HIPAA vs ISO

The general steps to be prepared for certification are:

1) getting management buy-in for the project

2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and the requirements of interested parties

3) development of risk assessment and treatment methodology

4) perform a risk assessment and define a risk treatment plan

5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

6) people training and awareness

7) controls operation

8 performance monitoring and measurement

9) perform internal audit

10) perform management critical review

11) address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you with a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Regarding the relation between HIPAA and ISO 27001, ISO 27001:2013 has at least 47 controls that can be used to comply with HIPAA requirements such as:

• Assigned Security Responsibility (164.308(a)(2)) can be related to control A.6.1.1 – Information security roles and responsibilities
• Security Awareness and Training (164.308(a)(5)) can be related to control A.7.2.2 – Information security awareness, education, and training

For further information, see:

• Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/