HIPAA and ISO Mapping

The organisation has mapped the HIPAA Security Rule standards to ISO 27001:2013 controls as follows: 1) a risk management program is defined in line with ISO 31000 and ISO 27001, with periodic risk assessment and monitoring; 2) responsibilities for information security and risk management are identified, including acceptance of residual risks; 3) processes are established for user access management, including unique user IDs, periodic access reviews and disabling of access for departed users.

Uploaded by nidelel214
HIPAA – ISO 27001 COMPLIANCE MAPPING FRAMEWORK

Table columns: HIPAA Security Standard | HIPAA Security Implementation Specification | ISO 27001:2013 | Organisation Response | Compliance. Each standard below is listed with its implementation specifications, the ISO 27001:2013 clause or Annex A control it is mapped to, and the Organisation's response. The Compliance column is empty for every row of the table.
HIPAA Security Standard: Security Management Process, 164.308(a)(1)

  Implementation Specification: Risk Analysis
  ISO 27001:2013: 6.1.2 Information security risk assessment; 8.2 Information security risk assessment
  Organisation Response: The Organisation has defined a risk management program in line with ISO 31000 and ISO 27001. It performs risk assessments on a periodic basis and monitors the identified risks.

  Implementation Specification: Risk Management
  ISO 27001:2013: 6.1.3 Information security risk treatment; 8.3 Information security risk treatment
  Organisation Response: The Organisation has defined a risk management program in line with ISO 31000 and ISO 27001. It performs risk assessments on a periodic basis, treats the identified risks and monitors them.

  Implementation Specification: Sanction Policy
  ISO 27001:2013: A.7.2.3 Disciplinary process
  Organisation Response: The Organisation has defined an information security disciplinary process. The formal disciplinary process is established to ensure correct and fair treatment of employees who are suspected of committing breaches of information security.

  Implementation Specification: Information System Activity Review
  ISO 27001:2013: A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs; A.16.1.2 Reporting information security events; A.16.1.3 Reporting security weaknesses
  Organisation Response: The Organisation has defined and documented policies and controls for incident management, covering the following documented aspects:
    • Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
    • Incident reporting timelines and procedures
    • Root cause analysis and reporting to avoid recurrence.
  Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.
HIPAA Security Standard: Assigned Security Responsibility, 164.308(a)(2)

  ISO 27001:2013: A.6.1.1 Information security roles and responsibilities
  Organisation Response: Responsibilities for the protection of individual assets and for carrying out specific information security processes are identified. Responsibilities for information security risk management activities, and in particular for acceptance of residual risks, are defined.
HIPAA Security Standard: Workforce Security, 164.308(a)(3)

  Implementation Specification: Authorization and/or Supervision
  ISO 27001:2013: A.9.2.2 User access provisioning
  Organisation Response: The process for managing user IDs includes:
    a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons, and is approved and documented;
    b) immediately disabling or removing the user IDs of users who have left the Organisation;
    c) periodically identifying and removing or disabling redundant user IDs;
    d) ensuring that redundant user IDs are not issued to other users.

  Implementation Specification: Workforce Clearance Procedure
  ISO 27001:2013: A.9.2.5 Review of user access rights
  Organisation Response: The review of access rights considers the following:
    a) users' access rights are reviewed at regular intervals and after any change, such as promotion, demotion or termination of employment;
    b) user access rights are reviewed and re-allocated when a user moves from one role to another within the Organisation;
    c) authorizations for privileged access rights are reviewed at more frequent intervals;
    d) privilege allocations are checked at regular intervals to ensure that unauthorized privileges have not been obtained;
    e) changes to privileged accounts are logged for periodic review.

  Implementation Specification: Termination Procedures
  ISO 27001:2013: A.7.3.1 Termination or change of employment responsibilities; A.9.2.6 Removal or adjustment of access rights
  Organisation Response: A process is established to ensure that all exit formalities are performed, that the assets provided to the employee have been collected and that all access that was provided has been removed. Evidence is maintained for the same.
HIPAA Security Standard: Information Access Management, 164.308(a)(4)

  Implementation Specification: Isolating Health Care Clearinghouse Functions
  ISO 27001:2013: N/A
  Organisation Response: Not applicable.

  Implementation Specification: Access Authorization
  ISO 27001:2013: A.9.2.2 User access provisioning
  Organisation Response: The same user-ID management process as listed under Workforce Security, Authorization and/or Supervision (164.308(a)(3)): unique user IDs with shared IDs only where approved and documented; immediate disabling or removal of the IDs of users who have left; periodic identification and removal or disabling of redundant IDs; and no re-issue of redundant IDs to other users.

  Implementation Specification: Access Establishment and Modification
  ISO 27001:2013: A.9.2.2 User access provisioning
  Organisation Response: The same user-ID management process as for Access Authorization above.
HIPAA Security Standard: Security Awareness and Training, 164.308(a)(5)

  Implementation Specification: Security Reminders
  ISO 27001:2013: A.12.6.1 Management of technical vulnerabilities
  Organisation Response: Information about technical vulnerabilities of the information systems in use is obtained in a timely fashion, the Organisation's exposure to such vulnerabilities is evaluated and appropriate measures are taken to address the associated risk.

  Implementation Specification: Protection from Malicious Software
  ISO 27001:2013: A.12.2.1 Controls against malware
  Organisation Response: Policy and procedures are established for protection against malware, using malware detection and repair software, information security awareness, and appropriate system access and change management controls.

  Implementation Specification: Log-in Monitoring
  ISO 27001:2013: A.12.4.1 Event logging
  Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, when relevant:
    a) user IDs;
    b) system activities;
    c) dates, times and details of key events, e.g. log-on and log-off;
    d) device identity or location if possible, and system identifier;
    e) records of successful and rejected system access attempts.

  Implementation Specification: Password Management
  ISO 27001:2013: A.9.4.3 Password management system
  Organisation Response: The Organisation has a password management system that:
    a) enforces the use of individual user IDs and passwords to maintain accountability;
    b) allows users to select and change their own passwords, with a confirmation procedure to allow for input errors;
    c) enforces a choice of quality passwords;
    d) forces users to change their password at first log-on;
    e) enforces regular password changes, and changes as needed;
    f) maintains a record of previously used passwords and prevents re-use;
    g) does not display passwords on the screen when they are being entered;
    h) stores password files separately from application system data;
    i) stores and transmits passwords in protected form.
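The A.9.4.3 requirements above are stated as policy. What follows is an added example, written for this page and not taken from the mapping document or from any organisation's actual system, of how items c) quality, d) change at first log-on, f) history with no re-use and i) protected storage can be enforced in code. The class and function names (PasswordStore, check_quality, change_password), the thresholds MIN_LENGTH and HISTORY_DEPTH, the PBKDF2-HMAC-SHA256 parameters and the sample passwords are all assumptions made for the example, not values the document specifies.

```python
"""Added example: a minimal password management system enforcing A.9.4.3
points c) quality, d) change at first log-on, f) history / no re-use and
i) protected storage. Not from the mapping document; names, thresholds
and sample passwords are assumptions made for this example."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12        # assumed quality rule: minimum length
HISTORY_DEPTH = 5      # assumed: previous passwords retained to block re-use
PBKDF2_ROUNDS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA256


class PasswordError(Exception):
    """Raised when a candidate password violates a quality or history rule."""


def _derive(password: str, salt: bytes) -> bytes:
    # i) plaintext is never stored; only a salted, slow hash is kept
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_quality(password: str, user_id: str) -> list:
    """c) return the list of quality rules the candidate password fails (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


class PasswordStore:
    """In-memory store: user_id -> {'salt', 'hash', 'history', 'must_change'}."""

    def __init__(self):
        self._records = {}

    def create_user(self, user_id: str, initial_password: str) -> None:
        # d) an initial (issued) password must be changed at first log-on
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "salt": salt,
            "hash": _derive(initial_password, salt),
            "history": [],          # list of (salt, hash) pairs for f)
            "must_change": True,
        }

    def must_change(self, user_id: str) -> bool:
        return self._records[user_id]["must_change"]

    def verify(self, user_id: str, password: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None:
            _derive(password, b"\x00" * 16)   # same cost for unknown IDs, so timing does not reveal valid ones
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    def set_password(self, user_id: str, new_password: str) -> None:
        rec = self._records[user_id]
        problems = check_quality(new_password, user_id)
        if problems:
            raise PasswordError("; ".join(problems))
        # f) compare against the current hash and the retained history, each under its own salt
        previous = [(rec["salt"], rec["hash"])] + rec["history"]
        for salt, digest in previous:
            if hmac.compare_digest(_derive(new_password, salt), digest):
                raise PasswordError("password was used recently and may not be re-used")
        rec["history"] = previous[:HISTORY_DEPTH]
        rec["salt"] = secrets.token_bytes(16)
        rec["hash"] = _derive(new_password, rec["salt"])
        rec["must_change"] = False


def change_password(store: PasswordStore, user_id: str, new_password: str) -> str:
    """Wrapper returning 'ok' or the reason the change was refused."""
    try:
        store.set_password(user_id, new_password)
        return "ok"
    except PasswordError as exc:
        return str(exc)


if __name__ == "__main__":
    store = PasswordStore()
    store.create_user("alice", "Temp-Pass-2024!")          # constructed sample
    print("must change at first log-on:", store.must_change("alice"))
    print(change_password(store, "alice", "Temp-Pass-2024!"))   # refused: re-use
    print(change_password(store, "alice", "Short1!"))           # refused: quality
    print(change_password(store, "alice", "Correct-Horse-7-Battery"))
    print("old password still works:", store.verify("alice", "Temp-Pass-2024!"))
```

Item h), separate storage of the password file, and g), no echo on entry, are properties of the deployment and the client rather than of this store; the store only guarantees that what it holds is a salted hash compared in constant time.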
HIPAA Security Standard: Security Incident Procedures, 164.308(a)(6)

  Implementation Specification: Response and Reporting
  ISO 27001:2013: A.16.1.1 Responsibilities and procedures; A.16.1.2 Reporting information security events; A.16.1.3 Reporting security weaknesses; A.16.1.4 Response to information security incidents
  Organisation Response: The Organisation has defined and documented policies and controls for incident management, covering the following documented aspects:
    • Definition of an incident (e.g. security breaches, data loss, system downtime, malicious activity)
    • Incident reporting timelines and procedures
    • Root cause analysis and reporting to avoid recurrence.
  Evidence of incident management activities, including incident logging and root cause analysis, is maintained according to regulatory and contractual requirements.
HIPAA Security Standard: Contingency Plan, 164.308(a)(7)

  Implementation Specification: Data Backup Plan
  ISO 27001:2013: A.12.3.1 Information backup
  Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed, including frequency, schedule, retention requirements and recovery/restore testing.

  Implementation Specification: Disaster Recovery Plan
  ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
  Organisation Response: There is a defined and documented method for determining the impact of any disruption to the Organisation, which incorporates the following:
    • Identify critical products and services
    • Identify all dependencies, including processes, applications, business partners and third party service providers
    • Understand threats to critical products and services
    • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
    • Establish the maximum tolerable period of disruption, aligned with the SLA
    • Establish priorities for recovery
    • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption, aligned with the SLA
    • Estimate the resources required for resumption

  Implementation Specification: Emergency Mode Operation Plan
  ISO 27001:2013: A.17.1.1 Planning information security continuity; A.17.1.2 Implementing information security continuity
  Organisation Response: The same defined and documented business impact method as for the Disaster Recovery Plan above, which must incorporate the same eight points (critical products and services, dependencies, threats, impacts over time, maximum tolerable period of disruption, recovery priorities, recovery time objectives and resources required).

  Implementation Specification: Testing and Revision Procedures
  ISO 27001:2013: A.17.1.3 Verify, review and evaluate information security continuity
  Organisation Response: The Organisation ensures that the BCP / DR plan is reviewed and approved at least annually, and distributes the BCP / DR plan to authorized individuals, including all personnel.

  Implementation Specification: Applications and Data Criticality Analysis
  ISO 27001:2013: A.14.1.1 Information security requirements analysis and specification; A.17.1.1 Planning information security continuity
  Organisation Response: As for Testing and Revision Procedures above: the BCP / DR plan is reviewed and approved at least annually and distributed to authorized individuals, including all personnel.
HIPAA Security Standard: Evaluation, 164.308(a)(8)

  ISO 27001:2013: A.18.2.3 Technical compliance review
  Organisation Response: Technical compliance is reviewed, preferably with the assistance of automated tools that generate technical reports for subsequent interpretation by a technical specialist.
HIPAA Security Standard: Business Associate Contracts and Other Arrangements, 164.308(b)(1)

  Implementation Specification: Written contract or other arrangement
  ISO 27001:2013: A.15.1.2 Addressing security within supplier agreements
  Organisation Response: Supplier agreements are established and documented to ensure that all relevant information security requirements to be implemented by the supplier are covered.
HIPAA Security Standard: Facility Access Controls, 164.310(a)(1)

  Implementation Specification: Contingency Operations
  ISO 27001:2013: A.17.2.1 Availability of information processing facilities
  Organisation Response: The Organisation has identified and implemented sufficient redundancy for servers, network components and ISPs to withstand outages (such as power failure or network disruption).

  Implementation Specification: Facility Security Plan
  ISO 27001:2013: A.11.1.3 Securing offices, rooms and facilities; A.11.1.4 Protecting against external and environmental threats
  Organisation Response: Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

  Implementation Specification: Access Control and Validation Procedures
  ISO 27001:2013: A.11.1.1 Physical security perimeter; A.11.1.2 Physical entry controls
  Organisation Response: The Organisation ensures that a physical security policy, containing the Organisation's guidelines for the physical security of personnel, equipment and information systems, is developed, approved and communicated.

  Implementation Specification: Maintenance Records
  ISO 27001:2013: A.11.2.4 Equipment maintenance
  Organisation Response: The following guidelines for equipment maintenance are considered:
    a) equipment is maintained in accordance with the supplier's recommended service intervals and specifications;
    b) only authorized maintenance personnel carry out repairs and service equipment;
    c) records are kept of all suspected or actual faults, and of all preventive and corrective maintenance.
HIPAA Security Standard: Workstation Use, 164.310(b)

  ISO 27001:2013: A.8.1.3 Acceptable use of assets; A.11.1.5 Working in secure areas; A.12.1.1 Documented operating procedures
  Organisation Response: Employees and external party users who use or have access to the Organisation's assets are made aware of the information security requirements for the Organisation's assets associated with information and information processing facilities and resources. They are responsible for their use of any information processing resources and for any such use carried out under their responsibility.
HIPAA Security Standard: Workstation Security, 164.310(c)

  ISO 27001:2013: A.11.1.5 Working in secure areas
  Organisation Response: The following controls are considered:
    a) personnel are made aware of the existence of, or activities within, a secure area only on a need-to-know basis;
    b) unsupervised working in secure areas is avoided, both for safety reasons and to prevent opportunities for malicious activity;
    c) vacant secure areas are physically locked and periodically reviewed.
HIPAA Security Standard: Device and Media Controls, 164.310(d)(1)

  Implementation Specification: Disposal
  ISO 27001:2013: A.8.3.2 Disposal of media
  Organisation Response: Formal procedures for the secure disposal of media are established to minimize the risk of confidential information leaking to unauthorized persons. The procedures for secure disposal of media containing confidential information are proportional to the sensitivity of that information.

  Implementation Specification: Media Re-use
  ISO 27001:2013: A.8.3.1 Management of removable media
  Organisation Response: A removable media management process is defined for the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment.

  Implementation Specification: Accountability
  ISO 27001:2013: A.8.3.3 Physical media transfer; A.11.2.6 Security of equipment and assets off-premises
  Organisation Response: Procedures are implemented to protect media containing information against unauthorized access, misuse or corruption during transportation.

  Implementation Specification: Data Backup and Storage
  ISO 27001:2013: A.12.3.1 Information backup
  Organisation Response: A documented backup and restoration policy is defined and communicated. The policy document outlines the backup and restoration procedures followed, including frequency, schedule, retention requirements and recovery/restore testing.
HIPAA Security Standard: Access Control, 164.312(a)(1)

  Implementation Specification: Unique User Identification
  ISO 27001:2013: A.9.2.1 User registration and de-registration
  Organisation Response: The process for managing user IDs includes:
    a) using unique user IDs to enable users to be linked to and held responsible for their actions; the use of shared IDs is only permitted where they are necessary for business or operational reasons, and is approved and documented;
    b) immediately disabling or removing the user IDs of users who have left the Organisation;
    c) periodically identifying and removing or disabling redundant user IDs;
    d) ensuring that redundant user IDs are not issued to other users.

  Implementation Specification: Emergency Access Procedure
  ISO 27001:2013: A.9.2.2 User access provisioning
  Organisation Response: The same user-ID management process, points a) to d), as for Unique User Identification above.
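Points a) to d) of the user-ID process, cited here under A.9.2.1 / A.9.2.2 and earlier under Workforce Security (164.308(a)(3)) and Information Access Management (164.308(a)(4)), describe what the periodic review in point c) must look for but not how it is run. The following is an added example, not from the mapping document or any organisation's tooling, of that review executed over an account export: it checks ID uniqueness, documented approval for shared IDs, disabled state for departed users, dormancy, and re-issue of retired IDs. The Account record layout, the function names, the 90-day dormancy threshold and the sample accounts are assumptions made for the example.

```python
"""Added example: periodic user-ID review implementing points a) to d) of the
A.9.2.1 / A.9.2.2 user-ID process. Not from the mapping document; record
layout, threshold and sample data are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

DORMANT_DAYS = 90   # assumed threshold after which an enabled but unused ID counts as redundant


@dataclass
class Account:
    user_id: str
    owner: Optional[str]               # accountable person; None for shared/service IDs
    enabled: bool
    last_login: Optional[date]         # None if the ID has never been used
    shared: bool = False
    approval_ref: Optional[str] = None  # change/ticket reference that approved a shared ID


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str


def review_accounts(accounts: List[Account], departed: Set[str],
                    retired_ids: Set[str], today: date) -> List[Finding]:
    """Return one Finding per violated point of the user-ID process."""
    findings = []
    seen = set()
    for acct in accounts:
        # a) every user must have a unique ID
        if acct.user_id in seen:
            findings.append(Finding(acct.user_id, "duplicate user ID"))
        seen.add(acct.user_id)
        # a) shared IDs are allowed only when approved and documented
        if acct.shared and not acct.approval_ref:
            findings.append(Finding(acct.user_id, "shared ID without documented approval"))
        if not acct.enabled:
            continue    # a disabled ID already satisfies b), c) and d)
        # b) IDs of users who have left must be disabled or removed
        if acct.owner in departed:
            findings.append(Finding(acct.user_id, f"enabled ID belongs to departed user {acct.owner}"))
        # c) redundant IDs: never used, or unused for longer than the threshold
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append(Finding(acct.user_id, f"dormant ID (no log-on in {DORMANT_DAYS} days)"))
        # d) a previously retired ID must not be re-issued to anyone
        if acct.user_id in retired_ids:
            findings.append(Finding(acct.user_id, "retired ID re-issued"))
    return findings


# Constructed account export for the review (not real data)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", True, date(2024, 6, 28)),
    Account("bob", "bob", True, date(2024, 6, 1)),                       # bob has left
    Account("svc-backup", None, True, date(2024, 6, 29), shared=True, approval_ref="CHG-1042"),
    Account("helpdesk", None, True, date(2024, 6, 29), shared=True),     # shared, no approval
    Account("carol", "carol", True, date(2024, 1, 15)),                  # dormant
    Account("carol", "carol2", True, date(2024, 6, 20)),                 # duplicate ID
    Account("dave", "dave", True, None),                                 # never used
    Account("erin", "erin2", True, date(2024, 6, 25)),                   # retired ID re-issued
    Account("frank", "frank", False, date(2023, 3, 1)),                  # disabled, nothing to report
]
SAMPLE_DEPARTED = {"bob"}
SAMPLE_RETIRED_IDS = {"erin"}


def run_sample() -> List[Finding]:
    """Run the review over the constructed export as of 2024-06-30."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_DEPARTED, SAMPLE_RETIRED_IDS, date(2024, 6, 30))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id:<12} {f.issue}")
```

The findings list is the evidence the Termination Procedures row asks to maintain; in practice the departed set comes from HR and the retired set from the identity system's deprovisioning records, so the review also checks that those two feeds are being kept current.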
  Implementation Specification: Automatic Logoff
  ISO 27001:2013: A.11.2.8 Unattended user equipment
  Organisation Response: All users are made aware of the security requirements and procedures for protecting unattended equipment, as well as their responsibilities for implementing such protection. Users are advised to:
    a) terminate active sessions when finished, unless they can be secured by an appropriate locking mechanism, e.g. a password-protected screen saver;
    b) log off from applications or network services when they are no longer needed;
    c) secure computers or mobile devices from unauthorized use by a key lock or an equivalent control, e.g. password access, when not in use.

  Implementation Specification: Encryption and Decryption
  ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
  Organisation Response: A cryptography policy is defined to set out principles and expectations about when and how encryption of the Organisation's digital information is (or is not) to be used.
HIPAA Security Standard: Audit Controls, 164.312(b)

  ISO 27001:2013: A.12.4.1 Event logging; A.12.4.2 Protection of log information; A.12.4.3 Administrator and operator logs
  Organisation Response: Event logs recording user activities, exceptions, faults and information security events are produced, kept and regularly reviewed. Event logs include, when relevant:
    a) user IDs;
    b) system activities;
    c) dates, times and details of key events, e.g. log-on and log-off;
    d) device identity or location if possible, and system identifier;
    e) records of successful and rejected system access attempts.
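The row above (and Log-in Monitoring under 164.308(a)(5)) says which fields an event log must carry and that logs are reviewed and protected, but not what a review does with them. The following is an added example, not from the mapping document or any vendor's product, of a review over log-on records that carry exactly fields a), c), d) and e): it summarises successful and rejected attempts per user ID, flags a burst of rejections from one user/device pair and a success that follows it, and chain-hashes the records so that later alteration of the retained log is detectable (the A.12.4.2 concern). The record format, the five-in-ten-minutes threshold, the function names and the sample lines are assumptions made for the example.

```python
"""Added example: review of log-on events for the A.12.4.1 / A.12.4.2 audit
controls. Not from the mapping document; record format, thresholds and
sample lines are assumptions made for this example."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed record format: <UTC time> <system id> auth user=<id> src=<device> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log (not real data): a normal log-on, five rejected
# attempts against 'admin' from one address followed by a success, and a
# user who mistyped once.
SAMPLE_LOG = [
    "2024-06-30T08:00:05Z srv-ehr01 auth user=alice src=10.0.5.21 result=success",
    "2024-06-30T08:10:00Z srv-ehr01 auth user=admin src=203.0.113.7 result=failure",
    "2024-06-30T08:10:03Z srv-ehr01 auth user=admin src=203.0.113.7 result=failure",
    "2024-06-30T08:10:07Z srv-ehr01 auth user=admin src=203.0.113.7 result=failure",
    "2024-06-30T08:10:12Z srv-ehr01 auth user=admin src=203.0.113.7 result=failure",
    "2024-06-30T08:10:18Z srv-ehr01 auth user=admin src=203.0.113.7 result=failure",
    "2024-06-30T08:10:25Z srv-ehr01 auth user=admin src=203.0.113.7 result=success",
    "2024-06-30T08:15:00Z srv-ehr02 auth user=bob src=10.0.5.22 result=failure",
    "2024-06-30T08:15:30Z srv-ehr02 auth user=bob src=10.0.5.22 result=success",
]


def parse(lines: List[str]) -> List[dict]:
    """Parse well-formed records; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def summarise(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """e) counts of successful and rejected access attempts per user ID."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        counts[ev["user"]][ev["result"]] += 1
    return dict(counts)


def detect_bursts(events: List[dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str, str]]:
    """Flag (system, user, device, reason) when one user/device pair accumulates
    `threshold` rejections inside `window`, and again if it then succeeds."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        q = recent[key]
        if ev["result"] == "failure":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()          # drop rejections that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                minutes = int(window.total_seconds() // 60)
                findings.append((ev["host"], ev["user"], ev["src"],
                                 f"{len(q)} rejected attempts within {minutes} minutes"))
        elif key in flagged:
            findings.append((ev["host"], ev["user"], ev["src"],
                             "successful log-on after a burst of rejections"))
            flagged.discard(key)
            q.clear()
    return findings


def chain_digest(lines: List[str]) -> str:
    """A.12.4.2: hash each record together with the previous digest, so altering
    or deleting any earlier record changes the final value."""
    digest = ""
    for line in lines:
        digest = hashlib.sha256((digest + line).encode("utf-8")).hexdigest()
    return digest


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for user, c in summarise(evs).items():
        print(f"{user:<8} success={c['success']} failure={c['failure']}")
    for finding in detect_bursts(evs):
        print("FINDING", finding)
    print("chain digest", chain_digest(SAMPLE_LOG))
```

The chain digest only proves integrity if the final value is recorded somewhere the log writer cannot modify (a separate system, or a signed record), which is the separation A.12.4.2 is asking for.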
HIPAA Security Standard: Integrity, 164.312(c)(1)

  Implementation Specification: Mechanism to Authenticate Electronic Protected Health Information
  ISO 27001:2013: A.18.1.3 Protection of records
  Organisation Response: Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
HIPAA Security Standard: Person or Entity Authentication, 164.312(d)

  ISO 27001:2013: A.9.2.4 Management of secret authentication information of users
  Organisation Response: The process includes the following requirement:
    a) users are required to sign a statement to keep personal secret authentication information confidential and to keep group (i.e. shared) secret authentication information solely within the members of the group; this signed statement may be included in the terms and conditions of employment.
HIPAA Security Standard: Transmission Security, 164.312(e)(1)

  Implementation Specification: Integrity Controls
  ISO 27001:2013: A.13.1.1 Network controls
  Organisation Response: Controls are implemented to ensure the security of information in networks and the protection of connected services from unauthorized access.

  Implementation Specification: Encryption
  ISO 27001:2013: A.10.1.1 Policy on the use of cryptographic controls
  Organisation Response: A cryptography policy is defined to set out principles and expectations about when and how encryption of the Organisation's digital information is (or is not) to be used.
