Rhand Leal
January 27, 2021
Update 2022-04-25.
All over the world, organizations in the healthcare industry are becoming more and more interested in protecting their patients’ information; but, in the United States, this need goes back to 1996, with the enforcement of HIPAA (Health Insurance Portability and Accountability Act), which regulates the use and disclosure of U.S. citizens’ protected health information.
This article will compare HIPAA compliance vs. ISO 27001, and present how organizations that need to ensure HIPAA compliance can take advantage of ISO 27001, the leading ISO standard for information security management, to fulfill the requirements.
HIPAA is legislation for the protection of sensitive health/patient data, and it applies only in the United States, to health organizations. ISO 27001 is a standard for information security management and is applicable internationally, in any industry.
Broadly speaking, HIPAA requirements are defined by two main rules: the Privacy rule and the Security rule. These rules must be followed by any U.S. healthcare provider who transmits health information in electronic form (generally called “covered entities”).
The Privacy rule establishes standards for the use and disclosure of personal health information (called Protected Health Information, or PHI) – information about the present or future physical or mental health or condition of an individual. Examples of established standards are limitation of use and disclosure to the minimum necessary, notification of privacy practices, and adoption of administrative practices (e.g., privacy policies and procedures, definition of responsibilities, training, documentation, records and retention, etc.).
The Security rule establishes standards for the protection of confidentiality, integrity, and availability of PHI that is held or transferred in electronic form (i.e., electronic Protected Health Information, or e-PHI), by means of administrative, physical, and technical safeguards. Examples of addressed safeguards are risk analysis and management, information access management, workforce training management, facilities access and control, workstation and device security, audit controls, and transmission security.
It is also important to note that HIPAA does not require any specific set of technology or software, so organizations are free to adopt the solutions that best fit their needs to ensure compliance with HIPAA.
ISO 27001 is a standard for information security management designed to be applicable to organizations of any size and industry. It consists of 10 clauses and 114 security controls grouped into 14 sections (Annex A).
ISO 27001 has at least 47 controls that can be used to comply with HIPAA requirements. For example:
HIPAA requirements vs. ISO 27001 controls
HIPAA general requirement | ISO 27001 requirement / control | Additional information |
Assigned Security Responsibility (164.308(a)(2)) | A.6.1.1 – Information security roles and responsibilities | How to document roles and responsibilities according to ISO 27001 |
Security Awareness and Training (164.308(a)(5)) | A.7.2.2 – Information security awareness, education and training | How to perform training & awareness for ISO 27001 and ISO 22301 |
Workstation Use (164.310(b)) | A.8.1.3 – Acceptable use of assets | IT Security Policy |
Information Access Management (164.308(a)(4)) | A.9.1 – Business requirements of access control (2 controls); A.9.2 – User access management (6 controls) | How to handle access control according to ISO 27001; Template Access Control Policy |
Access Control (to information systems) (164.312(a)(1)) | A.9.4 – System and application access control (5 controls) | How to handle access control according to ISO 27001; Template Access Control Policy |
Workstation Security (164.310(c)) | A.11.2 – Equipment (9 controls) | How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1; How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 |
Audit Controls (164.312(b)) | A.12.7.1 – Information systems audit controls | How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) (this article is about including security features in software development and maintenance) |
Transmission Security (164.312(e)(1)) | A.13 – Communications security (7 controls) | How to manage the security of network services according to ISO 27001 A.13.1.2 |
Security Incident Procedures (164.308(a)(6)) | A.16 – Information security incident management (7 controls) | How to handle incidents according to ISO 27001 A.16 |
Privacy Rule Obligations for Business Associates (general provision) | A.15.1.2 – Addressing security within supplier agreements | Which security clauses to use for supplier agreements? |
Contingency Plan (164.308(a)(7)) | A.17 – Information security aspects of business continuity management (4 controls) | How to use ISO 22301 for the implementation of business continuity in ISO 27001 |
Evaluation (164.308(a)(8)) | A.18.2.2 – Compliance with security policies and standards; A.18.2.3 – Technical compliance review | How to make an Internal Audit checklist for ISO 27001 / ISO 22301 |
However, one of the main contributions of ISO 27001 is the management system approach, defined in the requirements from clauses 4 through 10, which allows an organization to continuously adapt and improve its security to keep it aligned with the organization’s desired objectives and outcomes.
For more information, read these articles: What do the ISO 27001 requirements and structure look like? and An overview of ISO 27001:2013 Annex A.
Although the two are well aligned, ISO 27001 compliance does not mean HIPAA compliance, because ISO 27001 does not have some of the controls necessary to handle specific HIPAA requirements, like privacy-related controls. To fill the gaps within HIPAA compliance vs. ISO 27001, you should consider using ISO 27799, the ISO standard for the protection of personal health information, as supporting guidance.
For more information about ISO 27799, read this article: How ISO 27001 and ISO 27799 complement each other in health organizations.
In short, it is not a question of HIPAA vs. ISO 27001, because HIPAA is a law, while ISO 27001 is a standard to establish an Information Security Management System. In terms of ISO 27001, HIPAA can be viewed as one of the many requirements that can be fulfilled by an ISO 27001 ISMS implementation.
The proper way to see the relationship between these two is this: ISO 27001 can provide a sound basis for driving and optimizing an organization’s resources to implement HIPAA security, and any other information security requirement the organization may have, thereby reducing compliance efforts.
Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.
Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.