Hi! I have an app that is HIPAA compliant and hosted in the US. I would like to open it up to patients in Israel and am trying to figure out what it takes to become ISO certified and what part of that is already covered by HIPAA. It is a mental health app and we store personal data, although nothing about physical health. Thanks!
The general steps to be prepared for certification are:
1) getting management buy-in for the project
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties
3) development of risk assessment and treatment methodology
4) perform a risk assessment and define a risk treatment plan
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
6) people training and awareness
7) controls operation
8) performance monitoring and measurement
9) perform internal audit
10) perform management critical review
11) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you with a further explanation of ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding the relation between HIPAA and ISO 27001, ISO 27001:2013 has at least 47 controls that can be used to comply with HIPAA requirements such as:
- Assigned Security Responsibility (164.308(a)(2)) can be related to control A.6.1.1 – Information security roles and responsibilities
- Security Awareness and Training (164.308(a)(5)) can be related to control A.7.2.2 – Information security awareness, education, and training
For further information, see:
- Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/
Oct 28, 2022