
Security Incident Management in ISO 27799

$349.00

  • When you get access: course access is prepared after purchase and delivered via email.
  • Who trusts this: trusted by professionals in 160+ countries.
  • How you learn: self-paced, with lifetime updates.
  • Your guarantee: 30-day money-back guarantee — no questions asked.
  • Toolkit included: a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the full incident management lifecycle in healthcare settings, equivalent to a multi-phase internal capability program that integrates governance, technical response, and executive oversight across clinical and IT domains.

Module 1: Establishing Governance Frameworks Aligned with ISO 27799

  • Define scope boundaries for health information systems covered under the governance framework, including EHRs, medical devices, and third-party cloud services.
  • Select and adapt ISO 27799 controls to align with jurisdictional healthcare regulations such as HIPAA, GDPR, or PIPEDA.
  • Assign accountability for control ownership across clinical, IT, and compliance roles using RACI matrices.
  • Integrate incident management policies with existing enterprise risk management processes to ensure consistent escalation paths.
  • Develop criteria for classifying health data based on sensitivity, regulatory impact, and clinical criticality.
  • Establish governance oversight committees with defined meeting cadences and reporting metrics for incident trends.
  • Document decision rationales for control exclusions or modifications to support audit readiness.
  • Implement version control and change tracking for all governance documentation to maintain regulatory traceability.

Module 2: Incident Preparedness and Policy Development

  • Draft incident response policies that specify mandatory reporting timelines for breaches involving protected health information (PHI).
  • Define thresholds for incident declaration, including unauthorized access, data exfiltration, and system unavailability.
  • Develop communication templates for internal stakeholders, regulators, and patients that comply with legal disclosure requirements.
  • Integrate incident playbooks with organizational change management procedures to prevent conflict during system updates.
  • Specify roles for clinical safety officers in incident response when patient care systems are impacted.
  • Establish pre-approved authority levels for system isolation or shutdown during active incidents.
  • Conduct legal reviews of response protocols to ensure alignment with mandatory breach notification laws.
  • Embed logging requirements into system procurement policies to ensure forensic readiness.

Module 3: Threat Intelligence and Risk Assessment Integration

  • Subscribe to healthcare-specific threat intelligence feeds and map indicators to ISO 27799 control objectives.
  • Conduct threat modeling for high-risk systems such as radiology PACS or infusion pumps using STRIDE or PASTA.
  • Update risk registers with threat data to prioritize incident response capabilities for likely attack vectors.
  • Map threat actor tactics (e.g., ransomware targeting hospitals) to detection and response controls in the framework.
  • Integrate vulnerability scanning results with threat intelligence to refine incident likelihood assessments.
  • Establish thresholds for elevating threat alerts to formal incident status based on asset criticality.
  • Coordinate with national health ISACs to validate threat indicators and share anonymized incident data.
  • Adjust control testing frequency based on emerging threat trends affecting medical device security.

Module 4: Detection and Monitoring Systems Configuration

  • Configure SIEM correlation rules to identify anomalous access patterns to patient records, such as bulk downloads.
  • Deploy network segmentation monitoring to detect lateral movement between clinical and administrative networks.
  • Implement host-based logging on medical workstations to capture USB device usage and application execution.
  • Set up alerts for failed authentication attempts on systems containing large volumes of PHI.
  • Validate log integrity mechanisms to ensure admissibility in regulatory investigations.
  • Define retention periods for security logs in accordance with legal and audit requirements.
  • Integrate EDR tools with clinical application monitoring to detect malicious behavior on endpoints.
  • Test detection coverage through purple team exercises simulating known healthcare attack patterns.

Module 5: Incident Triage and Classification Procedures

  • Apply a standardized classification schema (e.g., low/medium/high/critical) based on data exposure volume and patient impact.
  • Use predefined decision trees to determine whether an event constitutes a reportable breach.
  • Initiate chain-of-custody procedures for digital evidence when legal action is anticipated.
  • Engage legal counsel during triage if the incident involves cross-border data transfers.
  • Validate initial assessment findings through log cross-referencing and endpoint imaging.
  • Escalate incidents involving implanted medical devices to clinical engineering teams for risk evaluation.
  • Document all triage decisions and evidence sources to support post-incident reviews.
  • Activate communication protocols based on classification level, including executive and board notifications.

Module 6: Containment, Eradication, and Recovery Execution

  • Isolate compromised systems while maintaining failover capabilities for life-critical applications.
  • Preserve memory dumps and disk images from infected systems before remediation begins.
  • Apply surgical patching or configuration changes to eliminate attack vectors without disrupting clinical workflows.
  • Coordinate system restoration with clinical departments to schedule downtime during low-activity periods.
  • Validate clean backups before restoration to prevent reinfection from compromised snapshots.
  • Implement compensating controls (e.g., multi-person authentication) during recovery of access management systems.
  • Monitor recovered systems for residual malicious activity during a defined observation window.
  • Update firewall rules and access controls to block identified threat infrastructure.

Module 7: Post-Incident Analysis and Regulatory Reporting

  • Conduct root cause analysis using methods such as 5 Whys or fishbone diagrams focused on technical and process failures.
  • Prepare breach notification reports for regulators with required fields such as data types exposed and number of individuals affected.
  • Document lessons learned in a standardized format for inclusion in organizational knowledge bases.
  • Submit evidence packages to auditors demonstrating compliance with incident response timelines.
  • Coordinate public statements with legal and PR teams to avoid regulatory misstatements.
  • Identify control gaps that allowed the incident and assign remediation owners with deadlines.
  • Archive all incident-related communications and artifacts in a secure, access-controlled repository.
  • Report incident metrics to the board, including mean time to detect and respond.

Module 8: Continuous Improvement and Control Validation

  • Update incident response plans annually or after major incidents based on lessons learned.
  • Conduct tabletop exercises simulating ransomware attacks on hospital networks with executive participation.
  • Validate detection rules quarterly using threat emulation tools like Atomic Red Team.
  • Measure response effectiveness through KPIs such as containment time and data loss volume.
  • Reassess control mappings to ISO 27799 after infrastructure changes, such as EHR upgrades.
  • Integrate feedback from clinical staff into response procedures to improve usability during crises.
  • Perform third-party audits of incident management processes to verify compliance with ISO 27799.
  • Adjust training content for response teams based on skill gaps identified in drills.

Module 9: Third-Party and Supply Chain Incident Coordination

  • Define contractual obligations for incident notification and cooperation in vendor agreements.
  • Establish secure communication channels for exchanging incident details with business associates.
  • Validate cloud service providers’ incident response capabilities during procurement due diligence.
  • Coordinate joint response activities when a breach originates in a third-party claims processing system.
  • Require evidence of forensic readiness from medical device manufacturers as part of procurement.
  • Map data flows across the supply chain to identify single points of failure in incident response.
  • Conduct joint incident drills with key partners such as laboratory information systems vendors.
  • Enforce logging and access audit requirements on third parties handling PHI.

Module 10: Leadership Communication and Board Engagement

  • Develop executive dashboards summarizing incident volume, severity, and response performance.
  • Translate technical incident details into business impact statements for non-technical board members.
  • Present risk treatment plans for recurring incident types, including investment justifications.
  • Report on compliance with ISO 27799 control objectives during governance committee meetings.
  • Advocate for resource allocation based on incident trend analysis and threat landscape shifts.
  • Align incident management KPIs with organizational strategic objectives for risk reduction.
  • Facilitate board-level discussions on risk appetite for cybersecurity incidents affecting patient care.
  • Review insurance coverage adequacy in light of actual incident costs and regulatory fines.