This curriculum spans the equivalent of a multi-workshop advisory engagement, addressing governance, risk, policy, access, incident response, vendor management, audit, training, and continuous improvement across clinical environments with the granularity seen in internal healthcare security capability programs.
Module 1: Establishing the Governance Framework for Health Information Security
- Define scope boundaries for health information systems, including electronic health records (EHRs), medical devices, and third-party data processors.
- Select governance roles such as Data Protection Officer (DPO) and Clinical Information Security Lead based on organizational structure and regulatory obligations.
- Map ISO 27799 controls to jurisdictional requirements like HIPAA, GDPR, or PIPEDA to avoid compliance gaps.
- Determine reporting lines for security incidents involving patient data between clinical units and IT security teams.
- Establish a formal charter for the Health Information Security Steering Committee with documented decision-making authority.
- Integrate risk appetite statements into governance policy to guide acceptable levels of residual risk in clinical operations.
- Decide whether to adopt ISO 27799 as a standalone framework or align it with ISO 27001/ISMS for broader organizational coverage.
- Implement a policy review cycle tied to clinical workflow changes, such as new telehealth deployments or EHR upgrades.
Module 2: Risk Assessment and Management in Clinical Environments
- Conduct asset inventories that include mobile clinical devices (e.g., infusion pumps, tablets) with assigned data classification levels.
- Perform threat modeling specific to clinical workflows, such as emergency room data access under time pressure.
- Select risk assessment methodologies (e.g., OCTAVE, ISO 27005) based on clinical data sensitivity and system interconnectivity.
- Assign ownership of risk treatment plans to clinical department heads, not just IT staff, to ensure operational accountability.
- Document risk acceptance decisions involving legacy medical systems that cannot support modern encryption standards.
- Integrate risk treatment timelines with capital expenditure cycles for medical equipment replacement.
- Define thresholds for escalating risks to the board when patient safety or regulatory penalties are involved.
- Validate risk mitigation effectiveness through simulated breach scenarios involving clinical staff.
Module 3: Policy Development and Enforcement in Healthcare Settings
- Draft access control policies that differentiate between role-based access (e.g., nurse vs. physician) and context-based access (e.g., location, urgency).
- Define data handling procedures for cross-border transfers of patient data, including cloud-hosted EHRs in non-local jurisdictions.
- Establish policy exceptions processes for clinical research projects requiring de-identified data aggregation.
- Implement policy version control with audit trails to support regulatory audits and internal reviews.
- Enforce password policies that balance security with usability in high-stress clinical environments (e.g., code blue situations).
- Develop bring-your-own-device (BYOD) policies for clinicians using personal smartphones to access patient data.
- Integrate policy enforcement with EHR audit logging to detect unauthorized access patterns.
- Define disciplinary actions for policy violations involving intentional data exfiltration or negligence.
Module 4: Access Control and Identity Management for Health Systems
- Implement just-in-time (JIT) access provisioning for temporary staff during peak clinical demand periods.
- Configure role-based access control (RBAC) models that reflect clinical hierarchies and specialty-specific data needs.
- Integrate identity providers (IdPs) with clinical scheduling systems to automate access deprovisioning upon staff rotation.
- Deploy multi-factor authentication (MFA) at EHR login points while assessing impact on emergency department workflows.
- Manage shared accounts for clinical workstations using session monitoring and digital logging.
- Implement attribute-based access control (ABAC) for research data access based on project approval and data sensitivity.
- Enforce time-of-day restrictions for non-clinical staff accessing patient records.
- Conduct quarterly access reviews with department supervisors to validate active user privileges.
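A minimal attribute-based decision function combining the ABAC and JIT items above: access to a research dataset depends on project approval and expiry, roster membership, the dataset's sensitivity against the project's ceiling, and any time-limited grant. This is an added illustration, not code from the curriculum; the dataset names, project id, users and expiry dates are constructed.

```python
from datetime import datetime

# Sensitivity tiers for research datasets, lowest to highest (constructed ordering).
SENSITIVITY_RANK = {"deidentified": 0, "limited": 1, "identified": 2}

# Research datasets and their sensitivity tier (constructed sample data).
DATASETS = {"oncology_limited": "limited", "oncology_identified": "identified"}

# Approved research projects (constructed): roster, sensitivity ceiling, approval expiry.
PROJECTS = {
    "IRB-0421": {
        "members": {"r_chen", "r_patel"},
        "max_sensitivity": "limited",
        "expires": datetime(2024, 12, 31, 23, 59),
    },
}

# Just-in-time grants (constructed): a time-limited exception above the project ceiling.
JIT_GRANTS = {
    "r_patel": {"dataset": "oncology_identified", "expires": datetime(2024, 6, 1, 17, 0)},
}


def authorize(user, dataset, project, now):
    """ABAC decision for research data access; returns (allowed, reason).

    Attributes evaluated: dataset sensitivity, project approval status and
    expiry, project roster membership, and any active JIT grant for the user.
    """
    sensitivity = DATASETS.get(dataset)
    if sensitivity is None:
        return False, "unknown dataset"
    proj = PROJECTS.get(project)
    if proj is None or now > proj["expires"]:
        return False, "project not approved or approval expired"
    if user not in proj["members"]:
        return False, "user not on the approved project roster"
    if SENSITIVITY_RANK[sensitivity] <= SENSITIVITY_RANK[proj["max_sensitivity"]]:
        return True, "within project sensitivity ceiling"
    grant = JIT_GRANTS.get(user)
    if grant and grant["dataset"] == dataset and now <= grant["expires"]:
        return True, "temporary JIT grant in effect"
    return False, "sensitivity exceeds project ceiling and no active JIT grant"
```

Because the decision is computed from attributes at request time, revoking a grant or letting an approval lapse takes effect immediately without touching role assignments.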
Module 5: Incident Response and Breach Management in Healthcare
- Define incident classification criteria that distinguish between data breaches, privacy violations, and system outages.
- Establish communication protocols for notifying patients, regulators, and legal counsel within mandated timeframes.
- Integrate clinical incident reporting systems (e.g., patient safety events) with IT security incident management platforms.
- Conduct tabletop exercises simulating ransomware attacks on radiology departments with real clinical staff participation.
- Preserve forensic evidence from medical devices involved in security incidents while maintaining patient care continuity.
- Assign incident response roles to clinical informaticists who understand both IT systems and care workflows.
- Document root cause analyses for incidents involving misconfigured EHR access or phishing compromises.
- Implement post-incident process changes, such as mandatory security training for staff involved in breaches.
Module 6: Third-Party and Vendor Risk Management
- Conduct security assessments of cloud-based EHR vendors using ISO 27799 control checklists during procurement.
- Negotiate data processing agreements (DPAs) that specify encryption, audit rights, and breach notification timelines.
- Monitor vendor compliance with security SLAs through quarterly review meetings and audit reports (e.g., SOC 2).
- Assess risks associated with medical device manufacturers that provide remote monitoring and update services.
- Implement vendor access controls using jump servers and time-limited credentials for remote support.
- Track end-of-life timelines for third-party software used in clinical systems to plan for migration or compensating controls.
- Require vendors to report security incidents involving patient data within four hours of discovery.
- Conduct on-site audits of business associates that host or process sensitive health data.
Module 7: Audit and Monitoring of Health Information Systems
- Define audit log retention periods based on legal requirements and clinical data lifecycle policies.
- Configure EHR audit trails to capture critical events: record access, modifications, print actions, and export operations.
- Implement automated alerting for anomalous access patterns, such as after-hours access to high-risk patient records.
- Integrate SIEM tools with clinical information systems to correlate security events across departments.
- Conduct regular log reviews with clinical supervisors to validate access legitimacy.
- Ensure audit systems are tamper-evident, with logs signed or hashed so that any alteration or deletion can be detected.
- Balance monitoring scope with privacy expectations for clinicians accessing peer records.
- Produce audit reports for regulatory inspections with redaction capabilities for non-relevant patient data.
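To make the alerting and log-integrity items above concrete, here is an added example (not from the curriculum) that runs an after-hours rule over constructed EHR audit lines and hash-chains the log so that edits or deletions are detectable. The line format, user names, roles and patient ids are all hypothetical.

```python
import hashlib
from datetime import datetime

# Constructed EHR audit lines in a hypothetical format: timestamp|user|role|patient|action
AUDIT_LINES = [
    "2024-03-04T09:12:00|nurse01|nurse|P1001|VIEW",
    "2024-03-04T23:41:00|clerk07|billing|P2002|VIEW",
    "2024-03-05T02:15:00|dr_ortiz|physician|P2002|VIEW",
    "2024-03-05T14:05:00|clerk07|billing|P1001|EXPORT",
    "2024-03-05T03:30:00|clerk07|billing|P2002|PRINT",
]
HIGH_RISK_PATIENTS = {"P2002"}          # e.g. restricted-status records (constructed)
NON_CLINICAL_ROLES = {"billing", "admin"}
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 counts as normal working hours


def parse(line):
    ts, user, role, patient, action = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action}


def flag_after_hours(lines):
    """Alert on after-hours access to high-risk records as (severity, user, patient, action).
    Non-clinical roles get 'high'; clinical roles get 'review', since night-shift
    clinicians legitimately open records outside business hours."""
    alerts = []
    for e in map(parse, lines):
        if e["patient"] not in HIGH_RISK_PATIENTS or e["ts"].hour in BUSINESS_HOURS:
            continue
        severity = "high" if e["role"] in NON_CLINICAL_ROLES else "review"
        alerts.append((severity, e["user"], e["patient"], e["action"]))
    return alerts


def chain_hashes(lines, seed="genesis"):
    """Hash-chain the log: each digest covers the previous digest and the current line,
    so editing or deleting any earlier line changes every digest after it."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, seed="genesis"):
    """True if the stored digests match a fresh recomputation over the lines."""
    return chain_hashes(lines, seed) == digests
```

In practice the digests (or a signature over the latest one) would be written to a store the EHR administrators cannot modify, so the chain anchors the log rather than living beside it.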
Module 8: Security Awareness and Training for Clinical Workforce
- Develop role-specific training content for clinicians, administrative staff, and IT support personnel.
- Deliver phishing simulations using healthcare-themed lures (e.g., fake lab results or vaccine updates).
- Integrate security training into clinical onboarding and annual competency assessments.
- Track completion rates and failure rates in simulated attacks to identify high-risk departments.
- Address cultural resistance to security practices by involving clinical champions in training design.
- Update training materials following major incidents or changes in EHR functionality.
- Deliver just-in-time training at point of care, such as pop-up alerts when downloading patient data.
- Measure behavior change through post-training audits of password hygiene and device locking practices.
Module 9: Continuous Improvement and Maturity Assessment
- Conduct annual maturity assessments using ISO 27799 control effectiveness scoring.
- Map control gaps to specific clinical departments and assign remediation owners.
- Integrate security KPIs into executive dashboards, including mean time to detect and respond to incidents.
- Perform benchmarking against peer healthcare organizations using industry reports or consortium data.
- Update the governance framework in response to new technologies, such as AI-driven diagnostic tools.
- Revise risk treatment plans based on audit findings and penetration testing results.
- Incorporate patient feedback mechanisms for reporting privacy concerns into improvement cycles.
- Align security improvement initiatives with organizational strategic goals, such as digital transformation or patient engagement.