IT Governance in ISO 27799

$299.00
How you learn:
Self-paced • Lifetime updates
When you get access:
Course access is prepared after purchase and delivered via email
Who trusts this:
Trusted by professionals in 160+ countries
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Your guarantee:
30-day money-back guarantee — no questions asked

This curriculum spans the design and operationalization of an ISO 27799-aligned governance structure across clinical, technical, and compliance functions, comparable in scope to a multi-phase advisory engagement supporting enterprise-wide health information governance in a regulated healthcare environment.

Module 1: Establishing the Governance Framework for Health Information

  • Define scope boundaries for health information governance across clinical, administrative, and research systems within a multi-facility organization.
  • Select governance roles and responsibilities for data stewards, system custodians, and clinical leads based on regulatory accountability.
  • Map existing organizational policies to ISO 27799 control objectives to identify coverage gaps in privacy and security practices.
  • Determine reporting lines for information governance decisions between IT, compliance, legal, and clinical leadership.
  • Develop escalation protocols for data breaches involving protected health information (PHI) that align with both HIPAA and ISO 27799.
  • Integrate risk appetite statements into governance charters to guide decision-making on data access and retention.
  • Establish a governance review cycle for periodic evaluation of control effectiveness across electronic health record (EHR) platforms.
  • Implement a centralized register of information assets to support classification and ownership assignment.

Module 2: Aligning with Regulatory and Legal Requirements

  • Conduct jurisdictional analysis to reconcile conflicting data residency laws when operating across state or national borders.
  • Document legal basis for processing sensitive health data under GDPR, HIPAA, or PIPEDA within shared care environments.
  • Negotiate data processing agreements with third-party vendors that enforce ISO 27799-aligned security obligations.
  • Implement audit trails to demonstrate compliance with mandatory retention periods for clinical records.
  • Design data subject access request (DSAR) workflows that balance patient rights with clinical operational continuity.
  • Develop policies for handling law enforcement data requests while preserving patient confidentiality.
  • Update governance controls in response to new regulatory interpretations, such as OCR guidance on ransomware and PHI.
  • Coordinate with legal counsel to assess implications of using AI-generated clinical documentation on data accountability.

Module 3: Risk Assessment and Management Integration

  • Perform health-specific risk assessments using ISO 27799 guidance to prioritize threats to patient data confidentiality.
  • Assign ownership for risk treatment plans involving legacy clinical systems lacking modern encryption capabilities.
  • Integrate clinical safety considerations into information risk evaluations for connected medical devices.
  • Quantify residual risk levels for data sharing initiatives with external research partners.
  • Define thresholds for risk acceptance based on clinical impact, not just technical exposure.
  • Implement risk treatment plans that address insecure default configurations in medical imaging systems.
  • Use risk assessment outcomes to justify investment in access control upgrades for EHRs.
  • Ensure risk registers are updated following system decommissioning or integration of new health information exchanges.

Module 4: Information Classification and Handling

  • Define classification levels for health data (e.g., public, internal, confidential, highly sensitive) based on clinical impact of disclosure.
  • Implement automated tagging of clinical documents at point of creation using EHR metadata.
  • Configure secure printing policies for documents containing mental health or genetic information.
  • Enforce encryption requirements for removable media used in mobile clinical workflows.
  • Develop handling rules for de-identified datasets used in population health analytics.
  • Train clinical staff on proper handling of screenshots containing PHI during telehealth consultations.
  • Restrict email transmission of classified health data using DLP policies integrated with clinical messaging systems.
  • Establish procedures for secure destruction of physical health records in decentralized clinics.

Module 5: Access Control Governance

  • Define role-based access control (RBAC) models for clinicians, billing staff, and researchers based on minimum necessary principles.
  • Implement just-in-time access for third-party contractors supporting EHR maintenance.
  • Enforce privileged access management (PAM) for database administrators with access to patient records.
  • Conduct quarterly access reviews for users with elevated privileges in clinical systems.
  • Integrate identity lifecycle management with HR systems to automate access revocation upon staff termination.
  • Configure context-aware access policies that restrict logins from non-trusted locations during off-hours.
  • Address override access (e.g., emergency override in EHRs) with mandatory justification and audit logging.
  • Manage shared account usage in clinical kiosks while maintaining individual accountability.

Module 6: Third-Party and Vendor Risk Oversight

  • Conduct security assessments of cloud service providers hosting patient portals using ISO 27799 criteria.
  • Enforce contractual SLAs requiring vendors to report security incidents involving health data within one hour.
  • Verify subcontractor controls when a cloud provider uses additional data centers in unapproved jurisdictions.
  • Perform on-site audits of medical billing vendors with access to full patient datasets.
  • Implement continuous monitoring of vendor access to internal health information systems.
  • Require penetration test results from SaaS providers before integrating with EHR infrastructure.
  • Establish governance processes for terminating vendor relationships with data transition requirements.
  • Manage risks associated with open-source software components used in clinical applications.

Module 7: Incident Management and Breach Response

  • Define incident severity levels based on patient impact, such as delayed care due to system unavailability.
  • Coordinate response between IT security, legal, communications, and clinical leadership during a ransomware event.
  • Preserve forensic evidence from clinical workstations while minimizing disruption to patient care.
  • Report breaches to regulatory authorities within 72 hours as required by HIPAA or GDPR.
  • Conduct root cause analysis for insider threats involving clinicians accessing unauthorized patient records.
  • Implement automated alerting for anomalous data exports from health data warehouses.
  • Test incident response plans with realistic scenarios involving loss of backup tapes or cloud misconfigurations.
  • Document lessons learned from incidents to update governance policies and access controls.

Module 8: Audit and Compliance Monitoring

  • Design audit log specifications for capturing access to sensitive health data in EHRs and PACS systems.
  • Configure log retention periods to meet both legal requirements and forensic investigation needs.
  • Implement automated log correlation rules to detect suspicious access patterns across multiple systems.
  • Conduct unannounced audits of access logs for high-risk clinical departments such as oncology or psychiatry.
  • Respond to internal audit findings by updating governance controls for data export functionality.
  • Prepare for external certification audits against ISO 27799 by compiling evidence of control implementation.
  • Use audit findings to refine user training content on secure data handling practices.
  • Integrate compliance dashboards into executive reporting to track control effectiveness over time.

Module 9: Continuous Governance Improvement

  • Establish key performance indicators (KPIs) for governance effectiveness, such as time to revoke access after role change.
  • Conduct post-implementation reviews after deploying new health information systems to assess control adherence.
  • Update governance policies in response to changes in clinical workflows, such as adoption of remote patient monitoring.
  • Facilitate governance forums for clinicians to report usability issues with security controls.
  • Benchmark governance maturity against ISO 27799 best practices using structured assessment models.
  • Integrate governance feedback into system procurement criteria for future technology acquisitions.
  • Manage version control of governance policies to ensure all staff reference the current edition.
  • Align governance improvement initiatives with organizational strategic objectives in digital health transformation.