Practical Info in ISO 27799

$349.00
Your guarantee:
30-day money-back guarantee — no questions asked
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Who trusts this:
Trusted by professionals in 160+ countries
How you learn:
Self-paced • Lifetime updates
When you get access:
Course access is prepared after purchase and delivered via email

This curriculum spans the equivalent of a multi-workshop advisory engagement, addressing the end-to-end integration of ISO 27799 into healthcare governance, risk management, and clinical operations across diverse organizational contexts.

Module 1: Establishing the Governance Framework for Health Information Security

  • Selecting and adapting ISO 27799 controls based on organizational size, clinical service mix, and regulatory jurisdiction (e.g., HIPAA vs. GDPR-H)
  • Defining governance roles and responsibilities across clinical, IT, and compliance leadership to ensure accountability
  • Integrating the ISO 27799 framework with existing enterprise risk management processes without duplicating effort
  • Determining the scope of health information assets to include in governance—e.g., EHRs, medical devices, research databases
  • Establishing reporting lines for security incidents that respect clinical workflows while ensuring timely escalation
  • Deciding whether to adopt ISO 27799 as a standalone standard or align it with ISO 27001 certification efforts
  • Developing governance documentation that meets auditor expectations while remaining usable by non-technical stakeholders
  • Setting thresholds for risk acceptance that reflect both clinical impact and legal liability

Module 2: Risk Assessment Methodologies in Clinical Environments

  • Choosing risk assessment methods (e.g., qualitative vs. quantitative) based on data availability and stakeholder risk tolerance
  • Mapping clinical workflows to information assets to identify high-risk touchpoints (e.g., discharge summaries, lab results)
  • Assessing risks introduced by third-party vendors managing patient portals or cloud-based imaging systems
  • Conducting threat modeling specific to medical device ecosystems (e.g., infusion pumps, MRI machines)
  • Adjusting risk scoring criteria to reflect patient safety implications beyond data confidentiality
  • Documenting residual risks in a way that supports informed decision-making by clinical and executive leadership
  • Reassessing risks after significant changes such as mergers, EHR upgrades, or telehealth expansion
  • Integrating risk assessment outputs into capital planning for security controls

Module 3: Access Control Design for Clinical Systems

  • Implementing role-based access control (RBAC) models that reflect dynamic clinical roles (e.g., on-call physicians, locums)
  • Defining emergency access procedures that comply with ISO 27799 while preventing misuse during crises
  • Configuring just-in-time (JIT) access for external consultants or visiting specialists
  • Managing access revocation timelines for terminated staff in decentralized clinical settings
  • Handling access for trainees and students with time-limited affiliations and evolving responsibilities
  • Enforcing multi-factor authentication without disrupting time-sensitive clinical workflows
  • Monitoring and reviewing access logs for anomalous behavior in high-privilege accounts (e.g., system administrators)
  • Aligning access policies with data sensitivity levels—e.g., mental health records vs. administrative data

Module 4: Third-Party and Vendor Risk Management

  • Evaluating cloud service providers' ISO 27799 compliance through on-site audits or third-party reports (e.g., SOC 2)
  • Negotiating business associate agreements (BAAs) that enforce specific ISO 27799 controls
  • Assessing risks from legacy vendors unable to support modern encryption or logging standards
  • Monitoring vendor patch management timelines for critical medical devices with long support cycles
  • Requiring evidence of incident response testing from vendors handling protected health information
  • Managing subcontractor chains where vendors outsource data processing without transparency
  • Conducting periodic reassessments of vendor risk based on breach trends and service changes
  • Defining exit strategies and data return processes in vendor contracts

Module 5: Incident Response and Breach Management

  • Classifying incidents based on clinical impact—e.g., disrupted surgery scheduling vs. unauthorized record access
  • Activating incident response teams that include clinical informaticists and legal counsel
  • Preserving forensic evidence from medical devices without disrupting patient care
  • Reporting breaches to regulators within mandated timeframes while managing internal communications
  • Coordinating with public relations teams to avoid premature disclosure of system vulnerabilities
  • Conducting post-incident reviews that identify systemic gaps, not just individual errors
  • Updating incident playbooks based on tabletop exercise outcomes and real events
  • Integrating incident data into enterprise risk registers for long-term mitigation planning

Module 6: Security Awareness and Behavior Change in Healthcare

  • Designing role-specific training content for clinicians, administrative staff, and IT support
  • Timing security campaigns to avoid conflicts with peak clinical periods (e.g., flu season)
  • Measuring effectiveness through simulated phishing campaigns with clinical email templates
  • Addressing resistance from senior clinicians who perceive security as a barrier to care delivery
  • Integrating security reminders into clinical workflow tools (e.g., EHR pop-ups at login)
  • Establishing peer-led security champions within departments to drive cultural change
  • Tracking repeat policy violations to identify systemic training or process gaps
  • Updating training content based on emerging threats such as ransomware targeting radiology systems

Module 7: Audit and Compliance Monitoring

  • Defining audit scope to include high-risk systems like EHRs, PACS, and patient kiosks
  • Selecting automated tools for continuous monitoring of access logs and configuration changes
  • Conducting unannounced audits in clinical areas to assess real-world compliance with clean desk policies
  • Responding to audit findings with corrective action plans that assign owners and deadlines
  • Aligning internal audit schedules with external regulatory inspection cycles
  • Managing auditor access to sensitive systems without exposing live patient data
  • Documenting control effectiveness for ISO 27799 compliance without creating redundant paperwork
  • Using audit data to prioritize investment in underperforming security domains

Module 8: Data Lifecycle Management in Health Systems

  • Defining retention periods for different record types based on clinical, legal, and research needs
  • Implementing secure data disposal methods for physical media such as CDs and printed imaging reports
  • Managing data migration risks during EHR system replacements or upgrades
  • Enforcing encryption for data in transit between facilities, especially over public networks
  • Controlling data duplication across departments to prevent unauthorized shadow repositories
  • Applying metadata tagging to support granular access and retention rules
  • Handling data subject access requests (DSARs) in compliance with privacy laws and ISO 27799
  • Establishing data minimization practices to reduce the attack surface in research datasets

Module 9: Governance Integration with Clinical Safety and Quality Programs

  • Mapping security incidents to patient safety reporting systems to identify systemic risks
  • Collaborating with quality improvement teams to embed security checks in clinical process redesign
  • Aligning security KPIs with clinical quality metrics in executive dashboards
  • Engaging clinical leadership in governance committees to ensure security decisions reflect care delivery realities
  • Assessing the impact of security controls on clinical decision-making speed and accuracy
  • Integrating security requirements into procurement processes for new medical technologies
  • Conducting joint risk assessments with infection control or pharmacy teams for high-consequence scenarios
  • Reporting on security program effectiveness to boards using clinical risk language, not technical jargon

Module 10: Continuous Improvement and Maturity Assessment

  • Applying maturity models to evaluate the organization’s progression in implementing ISO 27799 controls
  • Using gap analyses to prioritize remediation efforts based on risk and resource constraints
  • Setting measurable objectives for advancing from reactive to proactive security governance
  • Conducting benchmarking against peer institutions while protecting sensitive operational data
  • Updating governance policies in response to changes in standards, regulations, or technology
  • Tracking control effectiveness over time using metrics such as mean time to detect and respond
  • Integrating lessons from breaches and near-misses into governance refinements
  • Revising the governance framework to accommodate new care models like remote monitoring and AI diagnostics