Authority Document - Unified Compliance

Back

International > International Organization for Standardization

ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition

AD ID

0003014

AD STATUS

ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

For Purchase

SYNONYMS

ISO 27799:2016

ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002

EFFECTIVE

2016-07-01

ADDED

The document as a whole was last reviewed and released on 2019-08-02T00:00:00-0700.

URL

Click here

AD ID

0003014

AD STATUS

For Purchase

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO 27799:2016

ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002

EFFECTIVE

2016-07-01

ADDED

The document as a whole was last reviewed and released on 2019-08-02T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 86 Mandated Controls - bold
109 Implied Controls - italic 735 Implementation

Number of Controls

930 Total

Acquisition or sale of facilities, technology, and services

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Acquisition or sale of facilities, technology, and services CC ID 01123	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Establish/Maintain Documentation	Preventive
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Testing	Detective
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741	Testing	Detective
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742	Testing	Detective
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743	Testing	Detective
Test new software or upgraded software for security vulnerabilities. CC ID 01898	Testing	Detective
Test new software or upgraded software for compatibility with the current system. CC ID 11654	Testing	Detective
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655	Testing	Detective
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899	Testing	Detective
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744	Testing	Detective
Correct defective acquired goods or services. CC ID 06911	Acquisition/Sale of Assets or Services	Corrective
Authorize new assets prior to putting them into the production environment. CC ID 13530	Process or Activity	Preventive

Audits and risk management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk management program. CC ID 12051	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and Risk Management	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]	Audits and Risk Management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and Risk Management	Preventive
Identify the material risks in the risk assessment report. CC ID 06482	Audits and Risk Management	Preventive
Assess the potential level of business impact risk associated with each business process. CC ID 06463	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with the business environment. CC ID 06464	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465	Audits and Risk Management	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Investigate	Detective
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466	Audits and Risk Management	Detective
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with external entities. CC ID 06469	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Actionable Reports or Measurements	Detective
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and Risk Management	Detective
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706	Establish/Maintain Documentation	Preventive
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Investigate	Preventive
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Behavior	Preventive
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704	Establish/Maintain Documentation	Detective
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Audits and Risk Management	Preventive
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Process or Activity	Detective
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Process or Activity	Detective
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and Risk Management	Preventive

Human Resources management

119

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Establish Roles	Preventive
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]	Establish/Maintain Documentation	Preventive
Establish and maintain an Information Technology steering committee. CC ID 12706	Human Resources Management	Preventive
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]	Human Resources Management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]	Human Resources Management	Preventive
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201	Human Resources Management	Preventive
Assign roles and responsibilities for physical security, as necessary. CC ID 13113	Establish Roles	Preventive
Document the use of external experts. CC ID 16263	Human Resources Management	Preventive
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660	Human Resources Management	Preventive
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources Management	Preventive
Assign the roles and responsibilities for the change control program. CC ID 13118	Human Resources Management	Preventive
Identify and define all critical roles. CC ID 00777	Establish Roles	Preventive
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Establish Roles	Preventive
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources Management	Preventive
Assign the role of security management to applicable controls. CC ID 06444	Establish Roles	Preventive
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources Management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources Management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources Management	Preventive
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Communicate	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471	Establish Roles	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources Management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources Management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources Management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Establish Roles	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources Management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Establish Roles	Preventive
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Establish Roles	Preventive
Assign the role of logical access control to applicable controls. CC ID 00772	Establish Roles	Preventive
Assign the role of asset physical security to applicable controls. CC ID 00770	Establish Roles	Preventive
Assign the role of data custodian to applicable controls. CC ID 04789	Establish Roles	Preventive
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Establish Roles	Preventive
Assign interested personnel to the Quality Management committee. CC ID 07193	Establish Roles	Preventive
Assign the roles and responsibilities for the asset management system. CC ID 14368	Establish/Maintain Documentation	Preventive
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Establish Roles	Preventive
Assign the role of fire protection management to applicable controls. CC ID 04891	Establish Roles	Preventive
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Establish Roles	Preventive
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Establish Roles	Preventive
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Establish Roles	Preventive
Define and assign the roles and responsibilities of security guards. CC ID 12543	Human Resources Management	Preventive
Define and assign roles and responsibilities for dispute resolution. CC ID 13626	Human Resources Management	Preventive
Define and assign the roles for Legal Support Workers. CC ID 13711	Human Resources Management	Preventive
Establish, implement, and maintain a personnel management program. CC ID 14018	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personnel security program. CC ID 10628	Establish/Maintain Documentation	Preventive
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]	Testing	Detective
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]	Human Resources Management	Detective
Assign security clearance procedures to qualified personnel. CC ID 06812	Establish Roles	Preventive
Assign personnel screening procedures to qualified personnel. CC ID 11699	Establish Roles	Preventive
Establish, implement, and maintain personnel screening procedures. CC ID 11700	Establish/Maintain Documentation	Preventive
Perform a background check during personnel screening. CC ID 11758	Human Resources Management	Detective
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources Management	Preventive
Perform a criminal records check during personnel screening. CC ID 06643	Establish/Maintain Documentation	Preventive
Include all residences in the criminal records check. CC ID 13306	Process or Activity	Preventive
Document any reasons a full criminal records check could not be performed. CC ID 13305	Establish/Maintain Documentation	Preventive
Perform a personal references check during personnel screening. CC ID 06645	Human Resources Management	Preventive
Perform a credit check during personnel screening. CC ID 06646	Human Resources Management	Preventive
Perform an academic records check during personnel screening. CC ID 06647	Establish/Maintain Documentation	Preventive
Perform a drug test during personnel screening. CC ID 06648	Testing	Preventive
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]	Human Resources Management	Preventive
Perform a curriculum vitae check during personnel screening. CC ID 06660	Human Resources Management	Preventive
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720	Human Resources Management	Preventive
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445	Communicate	Preventive
Perform personnel screening procedures, as necessary. CC ID 11763	Human Resources Management	Preventive
Document the personnel risk assessment results. CC ID 11764	Establish/Maintain Documentation	Detective
Establish, implement, and maintain security clearance procedures. CC ID 00783	Establish/Maintain Documentation	Preventive
Perform periodic background checks on designated roles, as necessary. CC ID 11759	Human Resources Management	Detective
Perform security clearance procedures, as necessary. CC ID 06644	Human Resources Management	Preventive
Establish and maintain security clearances. CC ID 01634	Human Resources Management	Preventive
Document the security clearance procedure results. CC ID 01635	Establish/Maintain Documentation	Detective
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549	Establish/Maintain Documentation	Preventive
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]	Technical Security	Corrective
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Establish Roles	Preventive
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1 In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]	Establish Roles	Detective
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]	Testing	Detective
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960	Technical Security	Preventive
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain job applications. CC ID 16180	Establish/Maintain Documentation	Preventive
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources Management	Preventive
Train all personnel and third parties, as necessary. CC ID 00785	Behavior	Preventive
Establish, implement, and maintain training plans. CC ID 00828	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness and training policy. CC ID 14022	Establish/Maintain Documentation	Preventive
Include compliance requirements in the security awareness and training policy. CC ID 14092	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the security awareness and training policy. CC ID 14091	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security awareness and training procedures. CC ID 14054	Establish/Maintain Documentation	Preventive
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138	Communicate	Preventive
Include management commitment in the security awareness and training policy. CC ID 14049	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the security awareness and training policy. CC ID 14048	Establish/Maintain Documentation	Preventive
Include the scope in the security awareness and training policy. CC ID 14047	Establish/Maintain Documentation	Preventive
Include the purpose in the security awareness and training policy. CC ID 14045	Establish/Maintain Documentation	Preventive
Include configuration management procedures in the security awareness program. CC ID 13967	Establish/Maintain Documentation	Preventive
Include media protection in the security awareness program. CC ID 16368	Training	Preventive
Document security awareness requirements. CC ID 12146	Establish/Maintain Documentation	Preventive
Include safeguards for information systems in the security awareness program. CC ID 13046	Establish/Maintain Documentation	Preventive
Include security policies and security standards in the security awareness program. CC ID 13045	Establish/Maintain Documentation	Preventive
Include physical security in the security awareness program. CC ID 16369	Training	Preventive
Include mobile device security guidelines in the security awareness program. CC ID 11803	Establish/Maintain Documentation	Preventive
Include updates on emerging issues in the security awareness program. CC ID 13184	Training	Preventive
Include cybersecurity in the security awareness program. CC ID 13183	Training	Preventive
Include implications of non-compliance in the security awareness program. CC ID 16425	Training	Preventive
Include the acceptable use policy in the security awareness program. CC ID 15487	Training	Preventive
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802	Establish/Maintain Documentation	Preventive
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Establish/Maintain Documentation	Preventive
Include remote access in the security awareness program. CC ID 13892	Establish/Maintain Documentation	Preventive
Document the goals of the security awareness program. CC ID 12145	Establish/Maintain Documentation	Preventive
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150	Establish/Maintain Documentation	Preventive
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151	Human Resources Management	Preventive
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149	Human Resources Management	Preventive
Document the scope of the security awareness program. CC ID 12148	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a security awareness baseline. CC ID 12147	Establish/Maintain Documentation	Preventive
Encourage interested personnel to obtain security certification. CC ID 11804	Human Resources Management	Preventive
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823	Behavior	Preventive
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211	Behavior	Preventive
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475	Training	Preventive
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363	Establish/Maintain Documentation	Preventive
Monitor and measure the effectiveness of security awareness. CC ID 06262	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a Code of Conduct. CC ID 04897	Establish/Maintain Documentation	Preventive
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Behavior	Corrective
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632	Communicate	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Analyze organizational objectives, functions, and activities. CC ID 00598	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]	Establish/Maintain Documentation	Preventive
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787	Data and Information Management	Preventive
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786	Data and Information Management	Preventive
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785	Data and Information Management	Preventive
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784	Data and Information Management	Preventive
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997	Data and Information Management	Preventive
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783	Data and Information Management	Preventive
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996	Data and Information Management	Preventive
Classify the value of information in the information classification standard. CC ID 11995	Data and Information Management	Preventive
Classify the legal requirements of information in the information classification standard. CC ID 11994	Data and Information Management	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]	Establish/Maintain Documentation	Preventive
Define the scope of the security policy. CC ID 07145	Data and Information Management	Preventive
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688	Business Processes	Preventive
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608	Establish/Maintain Documentation	Preventive
Correlate Information Systems with applicable controls. CC ID 01621	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956	Establish/Maintain Documentation	Preventive
Include the effective date on all organizational policies. CC ID 06820	Establish/Maintain Documentation	Preventive
Include threats in the organization’s policies, standards, and procedures. CC ID 12953	Establish/Maintain Documentation	Preventive
Analyze organizational policies, as necessary. CC ID 14037	Establish/Maintain Documentation	Detective
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Business Processes	Preventive
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Establish/Maintain Documentation	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Establish/Maintain Documentation	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Communicate	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Establish/Maintain Documentation	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Establish/Maintain Documentation	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Establish/Maintain Documentation	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Establish/Maintain Documentation	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Establish/Maintain Documentation	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Establish/Maintain Documentation	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Establish/Maintain Documentation	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Establish/Maintain Documentation	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Establish/Maintain Documentation	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Establish/Maintain Documentation	Detective
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Establish Roles	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Align the Authority Document list with external requirements. CC ID 06288	Establish/Maintain Documentation	Preventive
Assign the appropriate roles to all applicable compliance documents. CC ID 06284	Establish Roles	Preventive
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Establish/Maintain Documentation	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Establish/Maintain Documentation	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Establish/Maintain Documentation	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631	Establish/Maintain Documentation	Preventive
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Business Processes	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Establish/Maintain Documentation	Preventive
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Establish Roles	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Establish/Maintain Documentation	Preventive
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282	Behavior	Preventive
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283	Behavior	Preventive
Estimate the costs of implementing the compliance framework. CC ID 07191	Business Processes	Preventive

Monitoring and measurement

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Log Management	Detective
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638	Log Management	Detective
Establish, implement, and maintain event logging procedures. CC ID 01335	Log Management	Detective
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Log Management	Preventive
Protect the event logs from failure. CC ID 06290	Log Management	Preventive
Overwrite the oldest records when audit logging fails. CC ID 14308	Data and Information Management	Preventive
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427	Testing	Preventive
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774	Establish/Maintain Documentation	Corrective
Include identity information of suspects in the suspicious activity report. CC ID 16648	Establish/Maintain Documentation	Preventive
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Audits and Risk Management	Preventive
Review and update event logs and audit logs, as necessary. CC ID 00596	Log Management	Detective
Eliminate false positives in event logs and audit logs. CC ID 07047	Log Management	Corrective
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207	Log Management	Detective
Identify cybersecurity events in event logs and audit logs. CC ID 13206	Technical Security	Detective
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925	Investigate	Corrective
Reproduce the event log if a log failure is captured. CC ID 01426	Log Management	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a log management program. CC ID 00673	Establish/Maintain Documentation	Preventive
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Technical Security	Preventive
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control {use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Log Management	Preventive
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]	Log Management	Preventive
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Technical Security	Preventive
Evaluate the measurement process used for metrics. CC ID 06920	Testing	Detective
Evaluate the information technology products used for metrics. CC ID 11644	Technical Security	Detective
Identify and communicate improvements in metrics reporting. CC ID 06921	Establish/Maintain Documentation	Corrective

Operational and Systems Continuity

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational and Systems Continuity CC ID 00731	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a business continuity program. CC ID 13210	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Establish/Maintain Documentation	Preventive
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258	Systems Continuity	Preventive
Establish and maintain off-site electronic media storage facilities. CC ID 00957	Physical and Environmental Protection	Preventive
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Data and Information Management	Preventive
Transport backup media in lockable electronic media storage containers. CC ID 01264	Data and Information Management	Preventive
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257	Data and Information Management	Preventive
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Systems Continuity	Preventive
Perform backup procedures for in scope systems. CC ID 11692	Process or Activity	Preventive
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Systems Continuity	Preventive
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]	Configuration	Preventive

Operational management

296

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Business Processes	Preventive
Make compliance and governance decisions in a timely manner. CC ID 06490	Behavior	Preventive
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Establish/Maintain Documentation	Preventive
Include physical safeguards in the information security program. CC ID 12375	Establish/Maintain Documentation	Preventive
Include technical safeguards in the information security program. CC ID 12374	Establish/Maintain Documentation	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Establish/Maintain Documentation	Preventive
Include system development in the information security program. CC ID 12389	Establish/Maintain Documentation	Preventive
Include system maintenance in the information security program. CC ID 12388	Establish/Maintain Documentation	Preventive
Include system acquisition in the information security program. CC ID 12387	Establish/Maintain Documentation	Preventive
Include access control in the information security program. CC ID 12386	Establish/Maintain Documentation	Preventive
Review and approve access controls, as necessary. CC ID 13074	Process or Activity	Detective
Include operations management in the information security program. CC ID 12385	Establish/Maintain Documentation	Preventive
Include communication management in the information security program. CC ID 12384	Establish/Maintain Documentation	Preventive
Include environmental security in the information security program. CC ID 12383	Establish/Maintain Documentation	Preventive
Include physical security in the information security program. CC ID 12382	Establish/Maintain Documentation	Preventive
Include human resources security in the information security program. CC ID 12381	Establish/Maintain Documentation	Preventive
Include asset management in the information security program. CC ID 12380	Establish/Maintain Documentation	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Establish/Maintain Documentation	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Establish/Maintain Documentation	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Establish/Maintain Documentation	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Establish/Maintain Documentation	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Establish/Maintain Documentation	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Establish/Maintain Documentation	Preventive
Include risk management in the information security program. CC ID 12378	Establish/Maintain Documentation	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Establish/Maintain Documentation	Preventive
Provide management direction and support for the information security program. CC ID 11999	Process or Activity	Preventive
Monitor and review the effectiveness of the information security program. CC ID 12744	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Business Processes	Preventive
Include business processes in the information security policy. CC ID 16326	Establish/Maintain Documentation	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Establish/Maintain Documentation	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Establish/Maintain Documentation	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Establish/Maintain Documentation	Preventive
Include information security objectives in the information security policy. CC ID 13493	Establish/Maintain Documentation	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Establish/Maintain Documentation	Preventive
Include notification procedures in the information security policy. CC ID 16842	Establish/Maintain Documentation	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]	Process or Activity	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Business Processes	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Establish/Maintain Documentation	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Communicate	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Establish/Maintain Documentation	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Process or Activity	Preventive
Assign ownership of the information security program to the appropriate role. CC ID 00814	Establish Roles	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Human Resources Management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]	Establish/Maintain Documentation	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Human Resources Management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Communicate	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Establish/Maintain Documentation	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Business Processes	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Business Processes	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Behavior	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Establish/Maintain Documentation	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Establish/Maintain Documentation	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Establish/Maintain Documentation	Preventive
Perform social network analysis, as necessary. CC ID 14864	Investigate	Detective
Establish, implement, and maintain operational control procedures. CC ID 00831	Establish/Maintain Documentation	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Establish/Maintain Documentation	Preventive
Include startup processes in operational control procedures. CC ID 00833	Establish/Maintain Documentation	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Establish/Maintain Documentation	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Establish/Maintain Documentation	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Process or Activity	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Establish/Maintain Documentation	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Establish/Maintain Documentation	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Establish/Maintain Documentation	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Establish/Maintain Documentation	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Establish/Maintain Documentation	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Establish/Maintain Documentation	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Establish/Maintain Documentation	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Establish/Maintain Documentation	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Establish/Maintain Documentation	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Establish/Maintain Documentation	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Establish/Maintain Documentation	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Establish/Maintain Documentation	Preventive
Include information sharing procedures in standard operating procedures. CC ID 12974	Records Management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Business Processes	Preventive
Provide support for information sharing activities. CC ID 15644	Process or Activity	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Business Processes	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Establish/Maintain Documentation	Corrective
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Communicate	Preventive
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Establish/Maintain Documentation	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]	Establish/Maintain Documentation	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control]	Establish/Maintain Documentation	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Establish/Maintain Documentation	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Establish/Maintain Documentation	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Establish/Maintain Documentation	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Establish/Maintain Documentation	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Establish/Maintain Documentation	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Establish/Maintain Documentation	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Establish/Maintain Documentation	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Establish/Maintain Documentation	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Establish/Maintain Documentation	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Establish/Maintain Documentation	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Establish/Maintain Documentation	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Technical Security	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Establish/Maintain Documentation	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Data and Information Management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Establish/Maintain Documentation	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Establish/Maintain Documentation	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Establish/Maintain Documentation	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Establish/Maintain Documentation	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Establish/Maintain Documentation	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Establish/Maintain Documentation	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Establish/Maintain Documentation	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Communicate	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Business Processes	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Establish/Maintain Documentation	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Establish/Maintain Documentation	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Establish/Maintain Documentation	Preventive
Identify the sender in all electronic messages. CC ID 13996	Data and Information Management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]	Establish/Maintain Documentation	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Communicate	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Establish/Maintain Documentation	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Establish/Maintain Documentation	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Business Processes	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Process or Activity	Corrective
Establish, implement, and maintain an Asset Management program. CC ID 06630	Business Processes	Preventive
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b) The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Human Resources Management	Preventive
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]	Business Processes	Preventive
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689	Establish/Maintain Documentation	Preventive
Include all account types in the Information Technology inventory. CC ID 13311	Establish/Maintain Documentation	Preventive
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695	Systems Design, Build, and Implementation	Preventive
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289	Data and Information Management	Preventive
Include each Information System's major applications in the Information Technology inventory. CC ID 01407	Establish/Maintain Documentation	Preventive
Categorize all major applications according to the business information they process. CC ID 07182	Establish/Maintain Documentation	Preventive
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164	Establish/Maintain Documentation	Preventive
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408	Establish/Maintain Documentation	Preventive
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409	Establish/Maintain Documentation	Preventive
Conduct environmental surveys. CC ID 00690	Physical and Environmental Protection	Preventive
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a hardware asset inventory. CC ID 00691	Establish/Maintain Documentation	Preventive
Include network equipment in the Information Technology inventory. CC ID 00693	Establish/Maintain Documentation	Preventive
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719	Establish/Maintain Documentation	Preventive
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885	Process or Activity	Preventive
Include software in the Information Technology inventory. CC ID 00692	Establish/Maintain Documentation	Preventive
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a storage media inventory. CC ID 00694	Establish/Maintain Documentation	Preventive
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260	Establish/Maintain Documentation	Preventive
Add inventoried assets to the asset register database, as necessary. CC ID 07051	Establish/Maintain Documentation	Preventive
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052	Monitor and Evaluate Occurrences	Corrective
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053	Monitor and Evaluate Occurrences	Corrective
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181	Establish/Maintain Documentation	Preventive
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054	Technical Security	Preventive
Link the authentication system to the asset inventory. CC ID 13718	Technical Security	Preventive
Record a unique name for each asset in the asset inventory. CC ID 16305	Data and Information Management	Preventive
Record the decommission date for applicable assets in the asset inventory. CC ID 14920	Establish/Maintain Documentation	Preventive
Record the status of information systems in the asset inventory. CC ID 16304	Data and Information Management	Preventive
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301	Data and Information Management	Preventive
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918	Establish/Maintain Documentation	Preventive
Include source code in the asset inventory. CC ID 14858	Records Management	Preventive
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]	Human Resources Management	Preventive
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110	Technical Security	Detective
Record the review date for applicable assets in the asset inventory. CC ID 14919	Establish/Maintain Documentation	Preventive
Record software license information for each asset in the asset inventory. CC ID 11736	Data and Information Management	Preventive
Record services for applicable assets in the asset inventory. CC ID 13733	Establish/Maintain Documentation	Preventive
Record protocols for applicable assets in the asset inventory. CC ID 13734	Establish/Maintain Documentation	Preventive
Record the software version in the asset inventory. CC ID 12196	Establish/Maintain Documentation	Preventive
Record the publisher for applicable assets in the asset inventory. CC ID 13725	Establish/Maintain Documentation	Preventive
Record the authentication system in the asset inventory. CC ID 13724	Establish/Maintain Documentation	Preventive
Tag unsupported assets in the asset inventory. CC ID 13723	Establish/Maintain Documentation	Preventive
Record the install date for applicable assets in the asset inventory. CC ID 13720	Establish/Maintain Documentation	Preventive
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465	Establish/Maintain Documentation	Preventive
Record the asset tag for physical assets in the asset inventory. CC ID 06632	Establish/Maintain Documentation	Preventive
Record the host name of applicable assets in the asset inventory. CC ID 13722	Establish/Maintain Documentation	Preventive
Record network ports for applicable assets in the asset inventory. CC ID 13730	Establish/Maintain Documentation	Preventive
Record the MAC address for applicable assets in the asset inventory. CC ID 13721	Establish/Maintain Documentation	Preventive
Record the operating system version for applicable assets in the asset inventory. CC ID 11748	Data and Information Management	Preventive
Record the operating system type for applicable assets in the asset inventory. CC ID 06633	Establish/Maintain Documentation	Preventive
Record rooms at external locations in the asset inventory. CC ID 16302	Data and Information Management	Preventive
Record the department associated with the asset in the asset inventory. CC ID 12084	Establish/Maintain Documentation	Preventive
Record the physical location for applicable assets in the asset inventory. CC ID 06634	Establish/Maintain Documentation	Preventive
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635	Establish/Maintain Documentation	Preventive
Record the firmware version for applicable assets in the asset inventory. CC ID 12195	Establish/Maintain Documentation	Preventive
Record the related business function for applicable assets in the asset inventory. CC ID 06636	Establish/Maintain Documentation	Preventive
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637	Establish/Maintain Documentation	Preventive
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638	Establish/Maintain Documentation	Preventive
Record trusted keys and certificates in the asset inventory. CC ID 15486	Data and Information Management	Preventive
Record cipher suites and protocols in the asset inventory. CC ID 15489	Data and Information Management	Preventive
Link the software asset inventory to the hardware asset inventory. CC ID 12085	Establish/Maintain Documentation	Preventive
Record the owner for applicable assets in the asset inventory. CC ID 06640	Establish/Maintain Documentation	Preventive
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696	Establish/Maintain Documentation	Preventive
Record all changes to assets in the asset inventory. CC ID 12190	Establish/Maintain Documentation	Preventive
Record cloud service derived data in the asset inventory. CC ID 13007	Establish/Maintain Documentation	Preventive
Include cloud service customer data in the asset inventory. CC ID 13006	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Business Processes	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]	Establish/Maintain Documentation	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Establish/Maintain Documentation	Preventive
Contain the incident to prevent further loss. CC ID 01751	Process or Activity	Corrective
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Log Management	Corrective
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Establish/Maintain Documentation	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Establish/Maintain Documentation	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Establish/Maintain Documentation	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Establish Roles	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Establish Roles	Preventive
Open a priority incident request after a security breach is detected. CC ID 04838	Testing	Corrective
Activate the incident response notification procedures after a security breach is detected. CC ID 04839	Testing	Corrective
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788	Communicate	Corrective
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878	Establish Roles	Preventive
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879	Establish Roles	Preventive
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880	Establish Roles	Preventive
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881	Establish Roles	Preventive
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882	Establish Roles	Preventive
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883	Establish Roles	Preventive
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884	Establish Roles	Preventive
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885	Establish Roles	Preventive
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886	Establish Roles	Preventive
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887	Human Resources Management	Preventive
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886	Investigate	Detective
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473	Establish/Maintain Documentation	Preventive
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474	Communicate	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]	Establish/Maintain Documentation	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Establish/Maintain Documentation	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Establish/Maintain Documentation	Preventive
Respond when an integrity violation is detected, as necessary. CC ID 10678	Technical Security	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Technical Security	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Technical Security	Corrective
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Establish/Maintain Documentation	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243	Establish/Maintain Documentation	Preventive
Include version control in the change control program. CC ID 13119	Establish/Maintain Documentation	Preventive
Include service design and transition in the change control program. CC ID 13920	Establish/Maintain Documentation	Preventive
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Maintenance	Preventive
Integrate configuration management procedures into the change control program. CC ID 13646	Technical Security	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Establish/Maintain Documentation	Preventive
Approve back-out plans, as necessary. CC ID 13627	Establish/Maintain Documentation	Corrective
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Business Processes	Preventive
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Establish/Maintain Documentation	Preventive
Establish and maintain a change request approver list. CC ID 06795	Establish/Maintain Documentation	Preventive
Document all change requests in change request forms. CC ID 06794	Establish/Maintain Documentation	Preventive
Test proposed changes prior to their approval. CC ID 00548	Testing	Detective
Examine all changes to ensure they correspond with the change request. CC ID 12345	Business Processes	Detective
Approve tested change requests. CC ID 11783	Data and Information Management	Preventive
Validate the system before implementing approved changes. CC ID 01510	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Behavior	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Establish/Maintain Documentation	Preventive
Perform emergency changes, as necessary. CC ID 12707	Process or Activity	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Process or Activity	Preventive
Log emergency changes after they have been performed. CC ID 12733	Establish/Maintain Documentation	Preventive
Perform risk assessments prior to approving change requests. CC ID 00888	Testing	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Process or Activity	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Investigate	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Investigate	Detective
Implement changes according to the change control program. CC ID 11776	Business Processes	Preventive
Provide audit trails for all approved changes. CC ID 13120	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch management program. CC ID 00896	Process or Activity	Preventive
Document the sources of all software updates. CC ID 13316	Establish/Maintain Documentation	Preventive
Implement patch management software, as necessary. CC ID 12094	Technical Security	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Technical Security	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Establish/Maintain Documentation	Preventive
Review the patch log for missing patches. CC ID 13186	Technical Security	Detective
Perform a patch test prior to deploying a patch. CC ID 00898	Testing	Detective
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Business Processes	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Configuration	Corrective
Test software patches for any potential compromise of the system's security. CC ID 13175	Testing	Detective
Patch software. CC ID 11825	Technical Security	Corrective
Patch the operating system, as necessary. CC ID 11824	Technical Security	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Configuration	Corrective
Remove outdated software after software has been updated. CC ID 11792	Configuration	Corrective
Update computer firmware, as necessary. CC ID 11755	Configuration	Corrective
Review changes to computer firmware. CC ID 12226	Testing	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Testing	Detective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Configuration	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Technical Security	Detective
Establish, implement, and maintain a software release policy. CC ID 00893	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Systems Design, Build, and Implementation	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Behavior	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Data and Information Management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Business Processes	Corrective
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Establish/Maintain Documentation	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Testing	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Testing	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Establish/Maintain Documentation	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a configuration change log. CC ID 08710	Configuration	Detective
Document approved configuration deviations. CC ID 08711	Establish/Maintain Documentation	Corrective

Physical and environmental protection

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Physical and environmental protection CC ID 00709	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a physical security program. CC ID 11757	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a facility physical security program. CC ID 00711	Establish/Maintain Documentation	Preventive
Identify and document physical access controls for all physical entry points. CC ID 01637	Establish/Maintain Documentation	Preventive
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and Environmental Protection	Preventive
Establish, implement, and maintain physical access procedures. CC ID 13629	Establish/Maintain Documentation	Preventive
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419	Physical and Environmental Protection	Preventive
Secure physical entry points with physical access controls or security guards. CC ID 01640	Physical and Environmental Protection	Detective
Configure the access control system to grant access only during authorized working hours. CC ID 12325	Physical and Environmental Protection	Preventive
Establish, implement, and maintain a visitor access permission policy. CC ID 06699	Establish/Maintain Documentation	Preventive
Escort visitors within the facility, as necessary. CC ID 06417	Establish/Maintain Documentation	Preventive
Check the visitor's stated identity against a provided government issued identification. CC ID 06701	Physical and Environmental Protection	Preventive
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330	Testing	Preventive
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Behavior	Preventive
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048	Establish/Maintain Documentation	Preventive
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436	Establish/Maintain Documentation	Preventive
Authorize physical access to sensitive areas based on job functions. CC ID 12462	Establish/Maintain Documentation	Preventive
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463	Physical and Environmental Protection	Corrective
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain physical identification procedures. CC ID 00713	Establish/Maintain Documentation	Preventive
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030	Human Resources Management	Preventive
Implement physical identification processes. CC ID 13715	Process or Activity	Preventive
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717	Process or Activity	Preventive
Issue photo identification badges to all employees. CC ID 12326	Physical and Environmental Protection	Preventive
Implement operational requirements for card readers. CC ID 02225	Testing	Preventive
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819	Establish/Maintain Documentation	Preventive
Document all lost badges in a lost badge list. CC ID 12448	Establish/Maintain Documentation	Corrective
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334	Physical and Environmental Protection	Preventive
Manage constituent identification inside the facility. CC ID 02215	Behavior	Preventive
Direct each employee to be responsible for their identification card or badge. CC ID 12332	Human Resources Management	Preventive
Manage visitor identification inside the facility. CC ID 11670	Physical and Environmental Protection	Preventive
Issue visitor identification badges to all non-employees. CC ID 00543	Behavior	Preventive
Secure unissued visitor identification badges. CC ID 06712	Physical and Environmental Protection	Preventive
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Behavior	Preventive
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598	Establish/Maintain Documentation	Preventive
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714	Process or Activity	Preventive
Include error handling controls in identification issuance procedures. CC ID 13709	Establish/Maintain Documentation	Preventive
Include an appeal process in the identification issuance procedures. CC ID 15428	Business Processes	Preventive
Include information security in the identification issuance procedures. CC ID 15425	Establish/Maintain Documentation	Preventive
Include identity proofing processes in the identification issuance procedures. CC ID 06597	Process or Activity	Preventive
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426	Establish/Maintain Documentation	Preventive
Include an identity registration process in the identification issuance procedures. CC ID 11671	Establish/Maintain Documentation	Preventive
Restrict access to the badge system to authorized personnel. CC ID 12043	Physical and Environmental Protection	Preventive
Enforce dual control for badge assignments. CC ID 12328	Physical and Environmental Protection	Preventive
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327	Physical and Environmental Protection	Preventive
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282	Physical and Environmental Protection	Preventive
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599	Establish/Maintain Documentation	Preventive
Assign employees the responsibility for controlling their identification badges. CC ID 12333	Human Resources Management	Preventive
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306	Establish/Maintain Documentation	Preventive
Prevent tailgating through physical entry points. CC ID 06685	Physical and Environmental Protection	Preventive
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and Environmental Protection	Preventive
Establish and maintain equipment security cages in a shared space environment. CC ID 06711	Physical and Environmental Protection	Preventive
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716	Physical and Environmental Protection	Preventive
Lock all lockable equipment cabinets. CC ID 11673	Physical and Environmental Protection	Detective
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718	Physical and Environmental Protection	Preventive
Protect distributed assets against theft. CC ID 06799	Physical and Environmental Protection	Preventive
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540	Establish/Maintain Documentation	Preventive
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]	Process or Activity	Preventive
Establish, implement, and maintain asset return procedures. CC ID 04537	Establish/Maintain Documentation	Preventive
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Behavior	Preventive

Privacy protection for information and data

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Privacy protection for information and data CC ID 00008	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Data and Information Management	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Establish/Maintain Documentation	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Data and Information Management	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Establish/Maintain Documentation	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]	Data and Information Management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Records Management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Communicate	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Establish/Maintain Documentation	Preventive
Process restricted data lawfully and carefully. CC ID 00086	Establish Roles	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Data and Information Management	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]	Communicate	Corrective
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Establish/Maintain Documentation	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Data and Information Management	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]	Data and Information Management	Preventive
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]	Communicate	Corrective
Establish, implement, and maintain a data handling program. CC ID 13427	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Establish/Maintain Documentation	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Data and Information Management	Preventive
Protect electronic messaging information. CC ID 12022	Technical Security	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Data and Information Management	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Configuration	Preventive
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Testing	Detective
Store payment card data in secure chips, if possible. CC ID 13065	Configuration	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Configuration	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Technical Security	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Data and Information Management	Preventive
Log the disclosure of personal data. CC ID 06628	Log Management	Preventive
Log the modification of personal data. CC ID 11844	Log Management	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Technical Security	Preventive
Implement security measures to protect personal data. CC ID 13606	Technical Security	Preventive
Implement physical controls to protect personal data. CC ID 00355	Testing	Preventive
Limit data leakage. CC ID 00356	Data and Information Management	Preventive
Conduct personal data risk assessments. CC ID 00357	Testing	Detective
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Business Processes	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Establish/Maintain Documentation	Detective
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Data and Information Management	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Data and Information Management	Detective
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Monitor and Evaluate Occurrences	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Investigate	Detective
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Behavior	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Data and Information Management	Detective
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Log Management	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Monitor and Evaluate Occurrences	Corrective
Log dates for account name changes or address changes. CC ID 04876	Log Management	Detective
Review accounts that are changed for additional user requests. CC ID 11846	Monitor and Evaluate Occurrences	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Data and Information Management	Detective
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Acquisition/Sale of Assets or Services	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Process or Activity	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Process or Activity	Preventive
Review monitored websites for data leakage. CC ID 10593	Monitor and Evaluate Occurrences	Detective
Take appropriate action when a data leakage is discovered. CC ID 14716	Process or Activity	Corrective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Data and Information Management	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Data and Information Management	Corrective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Behavior	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Data and Information Management	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Data and Information Management	Corrective

Records management

159

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management policies. CC ID 00903	Establish/Maintain Documentation	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a data retention program. CC ID 00906	Establish/Maintain Documentation	Detective
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]	Records Management	Preventive
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Testing	Detective
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain source document authorization tracking. CC ID 01262	Records Management	Detective
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988	Business Processes	Detective
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008	Process or Activity	Detective
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Process or Activity	Detective
Remove non-public information from publicly accessible systems. CC ID 14246	Data and Information Management	Corrective
Establish, implement, and maintain source document error handling tracking. CC ID 01263	Records Management	Detective
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806	Records Management	Preventive
Process restricted information in a secure environment. CC ID 13058	Process or Activity	Preventive
Refrain from creating printed records as copies of electronic records. CC ID 11808	Records Management	Preventive
Assign ownership for all electronic records. CC ID 14814	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920	Monitor and Evaluate Occurrences	Detective
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552	Records Management	Detective
Attribute electronic records, as necessary. CC ID 14820	Establish/Maintain Documentation	Preventive
Validate transactions using identifiers and credentials. CC ID 13203	Technical Security	Preventive
Establish, implement, and maintain a system storage log. CC ID 13532	Records Management	Preventive
Establish, implement, and maintain a system input log. CC ID 13531	Establish/Maintain Documentation	Preventive
Protect records from loss in accordance with applicable requirements. CC ID 12007	Records Management	Preventive
Establish, implement, and maintain data accuracy controls. CC ID 00921	Monitor and Evaluate Occurrences	Detective
Capture the records required by organizational compliance requirements. CC ID 00912	Records Management	Detective
Establish, implement, and maintain data completeness controls. CC ID 11649	Process or Activity	Preventive
Establish, implement, and maintain authorization records. CC ID 14367	Establish/Maintain Documentation	Preventive
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Establish/Maintain Documentation	Preventive
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Establish/Maintain Documentation	Preventive
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Establish/Maintain Documentation	Preventive
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Data and Information Management	Detective
Establish, implement, and maintain electronic health records. CC ID 14436	Data and Information Management	Preventive
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Data and Information Management	Preventive
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records Management	Preventive
Display required information automatically in electronic health records. CC ID 14442	Process or Activity	Preventive
Create summary of care records in accordance with applicable standards. CC ID 14440	Establish/Maintain Documentation	Preventive
Provide the patient with a summary of care record, as necessary. CC ID 14441	Actionable Reports or Measurements	Preventive
Create export summaries, as necessary. CC ID 14446	Process or Activity	Preventive
Import data files into a patient's electronic health record. CC ID 14448	Data and Information Management	Preventive
Export requested sections of the electronic health record. CC ID 14447	Data and Information Management	Preventive
Identify patient-specific education resources. CC ID 14439	Process or Activity	Detective
Establish and maintain an implantable device list. CC ID 14444	Records Management	Preventive
Display the implantable device list to authorized users. CC ID 14445	Data and Information Management	Preventive
Establish, implement, and maintain decision support interventions. CC ID 14443	Business Processes	Preventive
Include attributes in the decision support intervention. CC ID 16766	Data and Information Management	Preventive
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records Management	Preventive
Log the termination date in the recordkeeping system. CC ID 16181	Records Management	Preventive
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records Management	Preventive
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records Management	Preventive
Log records as being received into the recordkeeping system. CC ID 11696	Records Management	Preventive
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Log Management	Preventive
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Log Management	Preventive
Log the number of routine items received into the recordkeeping system. CC ID 11701	Establish/Maintain Documentation	Preventive
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Log Management	Preventive
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Log Management	Preventive
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Log Management	Preventive
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Log Management	Preventive
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Log Management	Preventive
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Log Management	Preventive
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Log Management	Preventive
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Log Management	Preventive
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Log Management	Preventive
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Log Management	Preventive
Log performance monitoring into the recordkeeping system. CC ID 11724	Log Management	Preventive
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Log Management	Preventive
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Log Management	Preventive
Establish, implement, and maintain a transfer journal. CC ID 11729	Records Management	Preventive
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Log Management	Preventive
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Log Management	Preventive
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Log Management	Preventive
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Log Management	Preventive
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records Management	Preventive
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Log Management	Preventive
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Log Management	Preventive
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Log Management	Preventive
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Data and Information Management	Detective
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain data availability controls. CC ID 15301	Data and Information Management	Preventive
Note in electronic records converted from printed records, the location of the original. CC ID 11809	Records Management	Preventive
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535	Establish/Maintain Documentation	Preventive
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009	Business Processes	Preventive
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010	Business Processes	Preventive
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011	Business Processes	Preventive
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012	Business Processes	Preventive
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965	Records Management	Preventive
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013	Business Processes	Preventive
Control error handling when data is being inputted. CC ID 00922	Data and Information Management	Detective
Establish, implement, and maintain electronic storage media security controls. CC ID 13204	Technical Security	Preventive
Use automated entry devices to reduce errors during data input. CC ID 06626	Data and Information Management	Preventive
Establish, implement, and maintain data processing integrity controls. CC ID 00923	Establish Roles	Preventive
Compare each record's data input to its final form. CC ID 11813	Records Management	Detective
Sanitize user input in accordance with organizational standards. CC ID 16856	Process or Activity	Preventive
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Data and Information Management	Preventive
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain security label procedures. CC ID 06747	Establish/Maintain Documentation	Preventive
Label restricted storage media appropriately. CC ID 00966	Data and Information Management	Preventive
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Records Management	Detective
Establish, implement, and maintain restricted material identification procedures. CC ID 01889	Establish/Maintain Documentation	Preventive
Conspicuously locate the restricted record's overall classification. CC ID 01890	Establish/Maintain Documentation	Preventive
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891	Establish/Maintain Documentation	Preventive
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892	Establish/Maintain Documentation	Preventive
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893	Establish/Maintain Documentation	Preventive
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894	Establish/Maintain Documentation	Preventive
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896	Data and Information Management	Preventive
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957	Technical Security	Preventive
Establish the minimum originator requirements for security labels. CC ID 06579	Establish/Maintain Documentation	Preventive
Establish the minimum intermediate system requirements for security labels. CC ID 06581	Establish/Maintain Documentation	Preventive
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580	Establish/Maintain Documentation	Preventive
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582	Establish/Maintain Documentation	Preventive
Establish and maintain access controls for all records. CC ID 00371	Records Management	Preventive
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202	Data and Information Management	Preventive
Establish, implement, and maintain a records lifecycle management program. CC ID 00951	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information preservation policy. CC ID 16483	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information preservation procedures. CC ID 06277	Establish/Maintain Documentation	Preventive
Implement and maintain high availability storage, as necessary. CC ID 00952	Technical Security	Preventive
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953	Records Management	Preventive
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954	Records Management	Preventive
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932	Records Management	Preventive
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain online storage controls. CC ID 00942	Technical Security	Preventive
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943	Records Management	Preventive
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944	Testing	Detective
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Technical Security	Preventive
Implement electronic storage media integrity controls. CC ID 00946	Configuration	Preventive
Automate electronic storage media integrity check controls. CC ID 00948	Configuration	Preventive
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950	Configuration	Preventive
Provide audit trails for all pertinent records. CC ID 00372	Establish/Maintain Documentation	Detective
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Log Management	Preventive
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320	Establish/Maintain Documentation	Preventive
Include the date and time in the removable storage media log. CC ID 12318	Establish/Maintain Documentation	Preventive
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315	Establish/Maintain Documentation	Preventive
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754	Establish/Maintain Documentation	Preventive
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753	Establish/Maintain Documentation	Preventive
Include the sender's name in the removable storage media log. CC ID 12752	Establish/Maintain Documentation	Preventive
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751	Establish/Maintain Documentation	Preventive
Include the reason for transfer in the removable storage media log. CC ID 12316	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619	Process or Activity	Preventive
Identify electronic storage media that require downgrading. CC ID 10620	Process or Activity	Detective
Downgrade electronic storage media, as necessary. CC ID 10621	Process or Activity	Corrective
Document all actions taken when downgrading electronic storage media. CC ID 10622	Establish/Maintain Documentation	Preventive
Test the storage media downgrade for correct performance. CC ID 10623	Testing	Detective
Establish, implement, and maintain output distribution procedures. CC ID 00927	Establish/Maintain Documentation	Preventive
Include printed output in output distribution procedures. CC ID 13477	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain document retention procedures. CC ID 11660	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain output balancing audit trails. CC ID 00928	Establish/Maintain Documentation	Detective
Establish and maintain an error suspense file for rejected transactions. CC ID 06623	Records Management	Preventive
Establish and maintain reconciliation audit trails. CC ID 11647	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a data processing output log. CC ID 06624	Log Management	Preventive
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929	Establish/Maintain Documentation	Detective
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930	Establish/Maintain Documentation	Preventive
Review and approve output exceptions. CC ID 06625	Records Management	Preventive
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627	Testing	Detective

System hardening through configuration management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
System hardening through configuration management CC ID 00860	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain system hardening procedures. CC ID 12001	Establish/Maintain Documentation	Preventive
Configure the time server in accordance with organizational standards. CC ID 06426	Configuration	Preventive
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical-shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]	Configuration	Preventive

Systems design, build, and implementation

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Systems design, build, and implementation CC ID 00989	IT Impact Zone	IT Impact Zone
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems Design, Build, and Implementation	Preventive
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Systems Design, Build, and Implementation	Preventive
Specify appropriate tools for the system development project. CC ID 06830	Establish/Maintain Documentation	Preventive
Implement security controls in development endpoints. CC ID 16389	Testing	Preventive
Initiate the System Development Life Cycle implementation phase. CC ID 06268	Systems Design, Build, and Implementation	Preventive
Establish, implement, and maintain a system implementation standard. CC ID 01111	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Establish/Maintain Documentation	Preventive
Include an implementation schedule in the implementation plan. CC ID 16124	Establish/Maintain Documentation	Preventive
Include the allocation of resources in the implementation plan. CC ID 16122	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the implementation plan. CC ID 16121	Establish/Maintain Documentation	Preventive
Approve implementation plans, as necessary. CC ID 13628	Establish/Maintain Documentation	Corrective
Manage the system implementation process. CC ID 01115	Behavior	Preventive
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]	Testing	Detective

Technical security

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Technical security CC ID 00508	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain an access control program. CC ID 11702	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]	Establish/Maintain Documentation	Preventive
Include compliance requirements in the access control policy. CC ID 14006	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the access control policy. CC ID 14005	Establish/Maintain Documentation	Preventive
Include management commitment in the access control policy. CC ID 14004	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the access control policy. CC ID 14003	Establish/Maintain Documentation	Preventive
Include the scope in the access control policy. CC ID 14002	Establish/Maintain Documentation	Preventive
Include the purpose in the access control policy. CC ID 14001	Establish/Maintain Documentation	Preventive
Document the business need justification for user accounts. CC ID 15490	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Establish/Maintain Documentation	Preventive
Identify information system users. CC ID 12081	Technical Security	Detective
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]	Technical Security	Detective
Match user accounts to authorized parties. CC ID 12126	Configuration	Detective
Control access rights to organizational assets. CC ID 00004	Technical Security	Preventive
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Technical Security	Preventive
Assign user permissions based on job responsibilities. CC ID 00538	Technical Security	Preventive
Assign user privileges after they have management sign off. CC ID 00542	Technical Security	Preventive
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767	Configuration	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Establish Roles	Preventive
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]	Data and Information Management	Preventive
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Technical Security	Preventive
Establish, implement, and maintain an authority for access authorization list. CC ID 06782	Establish/Maintain Documentation	Preventive
Review and approve logical access to all assets based upon organizational policies. CC ID 06641	Technical Security	Preventive
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515	Technical Security	Preventive
Assign roles and responsibilities for administering user account management. CC ID 11900	Human Resources Management	Preventive
Automate access control methods, as necessary. CC ID 11838	Technical Security	Preventive
Automate Access Control Systems, as necessary. CC ID 06854	Technical Security	Preventive
Refrain from storing logon credentials for third party applications. CC ID 13690	Technical Security	Preventive
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048	Technical Security	Preventive
Notify interested personnel when user accounts are added or deleted. CC ID 14327	Communicate	Detective
Remove inactive user accounts, as necessary. CC ID 00517	Technical Security	Corrective
Remove temporary user accounts, as necessary. CC ID 11839	Technical Security	Corrective
Establish, implement, and maintain a password policy. CC ID 16346	Establish/Maintain Documentation	Preventive
Enforce the password policy. CC ID 16347	Technical Security	Preventive
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518	Establish/Maintain Documentation	Preventive
Limit superuser accounts to designated System Administrators. CC ID 06766	Configuration	Preventive
Enforce usage restrictions for superuser accounts. CC ID 07064	Technical Security	Preventive
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Establish/Maintain Documentation	Preventive
Implement out-of-band authentication, as necessary. CC ID 10606	Technical Security	Corrective
Grant access to authorized personnel or systems. CC ID 12186	Configuration	Preventive
Document approving and granting access in the access control log. CC ID 06786	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442	Communicate	Preventive
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171	Establish/Maintain Documentation	Preventive
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406	Establish/Maintain Documentation	Preventive
Include the date and time that access was reviewed in the system record. CC ID 16416	Data and Information Management	Preventive
Include the date and time that access rights were changed in the system record. CC ID 16415	Establish/Maintain Documentation	Preventive
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123	Communicate	Corrective
Identify and control all network access controls. CC ID 00529	Technical Security	Preventive
Establish, implement, and maintain a Boundary Defense program. CC ID 00544	Establish/Maintain Documentation	Preventive
Segregate systems in accordance with organizational standards. CC ID 12546	Technical Security	Preventive
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533	Technical Security	Preventive
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2 {processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]	Data and Information Management	Preventive
Enforce information flow control. CC ID 11781	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain information flow control configuration standards. CC ID 01924	Establish/Maintain Documentation	Preventive
Constrain the information flow of restricted data or restricted information. CC ID 06763	Data and Information Management	Preventive
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]	Data and Information Management	Preventive
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Establish/Maintain Documentation	Preventive
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242	Data and Information Management	Preventive
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243	Data and Information Management	Preventive
Control all methods of remote access and teleworking. CC ID 00559	Technical Security	Preventive
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]	Configuration	Preventive
Implement phishing-resistant multifactor authentication techniques. CC ID 16541	Technical Security	Preventive
Document and approve requests to bypass multifactor authentication. CC ID 15464	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a malicious code protection program. CC ID 00574	Establish/Maintain Documentation	Preventive
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Configuration	Preventive
Install and maintain container security solutions. CC ID 16178	Technical Security	Preventive

Third Party and supply chain oversight

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Third Party and supply chain oversight CC ID 08807	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a supply chain management program. CC ID 11742	Establish/Maintain Documentation	Preventive
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Process or Activity	Detective
Include a description of the data or information to be covered in third party contracts. CC ID 06510	Establish/Maintain Documentation	Preventive
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Business Processes	Preventive
Include risk management procedures in the supply chain management policy. CC ID 08811	Establish/Maintain Documentation	Preventive
Perform risk assessments of third parties, as necessary. CC ID 06454	Testing	Detective
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Establish/Maintain Documentation	Preventive

Common Controls and
mandates by Type 86 Mandated Controls - bold
109 Implied Controls - italic 735 Implementation

Number of Controls

930 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Correct defective acquired goods or services. CC ID 06911	Acquisition or sale of facilities, technology, and services	Corrective
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Preventive

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Audits and risk management	Detective
Provide the patient with a summary of care record, as necessary. CC ID 14441	Records management	Preventive

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Monitoring and measurement	Preventive
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and risk management	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]	Audits and risk management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and risk management	Preventive
Identify the material risks in the risk assessment report. CC ID 06482	Audits and risk management	Preventive
Assess the potential level of business impact risk associated with each business process. CC ID 06463	Audits and risk management	Detective
Assess the potential level of business impact risk associated with the business environment. CC ID 06464	Audits and risk management	Detective
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465	Audits and risk management	Detective
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466	Audits and risk management	Detective
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467	Audits and risk management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and risk management	Detective
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and risk management	Detective
Assess the potential level of business impact risk associated with external entities. CC ID 06469	Audits and risk management	Detective
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and risk management	Detective
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Audits and risk management	Preventive
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and risk management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282	Leadership and high level objectives	Preventive
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283	Leadership and high level objectives	Preventive
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Audits and risk management	Preventive
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Physical and environmental protection	Preventive
Manage constituent identification inside the facility. CC ID 02215	Physical and environmental protection	Preventive
Issue visitor identification badges to all non-employees. CC ID 00543	Physical and environmental protection	Preventive
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Physical and environmental protection	Preventive
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Physical and environmental protection	Preventive
Train all personnel and third parties, as necessary. CC ID 00785	Human Resources management	Preventive
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823	Human Resources management	Preventive
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211	Human Resources management	Preventive
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Human Resources management	Corrective
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Preventive
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Preventive
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Operational management	Preventive
Disseminate and communicate software update information to users and regulators. CC ID 06602	Operational management	Preventive
Manage the system implementation process. CC ID 01115	Systems design, build, and implementation	Preventive
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Detective
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Corrective

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688	Leadership and high level objectives	Preventive
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Leadership and high level objectives	Preventive
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Preventive
Estimate the costs of implementing the compliance framework. CC ID 07191	Leadership and high level objectives	Preventive
Include an appeal process in the identification issuance procedures. CC ID 15428	Physical and environmental protection	Preventive
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Operational management	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Preventive
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Preventive
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Preventive
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Preventive
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Preventive
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Preventive
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Preventive
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Preventive
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Preventive
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]	Operational management	Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Preventive
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Operational management	Preventive
Examine all changes to ensure they correspond with the change request. CC ID 12345	Operational management	Detective
Implement changes according to the change control program. CC ID 11776	Operational management	Preventive
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Operational management	Preventive
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Operational management	Corrective
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988	Records management	Detective
Establish, implement, and maintain decision support interventions. CC ID 14443	Records management	Preventive
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009	Records management	Preventive
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010	Records management	Preventive
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011	Records management	Preventive
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012	Records management	Preventive
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013	Records management	Preventive
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Preventive
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Third Party and supply chain oversight	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Preventive
Notify interested personnel when user accounts are added or deleted. CC ID 14327	Technical security	Detective
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442	Technical security	Preventive
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123	Technical security	Corrective
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Preventive
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445	Human Resources management	Preventive
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138	Human Resources management	Preventive
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632	Human Resources management	Preventive
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Preventive
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Operational management	Preventive
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Preventive
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Preventive
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Preventive
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788	Operational management	Corrective
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474	Operational management	Preventive
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Preventive
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]	Privacy protection for information and data	Corrective
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]	Privacy protection for information and data	Corrective

Configuration

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Match user accounts to authorized parties. CC ID 12126	Technical security	Detective
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767	Technical security	Preventive
Limit superuser accounts to designated System Administrators. CC ID 06766	Technical security	Preventive
Grant access to authorized personnel or systems. CC ID 12186	Technical security	Preventive
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]	Technical security	Preventive
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Technical security	Preventive
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]	Operational and Systems Continuity	Preventive
Deploy software patches in accordance with organizational standards. CC ID 07032	Operational management	Corrective
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Operational management	Corrective
Remove outdated software after software has been updated. CC ID 11792	Operational management	Corrective
Update computer firmware, as necessary. CC ID 11755	Operational management	Corrective
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Operational management	Corrective
Establish, implement, and maintain a configuration change log. CC ID 08710	Operational management	Detective
Configure the time server in accordance with organizational standards. CC ID 06426	System hardening through configuration management	Preventive
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical-shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]	System hardening through configuration management	Preventive
Implement electronic storage media integrity controls. CC ID 00946	Records management	Preventive
Automate electronic storage media integrity check controls. CC ID 00948	Records management	Preventive
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950	Records management	Preventive
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Preventive
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Preventive
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Preventive

Data and Information Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787	Leadership and high level objectives	Preventive
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786	Leadership and high level objectives	Preventive
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785	Leadership and high level objectives	Preventive
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784	Leadership and high level objectives	Preventive
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997	Leadership and high level objectives	Preventive
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783	Leadership and high level objectives	Preventive
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996	Leadership and high level objectives	Preventive
Classify the value of information in the information classification standard. CC ID 11995	Leadership and high level objectives	Preventive
Classify the legal requirements of information in the information classification standard. CC ID 11994	Leadership and high level objectives	Preventive
Define the scope of the security policy. CC ID 07145	Leadership and high level objectives	Preventive
Overwrite the oldest records when audit logging fails. CC ID 14308	Monitoring and measurement	Preventive
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]	Technical security	Preventive
Include the date and time that access was reviewed in the system record. CC ID 16416	Technical security	Preventive
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2 {processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]	Technical security	Preventive
Constrain the information flow of restricted data or restricted information. CC ID 06763	Technical security	Preventive
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]	Technical security	Preventive
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242	Technical security	Preventive
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243	Technical security	Preventive
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Preventive
Transport backup media in lockable electronic media storage containers. CC ID 01264	Operational and Systems Continuity	Preventive
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257	Operational and Systems Continuity	Preventive
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Preventive
Identify the sender in all electronic messages. CC ID 13996	Operational management	Preventive
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289	Operational management	Preventive
Record a unique name for each asset in the asset inventory. CC ID 16305	Operational management	Preventive
Record the status of information systems in the asset inventory. CC ID 16304	Operational management	Preventive
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301	Operational management	Preventive
Record software license information for each asset in the asset inventory. CC ID 11736	Operational management	Preventive
Record the operating system version for applicable assets in the asset inventory. CC ID 11748	Operational management	Preventive
Record rooms at external locations in the asset inventory. CC ID 16302	Operational management	Preventive
Record trusted keys and certificates in the asset inventory. CC ID 15486	Operational management	Preventive
Record cipher suites and protocols in the asset inventory. CC ID 15489	Operational management	Preventive
Approve tested change requests. CC ID 11783	Operational management	Preventive
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Operational management	Preventive
Remove non-public information from publicly accessible systems. CC ID 14246	Records management	Corrective
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Records management	Detective
Establish, implement, and maintain electronic health records. CC ID 14436	Records management	Preventive
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Records management	Preventive
Import data files into a patient's electronic health record. CC ID 14448	Records management	Preventive
Export requested sections of the electronic health record. CC ID 14447	Records management	Preventive
Display the implantable device list to authorized users. CC ID 14445	Records management	Preventive
Include attributes in the decision support intervention. CC ID 16766	Records management	Preventive
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Records management	Detective
Establish, implement, and maintain data availability controls. CC ID 15301	Records management	Preventive
Control error handling when data is being inputted. CC ID 00922	Records management	Detective
Use automated entry devices to reduce errors during data input. CC ID 06626	Records management	Preventive
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Records management	Preventive
Label restricted storage media appropriately. CC ID 00966	Records management	Preventive
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896	Records management	Preventive
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202	Records management	Preventive
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Preventive
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Preventive
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]	Privacy protection for information and data	Preventive
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Preventive
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]	Privacy protection for information and data	Preventive
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Preventive
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Preventive
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Preventive
Limit data leakage. CC ID 00356	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Detective
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Detective
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Detective
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Detective
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Preventive
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Privacy protection for information and data	Corrective
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Preventive
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Corrective

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Leadership and high level objectives	Preventive
Assign the appropriate roles to all applicable compliance documents. CC ID 06284	Leadership and high level objectives	Preventive
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Preventive
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Preventive
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Preventive
Assign roles and responsibilities for physical security, as necessary. CC ID 13113	Human Resources management	Preventive
Identify and define all critical roles. CC ID 00777	Human Resources management	Preventive
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Human Resources management	Preventive
Assign the role of security management to applicable controls. CC ID 06444	Human Resources management	Preventive
Define and assign the data controller's roles and responsibilities. CC ID 00471	Human Resources management	Preventive
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Preventive
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Preventive
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Human Resources management	Preventive
Assign the role of logical access control to applicable controls. CC ID 00772	Human Resources management	Preventive
Assign the role of asset physical security to applicable controls. CC ID 00770	Human Resources management	Preventive
Assign the role of data custodian to applicable controls. CC ID 04789	Human Resources management	Preventive
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Human Resources management	Preventive
Assign interested personnel to the Quality Management committee. CC ID 07193	Human Resources management	Preventive
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Human Resources management	Preventive
Assign the role of fire protection management to applicable controls. CC ID 04891	Human Resources management	Preventive
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Human Resources management	Preventive
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Human Resources management	Preventive
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Human Resources management	Preventive
Assign security clearance procedures to qualified personnel. CC ID 06812	Human Resources management	Preventive
Assign personnel screening procedures to qualified personnel. CC ID 11699	Human Resources management	Preventive
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Human Resources management	Preventive
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1 In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]	Human Resources management	Detective
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Preventive
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Operational management	Preventive
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Preventive
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878	Operational management	Preventive
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879	Operational management	Preventive
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880	Operational management	Preventive
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881	Operational management	Preventive
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882	Operational management	Preventive
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883	Operational management	Preventive
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884	Operational management	Preventive
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885	Operational management	Preventive
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886	Operational management	Preventive
Establish, implement, and maintain data processing integrity controls. CC ID 00923	Records management	Preventive
Process restricted data lawfully and carefully. CC ID 00086	Privacy protection for information and data	Preventive

Establish/Maintain Documentation

389

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]	Leadership and high level objectives	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]	Leadership and high level objectives	Preventive
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608	Leadership and high level objectives	Preventive
Correlate Information Systems with applicable controls. CC ID 01621	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956	Leadership and high level objectives	Preventive
Include the effective date on all organizational policies. CC ID 06820	Leadership and high level objectives	Preventive
Include threats in the organization’s policies, standards, and procedures. CC ID 12953	Leadership and high level objectives	Preventive
Analyze organizational policies, as necessary. CC ID 14037	Leadership and high level objectives	Detective
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945	Leadership and high level objectives	Preventive
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Leadership and high level objectives	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Leadership and high level objectives	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Leadership and high level objectives	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Leadership and high level objectives	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Leadership and high level objectives	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Leadership and high level objectives	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Leadership and high level objectives	Preventive
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Leadership and high level objectives	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Leadership and high level objectives	Detective
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Preventive
Align the Authority Document list with external requirements. CC ID 06288	Leadership and high level objectives	Preventive
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114	Leadership and high level objectives	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Leadership and high level objectives	Preventive
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Preventive
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Detective
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631	Leadership and high level objectives	Preventive
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Preventive
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Preventive
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774	Monitoring and measurement	Corrective
Include identity information of suspects in the suspicious activity report. CC ID 16648	Monitoring and measurement	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a log management program. CC ID 00673	Monitoring and measurement	Preventive
Identify and communicate improvements in metrics reporting. CC ID 06921	Monitoring and measurement	Corrective
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706	Audits and risk management	Preventive
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483	Audits and risk management	Preventive
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704	Audits and risk management	Detective
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Preventive
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]	Technical security	Preventive
Include compliance requirements in the access control policy. CC ID 14006	Technical security	Preventive
Include coordination amongst entities in the access control policy. CC ID 14005	Technical security	Preventive
Include management commitment in the access control policy. CC ID 14004	Technical security	Preventive
Include roles and responsibilities in the access control policy. CC ID 14003	Technical security	Preventive
Include the scope in the access control policy. CC ID 14002	Technical security	Preventive
Include the purpose in the access control policy. CC ID 14001	Technical security	Preventive
Document the business need justification for user accounts. CC ID 15490	Technical security	Preventive
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815	Technical security	Preventive
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061	Technical security	Preventive
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Preventive
Establish, implement, and maintain an authority for access authorization list. CC ID 06782	Technical security	Preventive
Establish, implement, and maintain a password policy. CC ID 16346	Technical security	Preventive
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518	Technical security	Preventive
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Technical security	Preventive
Document approving and granting access in the access control log. CC ID 06786	Technical security	Preventive
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171	Technical security	Preventive
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406	Technical security	Preventive
Include the date and time that access rights were changed in the system record. CC ID 16415	Technical security	Preventive
Establish, implement, and maintain a Boundary Defense program. CC ID 00544	Technical security	Preventive
Establish, implement, and maintain information flow control configuration standards. CC ID 01924	Technical security	Preventive
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410	Technical security	Preventive
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Technical security	Preventive
Document and approve requests to bypass multifactor authentication. CC ID 15464	Technical security	Preventive
Establish, implement, and maintain a malicious code protection program. CC ID 00574	Technical security	Preventive
Establish, implement, and maintain a physical security program. CC ID 11757	Physical and environmental protection	Preventive
Establish, implement, and maintain a facility physical security program. CC ID 00711	Physical and environmental protection	Preventive
Identify and document physical access controls for all physical entry points. CC ID 01637	Physical and environmental protection	Preventive
Establish, implement, and maintain physical access procedures. CC ID 13629	Physical and environmental protection	Preventive
Establish, implement, and maintain a visitor access permission policy. CC ID 06699	Physical and environmental protection	Preventive
Escort visitors within the facility, as necessary. CC ID 06417	Physical and environmental protection	Preventive
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048	Physical and environmental protection	Preventive
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436	Physical and environmental protection	Preventive
Authorize physical access to sensitive areas based on job functions. CC ID 12462	Physical and environmental protection	Preventive
Establish, implement, and maintain physical identification procedures. CC ID 00713	Physical and environmental protection	Preventive
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819	Physical and environmental protection	Preventive
Document all lost badges in a lost badge list. CC ID 12448	Physical and environmental protection	Corrective
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598	Physical and environmental protection	Preventive
Include error handling controls in identification issuance procedures. CC ID 13709	Physical and environmental protection	Preventive
Include information security in the identification issuance procedures. CC ID 15425	Physical and environmental protection	Preventive
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426	Physical and environmental protection	Preventive
Include an identity registration process in the identification issuance procedures. CC ID 11671	Physical and environmental protection	Preventive
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599	Physical and environmental protection	Preventive
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596	Physical and environmental protection	Preventive
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306	Physical and environmental protection	Preventive
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540	Physical and environmental protection	Preventive
Establish, implement, and maintain asset return procedures. CC ID 04537	Physical and environmental protection	Preventive
Establish, implement, and maintain a business continuity program. CC ID 13210	Operational and Systems Continuity	Preventive
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Operational and Systems Continuity	Preventive
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250	Operational and Systems Continuity	Preventive
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]	Human Resources management	Preventive
Assign the roles and responsibilities for the asset management system. CC ID 14368	Human Resources management	Preventive
Establish, implement, and maintain a personnel management program. CC ID 14018	Human Resources management	Preventive
Establish, implement, and maintain a personnel security program. CC ID 10628	Human Resources management	Preventive
Establish, implement, and maintain personnel screening procedures. CC ID 11700	Human Resources management	Preventive
Perform a criminal records check during personnel screening. CC ID 06643	Human Resources management	Preventive
Document any reasons a full criminal records check could not be performed. CC ID 13305	Human Resources management	Preventive
Perform an academic records check during personnel screening. CC ID 06647	Human Resources management	Preventive
Document the personnel risk assessment results. CC ID 11764	Human Resources management	Detective
Establish, implement, and maintain security clearance procedures. CC ID 00783	Human Resources management	Preventive
Document the security clearance procedure results. CC ID 01635	Human Resources management	Detective
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549	Human Resources management	Preventive
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781	Human Resources management	Preventive
Establish, implement, and maintain job applications. CC ID 16180	Human Resources management	Preventive
Establish, implement, and maintain training plans. CC ID 00828	Human Resources management	Preventive
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Human Resources management	Preventive
Establish, implement, and maintain a security awareness and training policy. CC ID 14022	Human Resources management	Preventive
Include compliance requirements in the security awareness and training policy. CC ID 14092	Human Resources management	Preventive
Include coordination amongst entities in the security awareness and training policy. CC ID 14091	Human Resources management	Preventive
Establish, implement, and maintain security awareness and training procedures. CC ID 14054	Human Resources management	Preventive
Include management commitment in the security awareness and training policy. CC ID 14049	Human Resources management	Preventive
Include roles and responsibilities in the security awareness and training policy. CC ID 14048	Human Resources management	Preventive
Include the scope in the security awareness and training policy. CC ID 14047	Human Resources management	Preventive
Include the purpose in the security awareness and training policy. CC ID 14045	Human Resources management	Preventive
Include configuration management procedures in the security awareness program. CC ID 13967	Human Resources management	Preventive
Document security awareness requirements. CC ID 12146	Human Resources management	Preventive
Include safeguards for information systems in the security awareness program. CC ID 13046	Human Resources management	Preventive
Include security policies and security standards in the security awareness program. CC ID 13045	Human Resources management	Preventive
Include mobile device security guidelines in the security awareness program. CC ID 11803	Human Resources management	Preventive
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802	Human Resources management	Preventive
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Human Resources management	Preventive
Include remote access in the security awareness program. CC ID 13892	Human Resources management	Preventive
Document the goals of the security awareness program. CC ID 12145	Human Resources management	Preventive
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150	Human Resources management	Preventive
Document the scope of the security awareness program. CC ID 12148	Human Resources management	Preventive
Establish, implement, and maintain a security awareness baseline. CC ID 12147	Human Resources management	Preventive
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363	Human Resources management	Preventive
Establish, implement, and maintain a Code of Conduct. CC ID 04897	Human Resources management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Operational management	Preventive
Include physical safeguards in the information security program. CC ID 12375	Operational management	Preventive
Include technical safeguards in the information security program. CC ID 12374	Operational management	Preventive
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Preventive
Include system development in the information security program. CC ID 12389	Operational management	Preventive
Include system maintenance in the information security program. CC ID 12388	Operational management	Preventive
Include system acquisition in the information security program. CC ID 12387	Operational management	Preventive
Include access control in the information security program. CC ID 12386	Operational management	Preventive
Include operations management in the information security program. CC ID 12385	Operational management	Preventive
Include communication management in the information security program. CC ID 12384	Operational management	Preventive
Include environmental security in the information security program. CC ID 12383	Operational management	Preventive
Include physical security in the information security program. CC ID 12382	Operational management	Preventive
Include human resources security in the information security program. CC ID 12381	Operational management	Preventive
Include asset management in the information security program. CC ID 12380	Operational management	Preventive
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Preventive
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Preventive
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Preventive
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Preventive
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Preventive
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Preventive
Include risk management in the information security program. CC ID 12378	Operational management	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]	Operational management	Preventive
Include business processes in the information security policy. CC ID 16326	Operational management	Preventive
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Preventive
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Preventive
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Preventive
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Preventive
Include information security objectives in the information security policy. CC ID 13493	Operational management	Preventive
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Preventive
Include notification procedures in the information security policy. CC ID 16842	Operational management	Preventive
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Preventive
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Preventive
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]	Operational management	Preventive
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Preventive
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Preventive
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Preventive
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Preventive
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Preventive
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Preventive
Include startup processes in operational control procedures. CC ID 00833	Operational management	Preventive
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Preventive
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Preventive
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Preventive
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Preventive
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Preventive
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Preventive
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Preventive
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Preventive
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Preventive
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Preventive
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Preventive
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Preventive
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Preventive
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Preventive
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Preventive
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Corrective
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Preventive
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Preventive
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Preventive
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Preventive
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]	Operational management	Preventive
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control]	Operational management	Preventive
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Preventive
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Preventive
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Preventive
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Preventive
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Preventive
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Preventive
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Preventive
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Preventive
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Preventive
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Preventive
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Preventive
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Preventive
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Preventive
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Preventive
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Preventive
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Preventive
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Preventive
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Preventive
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Preventive
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Corrective
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Preventive
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Preventive
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Preventive
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Preventive
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Preventive
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Preventive
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Preventive
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Preventive
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Preventive
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Preventive
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Preventive
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]	Operational management	Preventive
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Preventive
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Preventive
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689	Operational management	Preventive
Include all account types in the Information Technology inventory. CC ID 13311	Operational management	Preventive
Include each Information System's major applications in the Information Technology inventory. CC ID 01407	Operational management	Preventive
Categorize all major applications according to the business information they process. CC ID 07182	Operational management	Preventive
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164	Operational management	Preventive
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408	Operational management	Preventive
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409	Operational management	Preventive
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729	Operational management	Preventive
Establish, implement, and maintain a hardware asset inventory. CC ID 00691	Operational management	Preventive
Include network equipment in the Information Technology inventory. CC ID 00693	Operational management	Preventive
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719	Operational management	Preventive
Include software in the Information Technology inventory. CC ID 00692	Operational management	Preventive
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093	Operational management	Preventive
Establish, implement, and maintain a storage media inventory. CC ID 00694	Operational management	Preventive
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962	Operational management	Detective
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260	Operational management	Preventive
Add inventoried assets to the asset register database, as necessary. CC ID 07051	Operational management	Preventive
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181	Operational management	Preventive
Record the decommission date for applicable assets in the asset inventory. CC ID 14920	Operational management	Preventive
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918	Operational management	Preventive
Record the review date for applicable assets in the asset inventory. CC ID 14919	Operational management	Preventive
Record services for applicable assets in the asset inventory. CC ID 13733	Operational management	Preventive
Record protocols for applicable assets in the asset inventory. CC ID 13734	Operational management	Preventive
Record the software version in the asset inventory. CC ID 12196	Operational management	Preventive
Record the publisher for applicable assets in the asset inventory. CC ID 13725	Operational management	Preventive
Record the authentication system in the asset inventory. CC ID 13724	Operational management	Preventive
Tag unsupported assets in the asset inventory. CC ID 13723	Operational management	Preventive
Record the install date for applicable assets in the asset inventory. CC ID 13720	Operational management	Preventive
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465	Operational management	Preventive
Record the asset tag for physical assets in the asset inventory. CC ID 06632	Operational management	Preventive
Record the host name of applicable assets in the asset inventory. CC ID 13722	Operational management	Preventive
Record network ports for applicable assets in the asset inventory. CC ID 13730	Operational management	Preventive
Record the MAC address for applicable assets in the asset inventory. CC ID 13721	Operational management	Preventive
Record the operating system type for applicable assets in the asset inventory. CC ID 06633	Operational management	Preventive
Record the department associated with the asset in the asset inventory. CC ID 12084	Operational management	Preventive
Record the physical location for applicable assets in the asset inventory. CC ID 06634	Operational management	Preventive
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635	Operational management	Preventive
Record the firmware version for applicable assets in the asset inventory. CC ID 12195	Operational management	Preventive
Record the related business function for applicable assets in the asset inventory. CC ID 06636	Operational management	Preventive
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637	Operational management	Preventive
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638	Operational management	Preventive
Link the software asset inventory to the hardware asset inventory. CC ID 12085	Operational management	Preventive
Record the owner for applicable assets in the asset inventory. CC ID 06640	Operational management	Preventive
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696	Operational management	Preventive
Record all changes to assets in the asset inventory. CC ID 12190	Operational management	Preventive
Record cloud service derived data in the asset inventory. CC ID 13007	Operational management	Preventive
Include cloud service customer data in the asset inventory. CC ID 13006	Operational management	Preventive
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Preventive
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]	Operational management	Preventive
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Preventive
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Operational management	Preventive
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Corrective
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Preventive
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Preventive
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Preventive
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473	Operational management	Preventive
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]	Operational management	Detective
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Preventive
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Preventive
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Operational management	Preventive
Include potential consequences of unintended changes in the change control program. CC ID 12243	Operational management	Preventive
Include version control in the change control program. CC ID 13119	Operational management	Preventive
Include service design and transition in the change control program. CC ID 13920	Operational management	Preventive
Establish, implement, and maintain a back-out plan. CC ID 13623	Operational management	Preventive
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Operational management	Preventive
Approve back-out plans, as necessary. CC ID 13627	Operational management	Corrective
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Operational management	Preventive
Establish and maintain a change request approver list. CC ID 06795	Operational management	Preventive
Document all change requests in change request forms. CC ID 06794	Operational management	Preventive
Establish, implement, and maintain emergency change procedures. CC ID 00890	Operational management	Preventive
Log emergency changes after they have been performed. CC ID 12733	Operational management	Preventive
Provide audit trails for all approved changes. CC ID 13120	Operational management	Preventive
Document the sources of all software updates. CC ID 13316	Operational management	Preventive
Establish, implement, and maintain a patch management policy. CC ID 16432	Operational management	Preventive
Establish, implement, and maintain patch management procedures. CC ID 15224	Operational management	Preventive
Establish, implement, and maintain a patch log. CC ID 01642	Operational management	Preventive
Establish, implement, and maintain a software release policy. CC ID 00893	Operational management	Preventive
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Operational management	Detective
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Operational management	Corrective
Update associated documentation after the system configuration has been changed. CC ID 00891	Operational management	Preventive
Document approved configuration deviations. CC ID 08711	Operational management	Corrective
Establish, implement, and maintain system hardening procedures. CC ID 12001	System hardening through configuration management	Preventive
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Detective
Establish, implement, and maintain a data retention program. CC ID 00906	Records management	Detective
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]	Records management	Preventive
Assign ownership for all electronic records. CC ID 14814	Records management	Preventive
Attribute electronic records, as necessary. CC ID 14820	Records management	Preventive
Establish, implement, and maintain a system input log. CC ID 13531	Records management	Preventive
Establish, implement, and maintain authorization records. CC ID 14367	Records management	Preventive
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Records management	Preventive
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Records management	Preventive
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Records management	Preventive
Create summary of care records in accordance with applicable standards. CC ID 14440	Records management	Preventive
Log the number of routine items received into the recordkeeping system. CC ID 11701	Records management	Preventive
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]	Records management	Preventive
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535	Records management	Preventive
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Records management	Preventive
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Records management	Preventive
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656	Records management	Preventive
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926	Records management	Preventive
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931	Records management	Preventive
Establish, implement, and maintain security label procedures. CC ID 06747	Records management	Preventive
Establish, implement, and maintain restricted material identification procedures. CC ID 01889	Records management	Preventive
Conspicuously locate the restricted record's overall classification. CC ID 01890	Records management	Preventive
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891	Records management	Preventive
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892	Records management	Preventive
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893	Records management	Preventive
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894	Records management	Preventive
Establish the minimum originator requirements for security labels. CC ID 06579	Records management	Preventive
Establish the minimum intermediate system requirements for security labels. CC ID 06581	Records management	Preventive
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580	Records management	Preventive
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582	Records management	Preventive
Establish, implement, and maintain a records lifecycle management program. CC ID 00951	Records management	Preventive
Establish, implement, and maintain an information preservation policy. CC ID 16483	Records management	Preventive
Establish, implement, and maintain information preservation procedures. CC ID 06277	Records management	Preventive
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934	Records management	Preventive
Provide audit trails for all pertinent records. CC ID 00372	Records management	Detective
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320	Records management	Preventive
Include the date and time in the removable storage media log. CC ID 12318	Records management	Preventive
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315	Records management	Preventive
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754	Records management	Preventive
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753	Records management	Preventive
Include the sender's name in the removable storage media log. CC ID 12752	Records management	Preventive
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751	Records management	Preventive
Include the reason for transfer in the removable storage media log. CC ID 12316	Records management	Preventive
Document all actions taken when downgrading electronic storage media. CC ID 10622	Records management	Preventive
Establish, implement, and maintain output distribution procedures. CC ID 00927	Records management	Preventive
Include printed output in output distribution procedures. CC ID 13477	Records management	Preventive
Establish, implement, and maintain document retention procedures. CC ID 11660	Records management	Preventive
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650	Records management	Preventive
Establish, implement, and maintain output balancing audit trails. CC ID 00928	Records management	Detective
Establish and maintain reconciliation audit trails. CC ID 11647	Records management	Preventive
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929	Records management	Detective
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930	Records management	Preventive
Specify appropriate tools for the system development project. CC ID 06830	Systems design, build, and implementation	Preventive
Establish, implement, and maintain a system implementation standard. CC ID 01111	Systems design, build, and implementation	Preventive
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Systems design, build, and implementation	Preventive
Include an implementation schedule in the implementation plan. CC ID 16124	Systems design, build, and implementation	Preventive
Include the allocation of resources in the implementation plan. CC ID 16122	Systems design, build, and implementation	Preventive
Include roles and responsibilities in the implementation plan. CC ID 16121	Systems design, build, and implementation	Preventive
Approve implementation plans, as necessary. CC ID 13628	Systems design, build, and implementation	Corrective
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Acquisition or sale of facilities, technology, and services	Preventive
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Preventive
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Preventive
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Preventive
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Preventive
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Preventive
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Preventive
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Preventive
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Preventive
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Detective
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Preventive
Include a description of the data or information to be covered in third party contracts. CC ID 06510	Third Party and supply chain oversight	Preventive
Include risk management procedures in the supply chain management policy. CC ID 08811	Third Party and supply chain oversight	Preventive
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Third Party and supply chain oversight	Preventive

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign roles and responsibilities for administering user account management. CC ID 11900	Technical security	Preventive
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030	Physical and environmental protection	Preventive
Direct each employee to be responsible for their identification card or badge. CC ID 12332	Physical and environmental protection	Preventive
Assign employees the responsibility for controlling their identification badges. CC ID 12333	Physical and environmental protection	Preventive
Establish and maintain an Information Technology steering committee. CC ID 12706	Human Resources management	Preventive
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]	Human Resources management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]	Human Resources management	Preventive
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201	Human Resources management	Preventive
Document the use of external experts. CC ID 16263	Human Resources management	Preventive
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660	Human Resources management	Preventive
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources management	Preventive
Assign the roles and responsibilities for the change control program. CC ID 13118	Human Resources management	Preventive
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources management	Preventive
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources management	Preventive
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources management	Preventive
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources management	Preventive
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Preventive
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Preventive
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Preventive
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Preventive
Define and assign the roles and responsibilities of security guards. CC ID 12543	Human Resources management	Preventive
Define and assign roles and responsibilities for dispute resolution. CC ID 13626	Human Resources management	Preventive
Define and assign the roles for Legal Support Workers. CC ID 13711	Human Resources management	Preventive
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]	Human Resources management	Detective
Perform a background check during personnel screening. CC ID 11758	Human Resources management	Detective
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources management	Preventive
Perform a personal references check during personnel screening. CC ID 06645	Human Resources management	Preventive
Perform a credit check during personnel screening. CC ID 06646	Human Resources management	Preventive
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]	Human Resources management	Preventive
Perform a curriculum vitae check during personnel screening. CC ID 06660	Human Resources management	Preventive
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720	Human Resources management	Preventive
Perform personnel screening procedures, as necessary. CC ID 11763	Human Resources management	Preventive
Perform periodic background checks on designated roles, as necessary. CC ID 11759	Human Resources management	Detective
Perform security clearance procedures, as necessary. CC ID 06644	Human Resources management	Preventive
Establish and maintain security clearances. CC ID 01634	Human Resources management	Preventive
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources management	Preventive
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151	Human Resources management	Preventive
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149	Human Resources management	Preventive
Encourage interested personnel to obtain security certification. CC ID 11804	Human Resources management	Preventive
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Preventive
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Preventive
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b) The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Operational management	Preventive
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]	Operational management	Preventive
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887	Operational management	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Physical and environmental protection CC ID 00709	Physical and environmental protection	IT Impact Zone
Operational and Systems Continuity CC ID 00731	Operational and Systems Continuity	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
System hardening through configuration management CC ID 00860	System hardening through configuration management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925	Monitoring and measurement	Corrective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Detective
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Audits and risk management	Preventive
Perform social network analysis, as necessary. CC ID 14864	Operational management	Detective
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886	Operational management	Detective
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Operational management	Detective
Collect data about the network environment when certifying the network. CC ID 13125	Operational management	Detective
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Detective

Log Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Detective
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638	Monitoring and measurement	Detective
Establish, implement, and maintain event logging procedures. CC ID 01335	Monitoring and measurement	Detective
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Monitoring and measurement	Preventive
Protect the event logs from failure. CC ID 06290	Monitoring and measurement	Preventive
Review and update event logs and audit logs, as necessary. CC ID 00596	Monitoring and measurement	Detective
Eliminate false positives in event logs and audit logs. CC ID 07047	Monitoring and measurement	Corrective
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207	Monitoring and measurement	Detective
Reproduce the event log if a log failure is captured. CC ID 01426	Monitoring and measurement	Preventive
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control {use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Preventive
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]	Monitoring and measurement	Preventive
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Operational management	Corrective
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Records management	Preventive
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Records management	Preventive
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Records management	Preventive
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Records management	Preventive
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Records management	Preventive
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Records management	Preventive
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Records management	Preventive
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Records management	Preventive
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Records management	Preventive
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Records management	Preventive
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Records management	Preventive
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Records management	Preventive
Log performance monitoring into the recordkeeping system. CC ID 11724	Records management	Preventive
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Records management	Preventive
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Records management	Preventive
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Records management	Preventive
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Records management	Preventive
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Records management	Preventive
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Records management	Preventive
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Records management	Preventive
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Records management	Preventive
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Records management	Preventive
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Preventive
Establish, implement, and maintain a data processing output log. CC ID 06624	Records management	Preventive
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Preventive
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Preventive
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Detective
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Detective

Maintenance

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Operational management	Preventive

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Preventive
Enforce information flow control. CC ID 11781	Technical security	Preventive
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747	Physical and environmental protection	Preventive
Monitor and measure the effectiveness of security awareness. CC ID 06262	Human Resources management	Detective
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Preventive
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052	Operational management	Corrective
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053	Operational management	Corrective
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920	Records management	Detective
Establish, implement, and maintain data accuracy controls. CC ID 00921	Records management	Detective
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935	Records management	Detective
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Preventive
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Detective
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Corrective
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Detective
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Detective

Physical and Environmental Protection

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and environmental protection	Preventive
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419	Physical and environmental protection	Preventive
Secure physical entry points with physical access controls or security guards. CC ID 01640	Physical and environmental protection	Detective
Configure the access control system to grant access only during authorized working hours. CC ID 12325	Physical and environmental protection	Preventive
Check the visitor's stated identity against a provided government issued identification. CC ID 06701	Physical and environmental protection	Preventive
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463	Physical and environmental protection	Corrective
Issue photo identification badges to all employees. CC ID 12326	Physical and environmental protection	Preventive
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334	Physical and environmental protection	Preventive
Manage visitor identification inside the facility. CC ID 11670	Physical and environmental protection	Preventive
Secure unissued visitor identification badges. CC ID 06712	Physical and environmental protection	Preventive
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331	Physical and environmental protection	Preventive
Restrict access to the badge system to authorized personnel. CC ID 12043	Physical and environmental protection	Preventive
Enforce dual control for badge assignments. CC ID 12328	Physical and environmental protection	Preventive
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327	Physical and environmental protection	Preventive
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282	Physical and environmental protection	Preventive
Prevent tailgating through physical entry points. CC ID 06685	Physical and environmental protection	Preventive
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and environmental protection	Preventive
Establish and maintain equipment security cages in a shared space environment. CC ID 06711	Physical and environmental protection	Preventive
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716	Physical and environmental protection	Preventive
Lock all lockable equipment cabinets. CC ID 11673	Physical and environmental protection	Detective
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718	Physical and environmental protection	Preventive
Protect distributed assets against theft. CC ID 06799	Physical and environmental protection	Preventive
Establish and maintain off-site electronic media storage facilities. CC ID 00957	Operational and Systems Continuity	Preventive
Conduct environmental surveys. CC ID 00690	Operational management	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Audits and risk management	Detective
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Audits and risk management	Detective
Implement physical identification processes. CC ID 13715	Physical and environmental protection	Preventive
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717	Physical and environmental protection	Preventive
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714	Physical and environmental protection	Preventive
Include identity proofing processes in the identification issuance procedures. CC ID 06597	Physical and environmental protection	Preventive
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]	Physical and environmental protection	Preventive
Perform backup procedures for in scope systems. CC ID 11692	Operational and Systems Continuity	Preventive
Include all residences in the criminal records check. CC ID 13306	Human Resources management	Preventive
Review and approve access controls, as necessary. CC ID 13074	Operational management	Detective
Provide management direction and support for the information security program. CC ID 11999	Operational management	Preventive
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]	Operational management	Preventive
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Preventive
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Preventive
Provide support for information sharing activities. CC ID 15644	Operational management	Preventive
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Operational management	Corrective
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885	Operational management	Preventive
Contain the incident to prevent further loss. CC ID 01751	Operational management	Corrective
Perform emergency changes, as necessary. CC ID 12707	Operational management	Preventive
Back up emergency changes after the change has been performed. CC ID 12734	Operational management	Preventive
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Operational management	Detective
Establish, implement, and maintain a patch management program. CC ID 00896	Operational management	Preventive
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008	Records management	Detective
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Detective
Process restricted information in a secure environment. CC ID 13058	Records management	Preventive
Establish, implement, and maintain data completeness controls. CC ID 11649	Records management	Preventive
Display required information automatically in electronic health records. CC ID 14442	Records management	Preventive
Create export summaries, as necessary. CC ID 14446	Records management	Preventive
Identify patient-specific education resources. CC ID 14439	Records management	Detective
Sanitize user input in accordance with organizational standards. CC ID 16856	Records management	Preventive
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619	Records management	Preventive
Identify electronic storage media that require downgrading. CC ID 10620	Records management	Detective
Downgrade electronic storage media, as necessary. CC ID 10621	Records management	Corrective
Authorize new assets prior to putting them into the production environment. CC ID 13530	Acquisition or sale of facilities, technology, and services	Preventive
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Detective
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Preventive
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Corrective
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Detective

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Preventive
Include source code in the asset inventory. CC ID 14858	Operational management	Preventive
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]	Records management	Preventive
Establish, implement, and maintain source document authorization tracking. CC ID 01262	Records management	Detective
Establish, implement, and maintain source document error handling tracking. CC ID 01263	Records management	Detective
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806	Records management	Preventive
Refrain from creating printed records as copies of electronic records. CC ID 11808	Records management	Preventive
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552	Records management	Detective
Establish, implement, and maintain a system storage log. CC ID 13532	Records management	Preventive
Protect records from loss in accordance with applicable requirements. CC ID 12007	Records management	Preventive
Capture the records required by organizational compliance requirements. CC ID 00912	Records management	Detective
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records management	Preventive
Establish and maintain an implantable device list. CC ID 14444	Records management	Preventive
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records management	Preventive
Log the termination date in the recordkeeping system. CC ID 16181	Records management	Preventive
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records management	Preventive
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records management	Preventive
Log records as being received into the recordkeeping system. CC ID 11696	Records management	Preventive
Establish, implement, and maintain a transfer journal. CC ID 11729	Records management	Preventive
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records management	Preventive
Note in electronic records converted from printed records, the location of the original. CC ID 11809	Records management	Preventive
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965	Records management	Preventive
Compare each record's data input to its final form. CC ID 11813	Records management	Detective
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Records management	Detective
Establish and maintain access controls for all records. CC ID 00371	Records management	Preventive
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953	Records management	Preventive
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954	Records management	Preventive
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932	Records management	Preventive
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943	Records management	Preventive
Establish and maintain an error suspense file for rejected transactions. CC ID 06623	Records management	Preventive
Review and approve output exceptions. CC ID 06625	Records management	Preventive
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Preventive

Systems Continuity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258	Operational and Systems Continuity	Preventive
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Preventive
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Preventive

Systems Design, Build, and Implementation

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695	Operational management	Preventive
Validate the system before implementing approved changes. CC ID 01510	Operational management	Preventive
Establish, implement, and maintain traceability documentation. CC ID 16388	Operational management	Preventive
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems design, build, and implementation	Preventive
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Systems design, build, and implementation	Preventive
Initiate the System Development Life Cycle implementation phase. CC ID 06268	Systems design, build, and implementation	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Identify cybersecurity events in event logs and audit logs. CC ID 13206	Monitoring and measurement	Detective
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Preventive
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Preventive
Evaluate the information technology products used for metrics. CC ID 11644	Monitoring and measurement	Detective
Identify information system users. CC ID 12081	Technical security	Detective
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]	Technical security	Detective
Control access rights to organizational assets. CC ID 00004	Technical security	Preventive
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Technical security	Preventive
Assign user permissions based on job responsibilities. CC ID 00538	Technical security	Preventive
Assign user privileges after they have management sign off. CC ID 00542	Technical security	Preventive
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Technical security	Preventive
Review and approve logical access to all assets based upon organizational policies. CC ID 06641	Technical security	Preventive
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515	Technical security	Preventive
Automate access control methods, as necessary. CC ID 11838	Technical security	Preventive
Automate Access Control Systems, as necessary. CC ID 06854	Technical security	Preventive
Refrain from storing logon credentials for third party applications. CC ID 13690	Technical security	Preventive
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048	Technical security	Preventive
Remove inactive user accounts, as necessary. CC ID 00517	Technical security	Corrective
Remove temporary user accounts, as necessary. CC ID 11839	Technical security	Corrective
Enforce the password policy. CC ID 16347	Technical security	Preventive
Enforce usage restrictions for superuser accounts. CC ID 07064	Technical security	Preventive
Implement out-of-band authentication, as necessary. CC ID 10606	Technical security	Corrective
Identify and control all network access controls. CC ID 00529	Technical security	Preventive
Segregate systems in accordance with organizational standards. CC ID 12546	Technical security	Preventive
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533	Technical security	Preventive
Control all methods of remote access and teleworking. CC ID 00559	Technical security	Preventive
Implement phishing-resistant multifactor authentication techniques. CC ID 16541	Technical security	Preventive
Install and maintain container security solutions. CC ID 16178	Technical security	Preventive
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]	Human Resources management	Corrective
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960	Human Resources management	Preventive
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Preventive
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054	Operational management	Preventive
Link the authentication system to the asset inventory. CC ID 13718	Operational management	Preventive
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110	Operational management	Detective
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Corrective
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Corrective
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Corrective
Integrate configuration management procedures into the change control program. CC ID 13646	Operational management	Preventive
Implement patch management software, as necessary. CC ID 12094	Operational management	Preventive
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Operational management	Preventive
Review the patch log for missing patches. CC ID 13186	Operational management	Detective
Patch software. CC ID 11825	Operational management	Corrective
Patch the operating system, as necessary. CC ID 11824	Operational management	Corrective
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Operational management	Detective
Validate transactions using identifiers and credentials. CC ID 13203	Records management	Preventive
Establish, implement, and maintain electronic storage media security controls. CC ID 13204	Records management	Preventive
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957	Records management	Preventive
Implement and maintain high availability storage, as necessary. CC ID 00952	Records management	Preventive
Establish, implement, and maintain online storage controls. CC ID 00942	Records management	Preventive
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Preventive
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Preventive
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Preventive
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Preventive
Implement security measures to protect personal data. CC ID 13606	Privacy protection for information and data	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427	Monitoring and measurement	Preventive
Evaluate the measurement process used for metrics. CC ID 06920	Monitoring and measurement	Detective
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330	Physical and environmental protection	Preventive
Implement operational requirements for card readers. CC ID 02225	Physical and environmental protection	Preventive
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]	Human Resources management	Detective
Perform a drug test during personnel screening. CC ID 06648	Human Resources management	Preventive
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]	Human Resources management	Detective
Open a priority incident request after a security breach is detected. CC ID 04838	Operational management	Corrective
Activate the incident response notification procedures after a security breach is detected. CC ID 04839	Operational management	Corrective
Test proposed changes prior to their approval. CC ID 00548	Operational management	Detective
Perform risk assessments prior to approving change requests. CC ID 00888	Operational management	Preventive
Perform a patch test prior to deploying a patch. CC ID 00898	Operational management	Detective
Test software patches for any potential compromise of the system's security. CC ID 13175	Operational management	Detective
Review changes to computer firmware. CC ID 12226	Operational management	Detective
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Operational management	Detective
Test the system's operational functionality after implementing approved changes. CC ID 06294	Operational management	Detective
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Operational management	Detective
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Records management	Detective
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944	Records management	Detective
Test the storage media downgrade for correct performance. CC ID 10623	Records management	Detective
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627	Records management	Detective
Implement security controls in development endpoints. CC ID 16389	Systems design, build, and implementation	Preventive
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]	Systems design, build, and implementation	Detective
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Acquisition or sale of facilities, technology, and services	Detective
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741	Acquisition or sale of facilities, technology, and services	Detective
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742	Acquisition or sale of facilities, technology, and services	Detective
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743	Acquisition or sale of facilities, technology, and services	Detective
Test new software or upgraded software for security vulnerabilities. CC ID 01898	Acquisition or sale of facilities, technology, and services	Detective
Test new software or upgraded software for compatibility with the current system. CC ID 11654	Acquisition or sale of facilities, technology, and services	Detective
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655	Acquisition or sale of facilities, technology, and services	Detective
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899	Acquisition or sale of facilities, technology, and services	Detective
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744	Acquisition or sale of facilities, technology, and services	Detective
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Detective
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Preventive
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Detective
Perform risk assessments of third parties, as necessary. CC ID 06454	Third Party and supply chain oversight	Detective

Training

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include media protection in the security awareness program. CC ID 16368	Human Resources management	Preventive
Include physical security in the security awareness program. CC ID 16369	Human Resources management	Preventive
Include updates on emerging issues in the security awareness program. CC ID 13184	Human Resources management	Preventive
Include cybersecurity in the security awareness program. CC ID 13183	Human Resources management	Preventive
Include implications of non-compliance in the security awareness program. CC ID 16425	Human Resources management	Preventive
Include the acceptable use policy in the security awareness program. CC ID 15487	Human Resources management	Preventive
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475	Human Resources management	Preventive

Common Controls and
mandates by Classification 86 Mandated Controls - bold
109 Implied Controls - italic 735 Implementation

Number of Controls

930 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Establish/Maintain Documentation
Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774	Monitoring and measurement	Establish/Maintain Documentation
Eliminate false positives in event logs and audit logs. CC ID 07047	Monitoring and measurement	Log Management
Follow up exceptions and anomalies identified when reviewing logs. CC ID 11925	Monitoring and measurement	Investigate
Identify and communicate improvements in metrics reporting. CC ID 06921	Monitoring and measurement	Establish/Maintain Documentation
Remove inactive user accounts, as necessary. CC ID 00517	Technical security	Technical Security
Remove temporary user accounts, as necessary. CC ID 11839	Technical security	Technical Security
Implement out-of-band authentication, as necessary. CC ID 10606	Technical security	Technical Security
Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123	Technical security	Communicate
Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463	Physical and environmental protection	Physical and Environmental Protection
Document all lost badges in a lost badge list. CC ID 12448	Physical and environmental protection	Establish/Maintain Documentation
Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 [All organizations that process personal health information shall, as soon as possible, terminate the user access privileges with respect to such information for any departing permanent or temporary employee, third-party contractor or volunteer upon termination of employment, contracting, or volunteer activities. § 9.2.6 Health-specific control]	Human Resources management	Technical Security
Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Human Resources management	Behavior
Update operating procedures that contribute to user errors. CC ID 06935	Operational management	Establish/Maintain Documentation
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 [Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. § 7.2.2 Health-specific control ¶ 2]	Operational management	Process or Activity
Identify discrepancies between the asset register database and the Information Technology inventory, as necessary. CC ID 07052	Operational management	Monitor and Evaluate Occurrences
Investigate and resolve discrepancies between the asset register database and the Information Technology inventory. CC ID 07053	Operational management	Monitor and Evaluate Occurrences
Contain the incident to prevent further loss. CC ID 01751	Operational management	Process or Activity
Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Operational management	Log Management
Establish, implement, and maintain temporary and emergency access authorization procedures. CC ID 00858	Operational management	Establish/Maintain Documentation
Open a priority incident request after a security breach is detected. CC ID 04838	Operational management	Testing
Activate the incident response notification procedures after a security breach is detected. CC ID 04839	Operational management	Testing
Notify interested personnel and affected parties that a security breach was detected. CC ID 11788	Operational management	Communicate
Respond when an integrity violation is detected, as necessary. CC ID 10678	Operational management	Technical Security
Shut down systems when an integrity violation is detected, as necessary. CC ID 10679	Operational management	Technical Security
Restart systems when an integrity violation is detected, as necessary. CC ID 10680	Operational management	Technical Security
Approve back-out plans, as necessary. CC ID 13627	Operational management	Establish/Maintain Documentation
Deploy software patches in accordance with organizational standards. CC ID 07032	Operational management	Configuration
Patch software. CC ID 11825	Operational management	Technical Security
Patch the operating system, as necessary. CC ID 11824	Operational management	Technical Security
Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174	Operational management	Configuration
Remove outdated software after software has been updated. CC ID 11792	Operational management	Configuration
Update computer firmware, as necessary. CC ID 11755	Operational management	Configuration
Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671	Operational management	Configuration
Mitigate the adverse effects of unauthorized changes. CC ID 12244	Operational management	Business Processes
Establish, implement, and maintain a change acceptance testing log. CC ID 06392	Operational management	Establish/Maintain Documentation
Document approved configuration deviations. CC ID 08711	Operational management	Establish/Maintain Documentation
Remove non-public information from publicly accessible systems. CC ID 14246	Records management	Data and Information Management
Downgrade electronic storage media, as necessary. CC ID 10621	Records management	Process or Activity
Approve implementation plans, as necessary. CC ID 13628	Systems design, build, and implementation	Establish/Maintain Documentation
Correct defective acquired goods or services. CC ID 06911	Acquisition or sale of facilities, technology, and services	Acquisition/Sale of Assets or Services
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 [Organizations should inform the subject of care whenever lack of availability of health information systems may have adversely affected their care. § 16.1.2 Health-specific controls ¶ 4]	Privacy protection for information and data	Communicate
Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 [Organizations should inform the subject of care whenever personal health information has been unintentionally disclosed. § 16.1.2 Health-specific controls ¶ 3]	Privacy protection for information and data	Communicate
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875	Privacy protection for information and data	Monitor and Evaluate Occurrences
Take appropriate action when a data leakage is discovered. CC ID 14716	Privacy protection for information and data	Process or Activity
Change or destroy any personal data that is incorrect. CC ID 00462 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Privacy protection for information and data	Data and Information Management
Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463	Privacy protection for information and data	Behavior
Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465	Privacy protection for information and data	Data and Information Management

Detective

115

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational policies, as necessary. CC ID 14037	Leadership and high level objectives	Establish/Maintain Documentation
Map in scope assets and in scope records to external requirements. CC ID 12189	Leadership and high level objectives	Establish/Maintain Documentation
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Leadership and high level objectives	Establish/Maintain Documentation
Include all compliance exceptions in the compliance exception standard. CC ID 01630	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain logging and monitoring operations. CC ID 00637	Monitoring and measurement	Log Management
Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638	Monitoring and measurement	Log Management
Establish, implement, and maintain event logging procedures. CC ID 01335	Monitoring and measurement	Log Management
Review and update event logs and audit logs, as necessary. CC ID 00596	Monitoring and measurement	Log Management
Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207	Monitoring and measurement	Log Management
Identify cybersecurity events in event logs and audit logs. CC ID 13206	Monitoring and measurement	Technical Security
Evaluate the measurement process used for metrics. CC ID 06920	Monitoring and measurement	Testing
Evaluate the information technology products used for metrics. CC ID 11644	Monitoring and measurement	Technical Security
Assess the potential level of business impact risk associated with each business process. CC ID 06463	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with the business environment. CC ID 06464	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465	Audits and risk management	Audits and Risk Management
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Investigate
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with external entities. CC ID 06469	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Audits and risk management	Actionable Reports or Measurements
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and risk management	Audits and Risk Management
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704	Audits and risk management	Establish/Maintain Documentation
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Audits and risk management	Process or Activity
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Audits and risk management	Process or Activity
Identify information system users. CC ID 12081	Technical security	Technical Security
Review user accounts. CC ID 00525 [User registration details shall be periodically reviewed to ensure that they are complete, accurate and that access is still required. § 9.2.1 Health-specific control ¶ 2]	Technical security	Technical Security
Match user accounts to authorized parties. CC ID 12126	Technical security	Configuration
Notify interested personnel when user accounts are added or deleted. CC ID 14327	Technical security	Communicate
Secure physical entry points with physical access controls or security guards. CC ID 01640	Physical and environmental protection	Physical and Environmental Protection
Lock all lockable equipment cabinets. CC ID 11673	Physical and environmental protection	Physical and Environmental Protection
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [When an individual is hired for a specific information security role, organizations should make sure the candidate: has the necessary competence to perform the security role; § 7.1.1 Health-specific controls ¶ 3(a)]	Human Resources management	Testing
Perform security skills assessments for all critical employees. CC ID 12102 [When an individual is hired for a specific information security role, organizations should make sure the candidate: can be trusted to take the role, especially if the role is critical for the organization. § 7.1.1 Health-specific controls ¶ 3(b)]	Human Resources management	Human Resources Management
Perform a background check during personnel screening. CC ID 11758	Human Resources management	Human Resources Management
Document the personnel risk assessment results. CC ID 11764	Human Resources management	Establish/Maintain Documentation
Perform periodic background checks on designated roles, as necessary. CC ID 11759	Human Resources management	Human Resources Management
Document the security clearance procedure results. CC ID 01635	Human Resources management	Establish/Maintain Documentation
Document and communicate role descriptions to all applicable personnel. CC ID 00776 [In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1 In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security policy, should also be documented in relevant job descriptions. § 7.1.2 Health-specific control ¶ 1]	Human Resources management	Establish Roles
Implement segregation of duties in roles and responsibilities. CC ID 00774 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. § 6.1.2 Health-specific control]	Human Resources management	Testing
Monitor and measure the effectiveness of security awareness. CC ID 06262	Human Resources management	Monitor and Evaluate Occurrences
Review and approve access controls, as necessary. CC ID 13074	Operational management	Process or Activity
Perform social network analysis, as necessary. CC ID 14864	Operational management	Investigate
Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962	Operational management	Establish/Maintain Documentation
Employ Dynamic Host Configuration Protocol server logging to detect systems not in the asset inventory. CC ID 12110	Operational management	Technical Security
Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program. CC ID 11886	Operational management	Investigate
Establish, implement, and maintain incident response procedures. CC ID 01206 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure effective and timely response to security incidents; § 16.1.2 Health-specific controls ¶ 1(a)]	Operational management	Establish/Maintain Documentation
Test proposed changes prior to their approval. CC ID 00548	Operational management	Testing
Examine all changes to ensure they correspond with the change request. CC ID 12345	Operational management	Business Processes
Conduct network certifications prior to approving change requests for networks. CC ID 13121	Operational management	Process or Activity
Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126	Operational management	Investigate
Collect data about the network environment when certifying the network. CC ID 13125	Operational management	Investigate
Review the patch log for missing patches. CC ID 13186	Operational management	Technical Security
Perform a patch test prior to deploying a patch. CC ID 00898	Operational management	Testing
Test software patches for any potential compromise of the system's security. CC ID 13175	Operational management	Testing
Review changes to computer firmware. CC ID 12226	Operational management	Testing
Certify changes to computer firmware are free of malicious logic. CC ID 12227	Operational management	Testing
Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682	Operational management	Technical Security
Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391	Operational management	Establish/Maintain Documentation
Test the system's operational functionality after implementing approved changes. CC ID 06294	Operational management	Testing
Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541	Operational management	Testing
Establish, implement, and maintain a configuration change log. CC ID 08710	Operational management	Configuration
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Establish/Maintain Documentation
Establish, implement, and maintain a data retention program. CC ID 00906	Records management	Establish/Maintain Documentation
Maintain continued integrity for all stored data and stored records. CC ID 00969 [The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Records management	Testing
Review the information that the organization collects, processes, and stores, as necessary. CC ID 12988	Records management	Business Processes
Establish, implement, and maintain source document authorization tracking. CC ID 01262	Records management	Records Management
Review the information classification of the information that the organization collects, processes, and stores, as necessary. CC ID 13008	Records management	Process or Activity
Review the electronic storage media for the information the organization collects and processes. CC ID 13009 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Process or Activity
Establish, implement, and maintain source document error handling tracking. CC ID 01263	Records management	Records Management
Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920	Records management	Monitor and Evaluate Occurrences
Validate transactions against master files of third parties and clients, as necessary. CC ID 06552	Records management	Records Management
Establish, implement, and maintain data accuracy controls. CC ID 00921	Records management	Monitor and Evaluate Occurrences
Capture the records required by organizational compliance requirements. CC ID 00912	Records management	Records Management
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555	Records management	Data and Information Management
Identify patient-specific education resources. CC ID 14439	Records management	Process or Activity
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720	Records management	Data and Information Management
Control error handling when data is being inputted. CC ID 00922	Records management	Data and Information Management
Compare each record's data input to its final form. CC ID 11813	Records management	Records Management
Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Records management	Records Management
Establish, implement, and maintain online storage monitoring and reporting capabilities. CC ID 00935	Records management	Monitor and Evaluate Occurrences
Store records on non-rewritable, non-erasable storage media formats, as necessary. CC ID 00944	Records management	Testing
Provide audit trails for all pertinent records. CC ID 00372	Records management	Establish/Maintain Documentation
Identify electronic storage media that require downgrading. CC ID 10620	Records management	Process or Activity
Test the storage media downgrade for correct performance. CC ID 10623	Records management	Testing
Establish, implement, and maintain output balancing audit trails. CC ID 00928	Records management	Establish/Maintain Documentation
Establish, implement, and maintain output review and error handling checks with end users. CC ID 00929	Records management	Establish/Maintain Documentation
Perform regularly scheduled quality and integrity control reviews of output of records. CC ID 06627	Records management	Testing
Evaluate and determine whether or not the newly developed system meets users' system design requirements. CC ID 01120 [Clinical users should be involved in the testing of clinically relevant system features. § 14.2.9 Health-specific control ¶ 2]	Systems design, build, and implementation	Testing
Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Acquisition or sale of facilities, technology, and services	Testing
Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741	Acquisition or sale of facilities, technology, and services	Testing
Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742	Acquisition or sale of facilities, technology, and services	Testing
Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743	Acquisition or sale of facilities, technology, and services	Testing
Test new software or upgraded software for security vulnerabilities. CC ID 01898	Acquisition or sale of facilities, technology, and services	Testing
Test new software or upgraded software for compatibility with the current system. CC ID 11654	Acquisition or sale of facilities, technology, and services	Testing
Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655	Acquisition or sale of facilities, technology, and services	Testing
Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899	Acquisition or sale of facilities, technology, and services	Testing
Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744	Acquisition or sale of facilities, technology, and services	Testing
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757	Privacy protection for information and data	Testing
Conduct personal data risk assessments. CC ID 00357	Privacy protection for information and data	Testing
Establish, implement, and maintain suspicious document procedures. CC ID 04852	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853	Privacy protection for information and data	Data and Information Management
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854	Privacy protection for information and data	Monitor and Evaluate Occurrences
Perform an identity check prior to approving an account change request. CC ID 13670	Privacy protection for information and data	Investigate
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857	Privacy protection for information and data	Behavior
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873	Privacy protection for information and data	Data and Information Management
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874	Privacy protection for information and data	Log Management
Log dates for account name changes or address changes. CC ID 04876	Privacy protection for information and data	Log Management
Review accounts that are changed for additional user requests. CC ID 11846	Privacy protection for information and data	Monitor and Evaluate Occurrences
Send change notices for change of address requests to the old address and the new address. CC ID 04877	Privacy protection for information and data	Data and Information Management
Search the Internet for evidence of data leakage. CC ID 10419	Privacy protection for information and data	Process or Activity
Review monitored websites for data leakage. CC ID 10593	Privacy protection for information and data	Monitor and Evaluate Occurrences
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794	Third Party and supply chain oversight	Process or Activity
Perform risk assessments of third parties, as necessary. CC ID 06454	Third Party and supply chain oversight	Testing

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Technical security CC ID 00508	Technical security	IT Impact Zone
Physical and environmental protection CC ID 00709	Physical and environmental protection	IT Impact Zone
Operational and Systems Continuity CC ID 00731	Operational and Systems Continuity	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
System hardening through configuration management CC ID 00860	System hardening through configuration management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone
Systems design, build, and implementation CC ID 00989	Systems design, build, and implementation	IT Impact Zone
Acquisition or sale of facilities, technology, and services CC ID 01123	Acquisition or sale of facilities, technology, and services	IT Impact Zone
Privacy protection for information and data CC ID 00008	Privacy protection for information and data	IT Impact Zone
Third Party and supply chain oversight CC ID 08807	Third Party and supply chain oversight	IT Impact Zone

Preventive

752

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Monitor and Evaluate Occurrences
Establish, implement, and maintain an information classification standard. CC ID 00601 [{confidential information} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. § 8.2.1 Health-specific control]	Leadership and high level objectives	Establish/Maintain Documentation
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787	Leadership and high level objectives	Data and Information Management
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786	Leadership and high level objectives	Data and Information Management
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785	Leadership and high level objectives	Data and Information Management
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784	Leadership and high level objectives	Data and Information Management
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997	Leadership and high level objectives	Data and Information Management
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783	Leadership and high level objectives	Data and Information Management
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996	Leadership and high level objectives	Data and Information Management
Classify the value of information in the information classification standard. CC ID 11995	Leadership and high level objectives	Data and Information Management
Classify the legal requirements of information in the information classification standard. CC ID 11994	Leadership and high level objectives	Data and Information Management
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. § 6.1.1 Health-specific control ¶ 4]	Leadership and high level objectives	Establish/Maintain Documentation
Define the scope of the security policy. CC ID 07145	Leadership and high level objectives	Data and Information Management
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688	Leadership and high level objectives	Business Processes
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608	Leadership and high level objectives	Establish/Maintain Documentation
Correlate Information Systems with applicable controls. CC ID 01621	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Include the effective date on all organizational policies. CC ID 06820	Leadership and high level objectives	Establish/Maintain Documentation
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956	Leadership and high level objectives	Establish/Maintain Documentation
Include threats in the organization’s policies, standards, and procedures. CC ID 12953	Leadership and high level objectives	Establish/Maintain Documentation
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824	Leadership and high level objectives	Business Processes
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain an Authority Document list. CC ID 07113	Leadership and high level objectives	Establish/Maintain Documentation
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Communicate
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Leadership and high level objectives	Establish/Maintain Documentation
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Leadership and high level objectives	Establish/Maintain Documentation
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Leadership and high level objectives	Establish/Maintain Documentation
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Establish/Maintain Documentation
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Leadership and high level objectives	Establish/Maintain Documentation
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Establish/Maintain Documentation
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Leadership and high level objectives	Establish/Maintain Documentation
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Establish/Maintain Documentation
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Establish/Maintain Documentation
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Leadership and high level objectives	Establish Roles
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Establish/Maintain Documentation
Align the Authority Document list with external requirements. CC ID 06288	Leadership and high level objectives	Establish/Maintain Documentation
Assign the appropriate roles to all applicable compliance documents. CC ID 06284	Leadership and high level objectives	Establish Roles
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Leadership and high level objectives	Establish/Maintain Documentation
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329	Leadership and high level objectives	Establish/Maintain Documentation
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631	Leadership and high level objectives	Establish/Maintain Documentation
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632	Leadership and high level objectives	Business Processes
Include when exemptions expire in the compliance exception standard. CC ID 14330	Leadership and high level objectives	Establish/Maintain Documentation
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443	Leadership and high level objectives	Establish Roles
Include management of the exemption register in the compliance exception standard. CC ID 14328	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282	Leadership and high level objectives	Behavior
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283	Leadership and high level objectives	Behavior
Estimate the costs of implementing the compliance framework. CC ID 07191	Leadership and high level objectives	Business Processes
Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to collect and preserve incident-related audit logs and other relevant evidence. § 16.1.2 Health-specific controls ¶ 1(c)]	Monitoring and measurement	Log Management
Protect the event logs from failure. CC ID 06290	Monitoring and measurement	Log Management
Overwrite the oldest records when audit logging fails. CC ID 14308	Monitoring and measurement	Data and Information Management
Supply each in scope asset with audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427	Monitoring and measurement	Testing
Include identity information of suspects in the suspicious activity report. CC ID 16648	Monitoring and measurement	Establish/Maintain Documentation
Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424	Monitoring and measurement	Audits and Risk Management
Reproduce the event log if a log failure is captured. CC ID 01426	Monitoring and measurement	Log Management
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a log management program. CC ID 00673	Monitoring and measurement	Establish/Maintain Documentation
Restrict access to audit trails to a need to know basis. CC ID 11641 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Technical Security
Protect logs from unauthorized activity. CC ID 01345 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control {use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Log Management
Preserve the identity of individuals in audit trails. CC ID 10594 [Health information systems processing personal health information: shall ensure that each subject of care can be uniquely identified within the system; § 14.1.1.1 Health-specific control ¶ 1(a)]	Monitoring and measurement	Log Management
Protect against misusing automated audit tools. CC ID 04547 [{use}{anti-tamper technology} Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. § 12.4.2 Health-specific control]	Monitoring and measurement	Technical Security
Establish, implement, and maintain a risk management program. CC ID 12051	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686	Audits and risk management	Audits and Risk Management
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Healthcare project management should consider patient safety as a project risk in any project involving the processing of personal health information. § 6.1.5 Health-specific control]	Audits and risk management	Audits and Risk Management
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703	Audits and risk management	Audits and Risk Management
Identify the material risks in the risk assessment report. CC ID 06482	Audits and risk management	Audits and Risk Management
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706	Audits and risk management	Establish/Maintain Documentation
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Audits and risk management	Investigate
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Audits and risk management	Behavior
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Audits and risk management	Audits and Risk Management
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and risk management	Audits and Risk Management
Establish, implement, and maintain an access control program. CC ID 11702	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain access control policies. CC ID 00512 [Organizations processing personal health information shall have an access control policy governing access to these data. § 9.1.1 Health-specific control ¶ 2 {external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4 The organization's policy on access control should be established on the basis of predefined roles with associated authorities which are consistent with, but limited to, the needs of that role. § 9.1.1 Health-specific control ¶ 3]	Technical security	Establish/Maintain Documentation
Include compliance requirements in the access control policy. CC ID 14006	Technical security	Establish/Maintain Documentation
Include coordination amongst entities in the access control policy. CC ID 14005	Technical security	Establish/Maintain Documentation
Include management commitment in the access control policy. CC ID 14004	Technical security	Establish/Maintain Documentation
Include roles and responsibilities in the access control policy. CC ID 14003	Technical security	Establish/Maintain Documentation
Include the scope in the access control policy. CC ID 14002	Technical security	Establish/Maintain Documentation
Include the purpose in the access control policy. CC ID 14001	Technical security	Establish/Maintain Documentation
Document the business need justification for user accounts. CC ID 15490	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an instant messaging and chat system usage policy. CC ID 11815	Technical security	Establish/Maintain Documentation
Disseminate and communicate the access control policies to all interested personnel and affected parties. CC ID 10061	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain an access rights management plan. CC ID 00513	Technical security	Establish/Maintain Documentation
Control access rights to organizational assets. CC ID 00004	Technical security	Technical Security
Establish access rights based on least privilege. CC ID 01411 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Technical security	Technical Security
Assign user permissions based on job responsibilities. CC ID 00538	Technical security	Technical Security
Assign user privileges after they have management sign off. CC ID 00542	Technical security	Technical Security
Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767	Technical security	Configuration
Assign Information System access authorizations if implementing segregation of duties. CC ID 06323	Technical security	Establish Roles
Enforce access restrictions for restricted data. CC ID 01921 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: § 9.1.1 Health-specific control ¶ 1]	Technical security	Data and Information Management
Establish, implement, and maintain User Access Management procedures. CC ID 00514 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Technical security	Technical Security
Establish, implement, and maintain an authority for access authorization list. CC ID 06782	Technical security	Establish/Maintain Documentation
Review and approve logical access to all assets based upon organizational policies. CC ID 06641	Technical security	Technical Security
Control the addition and modification of user identifiers, user credentials, or other authenticators. CC ID 00515	Technical security	Technical Security
Assign roles and responsibilities for administering user account management. CC ID 11900	Technical security	Human Resources Management
Automate access control methods, as necessary. CC ID 11838	Technical security	Technical Security
Automate Access Control Systems, as necessary. CC ID 06854	Technical security	Technical Security
Refrain from storing logon credentials for third party applications. CC ID 13690	Technical security	Technical Security
Refrain from allowing user access to identifiers and authenticators used by applications. CC ID 10048	Technical security	Technical Security
Establish, implement, and maintain a password policy. CC ID 16346	Technical security	Establish/Maintain Documentation
Enforce the password policy. CC ID 16347	Technical security	Technical Security
Disseminate and communicate the password policies and password procedures to all users who have access to restricted data or restricted information. CC ID 00518	Technical security	Establish/Maintain Documentation
Limit superuser accounts to designated System Administrators. CC ID 06766	Technical security	Configuration
Enforce usage restrictions for superuser accounts. CC ID 07064	Technical security	Technical Security
Establish, implement, and maintain access control procedures. CC ID 11663 [Access to health information systems that process personal health information shall be subject to a formal user registration process. User registration procedures shall ensure that the level of authentication required of claimed user identity is consistent with the level(s) of access that will become available to the user. § 9.2.1 Health-specific control ¶ 1]	Technical security	Establish/Maintain Documentation
Grant access to authorized personnel or systems. CC ID 12186	Technical security	Configuration
Document approving and granting access in the access control log. CC ID 06786	Technical security	Establish/Maintain Documentation
Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442	Technical security	Communicate
Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171	Technical security	Establish/Maintain Documentation
Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406	Technical security	Establish/Maintain Documentation
Include the date and time that access was reviewed in the system record. CC ID 16416	Technical security	Data and Information Management
Include the date and time that access rights were changed in the system record. CC ID 16415	Technical security	Establish/Maintain Documentation
Identify and control all network access controls. CC ID 00529	Technical security	Technical Security
Establish, implement, and maintain a Boundary Defense program. CC ID 00544	Technical security	Establish/Maintain Documentation
Segregate systems in accordance with organizational standards. CC ID 12546	Technical security	Technical Security
Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533	Technical security	Technical Security
Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 [{processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2 {processing architecture} Access to information and application system functions related to the processing personal health information should be isolated from (and separate to) access to information processing infrastructure that is unrelated to the processing of personal health information. § 9.4.1 Health-specific control ¶ 2]	Technical security	Data and Information Management
Enforce information flow control. CC ID 11781	Technical security	Monitor and Evaluate Occurrences
Establish, implement, and maintain information flow control configuration standards. CC ID 01924	Technical security	Establish/Maintain Documentation
Constrain the information flow of restricted data or restricted information. CC ID 06763	Technical security	Data and Information Management
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when there is a need for specific data to support this activity. § 9.1.1 Health-specific control ¶ 1(c)]	Technical security	Data and Information Management
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain information flow procedures. CC ID 04542 [{external requirements} The access control policy, as a component of the information security policy framework described in 5.1.1, shall reflect professional, ethical, legal and subject-of-care-related requirements and should take account of the tasks performed by health professionals and the task's workflow. § 9.1.1 Health-specific control ¶ 4]	Technical security	Establish/Maintain Documentation
Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242	Technical security	Data and Information Management
Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243	Technical security	Data and Information Management
Control all methods of remote access and teleworking. CC ID 00559	Technical security	Technical Security
Implement multifactor authentication techniques. CC ID 00561 [{multifactor authentication} Health information systems processing personal health information shall authenticate users and should do so by means of authentication involving at least two factors. § 9.4.1 Health-specific control ¶ 1]	Technical security	Configuration
Implement phishing-resistant multifactor authentication techniques. CC ID 16541	Technical security	Technical Security
Document and approve requests to bypass multifactor authentication. CC ID 15464	Technical security	Establish/Maintain Documentation
Establish, implement, and maintain a malicious code protection program. CC ID 00574	Technical security	Establish/Maintain Documentation
Install security and protection software, as necessary. CC ID 00575 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Technical security	Configuration
Install and maintain container security solutions. CC ID 16178	Technical security	Technical Security
Establish, implement, and maintain a physical security program. CC ID 11757	Physical and environmental protection	Establish/Maintain Documentation
Establish, implement, and maintain a facility physical security program. CC ID 00711	Physical and environmental protection	Establish/Maintain Documentation
Identify and document physical access controls for all physical entry points. CC ID 01637	Physical and environmental protection	Establish/Maintain Documentation
Control physical access to (and within) the facility. CC ID 01329 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain physical access procedures. CC ID 13629	Physical and environmental protection	Establish/Maintain Documentation
Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419	Physical and environmental protection	Physical and Environmental Protection
Configure the access control system to grant access only during authorized working hours. CC ID 12325	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain a visitor access permission policy. CC ID 06699	Physical and environmental protection	Establish/Maintain Documentation
Escort visitors within the facility, as necessary. CC ID 06417	Physical and environmental protection	Establish/Maintain Documentation
Check the visitor's stated identity against a provided government issued identification. CC ID 06701	Physical and environmental protection	Physical and Environmental Protection
Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330	Physical and environmental protection	Testing
Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702	Physical and environmental protection	Behavior
Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048	Physical and environmental protection	Establish/Maintain Documentation
Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436	Physical and environmental protection	Establish/Maintain Documentation
Authorize physical access to sensitive areas based on job functions. CC ID 12462	Physical and environmental protection	Establish/Maintain Documentation
Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747	Physical and environmental protection	Monitor and Evaluate Occurrences
Establish, implement, and maintain physical identification procedures. CC ID 00713	Physical and environmental protection	Establish/Maintain Documentation
Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030	Physical and environmental protection	Human Resources Management
Implement physical identification processes. CC ID 13715	Physical and environmental protection	Process or Activity
Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717	Physical and environmental protection	Process or Activity
Issue photo identification badges to all employees. CC ID 12326	Physical and environmental protection	Physical and Environmental Protection
Implement operational requirements for card readers. CC ID 02225	Physical and environmental protection	Testing
Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819	Physical and environmental protection	Establish/Maintain Documentation
Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334	Physical and environmental protection	Physical and Environmental Protection
Manage constituent identification inside the facility. CC ID 02215	Physical and environmental protection	Behavior
Direct each employee to be responsible for their identification card or badge. CC ID 12332	Physical and environmental protection	Human Resources Management
Manage visitor identification inside the facility. CC ID 11670	Physical and environmental protection	Physical and Environmental Protection
Issue visitor identification badges to all non-employees. CC ID 00543	Physical and environmental protection	Behavior
Secure unissued visitor identification badges. CC ID 06712	Physical and environmental protection	Physical and Environmental Protection
Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331	Physical and environmental protection	Behavior
Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598	Physical and environmental protection	Establish/Maintain Documentation
Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714	Physical and environmental protection	Process or Activity
Include error handling controls in identification issuance procedures. CC ID 13709	Physical and environmental protection	Establish/Maintain Documentation
Include an appeal process in the identification issuance procedures. CC ID 15428	Physical and environmental protection	Business Processes
Include information security in the identification issuance procedures. CC ID 15425	Physical and environmental protection	Establish/Maintain Documentation
Include identity proofing processes in the identification issuance procedures. CC ID 06597	Physical and environmental protection	Process or Activity
Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426	Physical and environmental protection	Establish/Maintain Documentation
Include an identity registration process in the identification issuance procedures. CC ID 11671	Physical and environmental protection	Establish/Maintain Documentation
Restrict access to the badge system to authorized personnel. CC ID 12043	Physical and environmental protection	Physical and Environmental Protection
Enforce dual control for badge assignments. CC ID 12328	Physical and environmental protection	Physical and Environmental Protection
Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327	Physical and environmental protection	Physical and Environmental Protection
Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599	Physical and environmental protection	Establish/Maintain Documentation
Assign employees the responsibility for controlling their identification badges. CC ID 12333	Physical and environmental protection	Human Resources Management
Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596	Physical and environmental protection	Establish/Maintain Documentation
Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306	Physical and environmental protection	Establish/Maintain Documentation
Prevent tailgating through physical entry points. CC ID 06685	Physical and environmental protection	Physical and Environmental Protection
Implement physical security standards for mainframe rooms or data centers. CC ID 00749 [Organizations processing personal health information should use security perimeters to protect areas that contain information processing facilities supporting such health applications. These secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. § 11.1.1 Health-specific control]	Physical and environmental protection	Physical and Environmental Protection
Establish and maintain equipment security cages in a shared space environment. CC ID 06711	Physical and environmental protection	Physical and Environmental Protection
Secure systems in lockable equipment cabinets, as necessary. CC ID 06716	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718	Physical and environmental protection	Physical and Environmental Protection
Protect distributed assets against theft. CC ID 06799	Physical and environmental protection	Physical and Environmental Protection
Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540	Physical and environmental protection	Establish/Maintain Documentation
Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 [In addition to implementing the control given by ISO/IEC 27002, organizations providing or using equipment, data or software to support a healthcare application containing personal health information shall not allow such equipment, data, or software to be removed from the site or relocated within it without authorization by the organization. § 11.2.5 Health-specific control]	Physical and environmental protection	Process or Activity
Establish, implement, and maintain asset return procedures. CC ID 04537	Physical and environmental protection	Establish/Maintain Documentation
Require the return of all assets upon notification an individual is terminated. CC ID 06679 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control]	Physical and environmental protection	Behavior
Establish, implement, and maintain a business continuity program. CC ID 13210	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain system continuity plan strategies. CC ID 00735	Operational and Systems Continuity	Establish/Maintain Documentation
Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250	Operational and Systems Continuity	Establish/Maintain Documentation
Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258	Operational and Systems Continuity	Systems Continuity
Establish and maintain off-site electronic media storage facilities. CC ID 00957	Operational and Systems Continuity	Physical and Environmental Protection
Store backup media at an off-site electronic media storage facility. CC ID 01332 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Data and Information Management
Transport backup media in lockable electronic media storage containers. CC ID 01264	Operational and Systems Continuity	Data and Information Management
Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257	Operational and Systems Continuity	Data and Information Management
Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Systems Continuity
Perform backup procedures for in scope systems. CC ID 11692	Operational and Systems Continuity	Process or Activity
Back up all records. CC ID 11974 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information shall back up all personal health information and store it in a physically secure environment to ensure its future availability. § 12.3.1 Health-specific control ¶ 1]	Operational and Systems Continuity	Systems Continuity
Encrypt backup data. CC ID 00958 [To protect its confidentiality, personal health information should be backed up in an encrypted format. § 12.3.1 Health-specific control ¶ 2]	Operational and Systems Continuity	Configuration
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Establish Roles
Define and assign the security staff roles and responsibilities. CC ID 11750 [At a minimum, at least one individual shall be responsible for health information security within the organization. § 6.1.1 Health-specific control ¶ 2]	Human Resources management	Establish/Maintain Documentation
Establish and maintain an Information Technology steering committee. CC ID 12706	Human Resources management	Human Resources Management
Convene the Information Technology steering committee, as necessary. CC ID 12730 [The health information security forum shall meet regularly, on a monthly or near-to-monthly basis. (Typically, it is most effective to meet at the mid-point between the meetings of the governance body into which the forum reports. This allows emergency matters to be taken to a suitable meeting within a short period.) § 6.1.1 Health-specific control ¶ 3]	Human Resources management	Human Resources Management
Define and assign workforce roles and responsibilities. CC ID 13267 [Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. § 7.1.2 Health-specific control ¶ 2]	Human Resources management	Human Resources Management
Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201	Human Resources management	Human Resources Management
Assign roles and responsibilities for physical security, as necessary. CC ID 13113	Human Resources management	Establish Roles
Document the use of external experts. CC ID 16263	Human Resources management	Human Resources Management
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660	Human Resources management	Human Resources Management
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources management	Human Resources Management
Assign the roles and responsibilities for the change control program. CC ID 13118	Human Resources management	Human Resources Management
Identify and define all critical roles. CC ID 00777	Human Resources management	Establish Roles
Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739	Human Resources management	Establish Roles
Assign responsibility for cyber threat intelligence. CC ID 12746	Human Resources management	Human Resources Management
Assign the role of security management to applicable controls. CC ID 06444	Human Resources management	Establish Roles
Assign the role of security leader to keep up to date on the latest threats. CC ID 12112	Human Resources management	Human Resources Management
Define and assign the data processor's roles and responsibilities. CC ID 12607	Human Resources management	Human Resources Management
Assign the data processor to assist the data controller in implementing security controls. CC ID 12677	Human Resources management	Human Resources Management
Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617	Human Resources management	Communicate
Define and assign the data controller's roles and responsibilities. CC ID 00471	Human Resources management	Establish Roles
Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616	Human Resources management	Human Resources Management
Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615	Human Resources management	Human Resources Management
Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666	Human Resources management	Human Resources Management
Assign the role of data controller to applicable controls. CC ID 00354	Human Resources management	Establish Roles
Assign the role of data controller to provide advice, when requested. CC ID 12611	Human Resources management	Human Resources Management
Assign the role of data controller to additional personnel, as necessary. CC ID 00473	Human Resources management	Establish Roles
Assign the role of Information Technology operations to applicable controls. CC ID 00682	Human Resources management	Establish Roles
Assign the role of logical access control to applicable controls. CC ID 00772	Human Resources management	Establish Roles
Assign the role of asset physical security to applicable controls. CC ID 00770	Human Resources management	Establish Roles
Assign the role of data custodian to applicable controls. CC ID 04789	Human Resources management	Establish Roles
Assign the role of the Quality Management committee to applicable controls. CC ID 00769	Human Resources management	Establish Roles
Assign interested personnel to the Quality Management committee. CC ID 07193	Human Resources management	Establish Roles
Assign the roles and responsibilities for the asset management system. CC ID 14368	Human Resources management	Establish/Maintain Documentation
Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348	Human Resources management	Establish Roles
Assign the role of fire protection management to applicable controls. CC ID 04891	Human Resources management	Establish Roles
Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894	Human Resources management	Establish Roles
Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895	Human Resources management	Establish Roles
Assign the role of CRYPTO custodian to applicable controls. CC ID 06723	Human Resources management	Establish Roles
Define and assign the roles and responsibilities of security guards. CC ID 12543	Human Resources management	Human Resources Management
Define and assign roles and responsibilities for dispute resolution. CC ID 13626	Human Resources management	Human Resources Management
Define and assign the roles for Legal Support Workers. CC ID 13711	Human Resources management	Human Resources Management
Establish, implement, and maintain a personnel management program. CC ID 14018	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain a personnel security program. CC ID 10628	Human Resources management	Establish/Maintain Documentation
Assign security clearance procedures to qualified personnel. CC ID 06812	Human Resources management	Establish Roles
Assign personnel screening procedures to qualified personnel. CC ID 11699	Human Resources management	Establish Roles
Establish, implement, and maintain personnel screening procedures. CC ID 11700	Human Resources management	Establish/Maintain Documentation
Perform a personal identification check during personnel screening. CC ID 06721 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources management	Human Resources Management
Perform a criminal records check during personnel screening. CC ID 06643	Human Resources management	Establish/Maintain Documentation
Include all residences in the criminal records check. CC ID 13306	Human Resources management	Process or Activity
Document any reasons a full criminal records check could not be performed. CC ID 13305	Human Resources management	Establish/Maintain Documentation
Perform a personal references check during personnel screening. CC ID 06645	Human Resources management	Human Resources Management
Perform a credit check during personnel screening. CC ID 06646	Human Resources management	Human Resources Management
Perform an academic records check during personnel screening. CC ID 06647	Human Resources management	Establish/Maintain Documentation
Perform a drug test during personnel screening. CC ID 06648	Human Resources management	Testing
Perform a resume check during personnel screening. CC ID 06659 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1 Background verification checks on all candidates for employment should include a verification of applicable health professional qualifications, where such qualifications are professionally accredited (e.g. physicians, nurses, etc.) § 7.1.1 Health-specific controls ¶ 2]	Human Resources management	Human Resources Management
Perform a curriculum vitae check during personnel screening. CC ID 06660	Human Resources management	Human Resources Management
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720	Human Resources management	Human Resources Management
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445	Human Resources management	Communicate
Perform personnel screening procedures, as necessary. CC ID 11763	Human Resources management	Human Resources Management
Establish, implement, and maintain security clearance procedures. CC ID 00783	Human Resources management	Establish/Maintain Documentation
Perform security clearance procedures, as necessary. CC ID 06644	Human Resources management	Human Resources Management
Establish and maintain security clearances. CC ID 01634	Human Resources management	Human Resources Management
Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549	Human Resources management	Establish/Maintain Documentation
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764	Human Resources management	Establish Roles
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960	Human Resources management	Technical Security
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain job applications. CC ID 16180	Human Resources management	Establish/Maintain Documentation
Include a space for previous addresses and previous residences on the job application. CC ID 12302 [All organizations whose staff, contractors, or volunteers process (or are expected to process) personal health information should, as a minimum, verify the identity, current address and previous employment of such staff, contractors and volunteers at the time of job application. § 7.1.1 Health-specific controls ¶ 1]	Human Resources management	Human Resources Management
Train all personnel and third parties, as necessary. CC ID 00785	Human Resources management	Behavior
Establish, implement, and maintain training plans. CC ID 00828	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain a security awareness program. CC ID 11746 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall implement appropriate prevention, detection and response controls to protect against malicious software and shall implement appropriate user awareness training. § 12.2.1 Health-specific control]	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain a security awareness and training policy. CC ID 14022	Human Resources management	Establish/Maintain Documentation
Include compliance requirements in the security awareness and training policy. CC ID 14092	Human Resources management	Establish/Maintain Documentation
Include coordination amongst entities in the security awareness and training policy. CC ID 14091	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain security awareness and training procedures. CC ID 14054	Human Resources management	Establish/Maintain Documentation
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138	Human Resources management	Communicate
Include management commitment in the security awareness and training policy. CC ID 14049	Human Resources management	Establish/Maintain Documentation
Include roles and responsibilities in the security awareness and training policy. CC ID 14048	Human Resources management	Establish/Maintain Documentation
Include the scope in the security awareness and training policy. CC ID 14047	Human Resources management	Establish/Maintain Documentation
Include the purpose in the security awareness and training policy. CC ID 14045	Human Resources management	Establish/Maintain Documentation
Include configuration management procedures in the security awareness program. CC ID 13967	Human Resources management	Establish/Maintain Documentation
Include media protection in the security awareness program. CC ID 16368	Human Resources management	Training
Document security awareness requirements. CC ID 12146	Human Resources management	Establish/Maintain Documentation
Include safeguards for information systems in the security awareness program. CC ID 13046	Human Resources management	Establish/Maintain Documentation
Include security policies and security standards in the security awareness program. CC ID 13045	Human Resources management	Establish/Maintain Documentation
Include physical security in the security awareness program. CC ID 16369	Human Resources management	Training
Include mobile device security guidelines in the security awareness program. CC ID 11803	Human Resources management	Establish/Maintain Documentation
Include updates on emerging issues in the security awareness program. CC ID 13184	Human Resources management	Training
Include cybersecurity in the security awareness program. CC ID 13183	Human Resources management	Training
Include implications of non-compliance in the security awareness program. CC ID 16425	Human Resources management	Training
Include the acceptable use policy in the security awareness program. CC ID 15487	Human Resources management	Training
Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802	Human Resources management	Establish/Maintain Documentation
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 [In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Human Resources management	Establish/Maintain Documentation
Include remote access in the security awareness program. CC ID 13892	Human Resources management	Establish/Maintain Documentation
Document the goals of the security awareness program. CC ID 12145	Human Resources management	Establish/Maintain Documentation
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150	Human Resources management	Establish/Maintain Documentation
Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151	Human Resources management	Human Resources Management
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149	Human Resources management	Human Resources Management
Document the scope of the security awareness program. CC ID 12148	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain a security awareness baseline. CC ID 12147	Human Resources management	Establish/Maintain Documentation
Encourage interested personnel to obtain security certification. CC ID 11804	Human Resources management	Human Resources Management
Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823	Human Resources management	Behavior
Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211	Human Resources management	Behavior
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475	Human Resources management	Training
Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363	Human Resources management	Establish/Maintain Documentation
Establish, implement, and maintain a Code of Conduct. CC ID 04897	Human Resources management	Establish/Maintain Documentation
Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632	Human Resources management	Communicate
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a positive information control environment. CC ID 00813 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Operational management	Business Processes
Make compliance and governance decisions in a timely manner. CC ID 06490	Operational management	Behavior
Establish, implement, and maintain an information security program. CC ID 00812 [have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. § 6.1.1 Health-specific control ¶ 1(b)]	Operational management	Establish/Maintain Documentation
Include physical safeguards in the information security program. CC ID 12375	Operational management	Establish/Maintain Documentation
Include technical safeguards in the information security program. CC ID 12374	Operational management	Establish/Maintain Documentation
Include administrative safeguards in the information security program. CC ID 12373	Operational management	Establish/Maintain Documentation
Include system development in the information security program. CC ID 12389	Operational management	Establish/Maintain Documentation
Include system maintenance in the information security program. CC ID 12388	Operational management	Establish/Maintain Documentation
Include system acquisition in the information security program. CC ID 12387	Operational management	Establish/Maintain Documentation
Include access control in the information security program. CC ID 12386	Operational management	Establish/Maintain Documentation
Include operations management in the information security program. CC ID 12385	Operational management	Establish/Maintain Documentation
Include communication management in the information security program. CC ID 12384	Operational management	Establish/Maintain Documentation
Include environmental security in the information security program. CC ID 12383	Operational management	Establish/Maintain Documentation
Include physical security in the information security program. CC ID 12382	Operational management	Establish/Maintain Documentation
Include human resources security in the information security program. CC ID 12381	Operational management	Establish/Maintain Documentation
Include asset management in the information security program. CC ID 12380	Operational management	Establish/Maintain Documentation
Include a continuous monitoring program in the information security program. CC ID 14323	Operational management	Establish/Maintain Documentation
Include change management procedures in the continuous monitoring plan. CC ID 16227	Operational management	Establish/Maintain Documentation
include recovery procedures in the continuous monitoring plan. CC ID 16226	Operational management	Establish/Maintain Documentation
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225	Operational management	Establish/Maintain Documentation
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223	Operational management	Establish/Maintain Documentation
Include how the information security department is organized in the information security program. CC ID 12379	Operational management	Establish/Maintain Documentation
Include risk management in the information security program. CC ID 12378	Operational management	Establish/Maintain Documentation
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Establish/Maintain Documentation
Provide management direction and support for the information security program. CC ID 11999	Operational management	Process or Activity
Monitor and review the effectiveness of the information security program. CC ID 12744	Operational management	Monitor and Evaluate Occurrences
Establish, implement, and maintain an information security policy. CC ID 11740 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control {ongoing basis} The health organization's information security policy should be subject to ongoing, staged review, such that the totality of the policy is addressed at least annually. The policy should be reviewed after the occurrence of a serious security incident. § 5.1.2 Health-specific control]	Operational management	Establish/Maintain Documentation
Align the information security policy with the organization's risk acceptance level. CC ID 13042	Operational management	Business Processes
Include business processes in the information security policy. CC ID 16326	Operational management	Establish/Maintain Documentation
Include the information security strategy in the information security policy. CC ID 16125	Operational management	Establish/Maintain Documentation
Include a commitment to continuous improvement in the information security policy. CC ID 16123	Operational management	Establish/Maintain Documentation
Include roles and responsibilities in the information security policy. CC ID 16120	Operational management	Establish/Maintain Documentation
Include a commitment to the information security requirements in the information security policy. CC ID 13496	Operational management	Establish/Maintain Documentation
Include information security objectives in the information security policy. CC ID 13493	Operational management	Establish/Maintain Documentation
Include the use of Cloud Services in the information security policy. CC ID 13146	Operational management	Establish/Maintain Documentation
Include notification procedures in the information security policy. CC ID 16842	Operational management	Establish/Maintain Documentation
Approve the information security policy at the organization's management level or higher. CC ID 11737 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control]	Operational management	Process or Activity
Establish, implement, and maintain information security procedures. CC ID 12006	Operational management	Business Processes
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294	Operational management	Establish/Maintain Documentation
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303	Operational management	Communicate
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304	Operational management	Establish/Maintain Documentation
Define thresholds for approving information security activities in the information security program. CC ID 15702	Operational management	Process or Activity
Assign ownership of the information security program to the appropriate role. CC ID 00814	Operational management	Establish Roles
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884	Operational management	Human Resources Management
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 [clearly define and assign information security responsibilities; § 6.1.1 Health-specific control ¶ 1(a)]	Operational management	Establish/Maintain Documentation
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883	Operational management	Human Resources Management
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 [Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. § 5.1.1 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all organizations processing personal health information shall ensure that information security education and training are provided on induction and, that regular updates in organizational security policies and procedures are provided to all employees and, where relevant, third-party contractors, researchers, students and volunteers who process personal health information. § 7.2.2 Health-specific control ¶ 1]	Operational management	Communicate
Establish, implement, and maintain a social media governance program. CC ID 06536	Operational management	Establish/Maintain Documentation
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011	Operational management	Business Processes
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009	Operational management	Business Processes
Refrain from accepting instant messages from unknown senders. CC ID 12537	Operational management	Behavior
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578	Operational management	Establish/Maintain Documentation
Include explicit restrictions in the social media acceptable use policy. CC ID 06655	Operational management	Establish/Maintain Documentation
Include contributive content sites in the social media acceptable use policy. CC ID 06656	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain operational control procedures. CC ID 00831	Operational management	Establish/Maintain Documentation
Include assigning and approving operations in operational control procedures. CC ID 06382	Operational management	Establish/Maintain Documentation
Include startup processes in operational control procedures. CC ID 00833	Operational management	Establish/Maintain Documentation
Include change control processes in the operational control procedures. CC ID 16793	Operational management	Establish/Maintain Documentation
Establish and maintain a data processing run manual. CC ID 00832	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826	Operational management	Establish/Maintain Documentation
Use systems in accordance with the standard operating procedures manual. CC ID 15049	Operational management	Process or Activity
Include metrics in the standard operating procedures manual. CC ID 14988	Operational management	Establish/Maintain Documentation
Include maintenance measures in the standard operating procedures manual. CC ID 14986	Operational management	Establish/Maintain Documentation
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984	Operational management	Establish/Maintain Documentation
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982	Operational management	Establish/Maintain Documentation
Include predetermined changes in the standard operating procedures manual. CC ID 14977	Operational management	Establish/Maintain Documentation
Include specifications for input data in the standard operating procedures manual. CC ID 14975	Operational management	Establish/Maintain Documentation
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973	Operational management	Establish/Maintain Documentation
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972	Operational management	Establish/Maintain Documentation
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969	Operational management	Establish/Maintain Documentation
Include the intended purpose in the standard operating procedures manual. CC ID 14967	Operational management	Establish/Maintain Documentation
Include information on system performance in the standard operating procedures manual. CC ID 14965	Operational management	Establish/Maintain Documentation
Include contact details in the standard operating procedures manual. CC ID 14962	Operational management	Establish/Maintain Documentation
Include information sharing procedures in standard operating procedures. CC ID 12974	Operational management	Records Management
Establish, implement, and maintain information sharing agreements. CC ID 15645	Operational management	Business Processes
Provide support for information sharing activities. CC ID 15644	Operational management	Process or Activity
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328	Operational management	Business Processes
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026	Operational management	Communicate
Establish, implement, and maintain a job scheduling methodology. CC ID 00834	Operational management	Establish/Maintain Documentation
Establish and maintain a job schedule exceptions list. CC ID 00835	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a data processing continuity plan. CC ID 00836	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 [{health information asset} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have rules for acceptable use of these assets that are identified, documented and implemented. § 8.1.1 Health-specific control ¶ 1(c)]	Operational management	Establish/Maintain Documentation
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall ensure that any use, outside its premises, of medical devices that record or report data has been authorized. This should include equipment used by remote workers, even where such usage is perpetual (i.e. where it forms a core feature of the employee's role, such as for ambulance personnel, therapists, etc.) § 11.2.6 Health-specific control]	Operational management	Establish/Maintain Documentation
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703	Operational management	Establish/Maintain Documentation
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708	Operational management	Establish/Maintain Documentation
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706	Operational management	Establish/Maintain Documentation
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293	Operational management	Establish/Maintain Documentation
Include a web usage policy in the Acceptable Use Policy. CC ID 16496	Operational management	Establish/Maintain Documentation
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352	Operational management	Establish/Maintain Documentation
Include asset tags in the Acceptable Use Policy. CC ID 01354	Operational management	Establish/Maintain Documentation
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699	Operational management	Establish/Maintain Documentation
Include asset use policies in the Acceptable Use Policy. CC ID 01355	Operational management	Establish/Maintain Documentation
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872	Operational management	Establish/Maintain Documentation
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353	Operational management	Establish/Maintain Documentation
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892	Operational management	Technical Security
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893	Operational management	Establish/Maintain Documentation
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772	Operational management	Data and Information Management
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356	Operational management	Establish/Maintain Documentation
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881	Operational management	Establish/Maintain Documentation
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357	Operational management	Establish/Maintain Documentation
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441	Operational management	Establish/Maintain Documentation
Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311	Operational management	Establish/Maintain Documentation
Include a software installation policy in the Acceptable Use Policy. CC ID 06749	Operational management	Establish/Maintain Documentation
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472	Operational management	Establish/Maintain Documentation
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431	Operational management	Communicate
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075	Operational management	Business Processes
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512	Operational management	Establish/Maintain Documentation
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an e-mail policy. CC ID 06439	Operational management	Establish/Maintain Documentation
Include business use of personal e-mail in the e-mail policy. CC ID 14381	Operational management	Establish/Maintain Documentation
Identify the sender in all electronic messages. CC ID 13996	Operational management	Data and Information Management
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall have a confidentiality agreement in place that specifies the confidential nature of this information. The agreement shall be applicable to all personnel accessing health information. § 13.2.4 Health-specific control]	Operational management	Establish/Maintain Documentation
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191	Operational management	Communicate
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667	Operational management	Establish/Maintain Documentation
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669	Operational management	Establish/Maintain Documentation
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818	Operational management	Business Processes
Establish, implement, and maintain an Asset Management program. CC ID 06630	Operational management	Business Processes
Assign an information owner to organizational assets, as necessary. CC ID 12729 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: have a designated custodian of these health information assets (see 8.1.2); § 8.1.1 Health-specific control ¶ 1(b) The source (authorship) of publicly available health information should be stated and its integrity should be protected. § 14.1.3.1 Health-specific controls ¶ 3]	Operational management	Human Resources Management
Establish, implement, and maintain an asset inventory. CC ID 06631 [In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should: account for health information assets (i.e. maintain an inventory of such assets); § 8.1.1 Health-specific control ¶ 1(a)]	Operational management	Business Processes
Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689	Operational management	Establish/Maintain Documentation
Include all account types in the Information Technology inventory. CC ID 13311	Operational management	Establish/Maintain Documentation
Include each Information System's system boundaries in the Information Technology inventory. CC ID 00695	Operational management	Systems Design, Build, and Implementation
Identify processes, Information Systems, and third parties that transmit, process, or store restricted data. CC ID 06289	Operational management	Data and Information Management
Include each Information System's major applications in the Information Technology inventory. CC ID 01407	Operational management	Establish/Maintain Documentation
Categorize all major applications according to the business information they process. CC ID 07182	Operational management	Establish/Maintain Documentation
Document the resources, hazards, and Evaluation Assurance Levels for each major application. CC ID 01164	Operational management	Establish/Maintain Documentation
Include the General Support Systems and security support structure in the Information Technology inventory. CC ID 01408	Operational management	Establish/Maintain Documentation
Include each Information System's minor applications in the Information Technology inventory. CC ID 01409	Operational management	Establish/Maintain Documentation
Conduct environmental surveys. CC ID 00690	Operational management	Physical and Environmental Protection
Categorize facilities in the Information Technology inventory according to their environmental risks. CC ID 06729	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a hardware asset inventory. CC ID 00691	Operational management	Establish/Maintain Documentation
Include network equipment in the Information Technology inventory. CC ID 00693	Operational management	Establish/Maintain Documentation
Include mobile devices that store restricted data or restricted information in the Information Technology inventory. CC ID 04719	Operational management	Establish/Maintain Documentation
Include interconnected systems and Software as a Service in the Information Technology inventory. CC ID 04885	Operational management	Process or Activity
Include software in the Information Technology inventory. CC ID 00692	Operational management	Establish/Maintain Documentation
Establish and maintain a list of authorized software and versions required for each system. CC ID 12093	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a storage media inventory. CC ID 00694	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a records inventory and database inventory. CC ID 01260	Operational management	Establish/Maintain Documentation
Add inventoried assets to the asset register database, as necessary. CC ID 07051	Operational management	Establish/Maintain Documentation
Organize the asset register database by grouping objects according to an organizational information classification standard. CC ID 07181	Operational management	Establish/Maintain Documentation
Use automated tools to collect Information Technology inventory information, as necessary. CC ID 07054	Operational management	Technical Security
Link the authentication system to the asset inventory. CC ID 13718	Operational management	Technical Security
Record a unique name for each asset in the asset inventory. CC ID 16305	Operational management	Data and Information Management
Record the decommission date for applicable assets in the asset inventory. CC ID 14920	Operational management	Establish/Maintain Documentation
Record the status of information systems in the asset inventory. CC ID 16304	Operational management	Data and Information Management
Record the communication interfaces for applicable assets in the asset inventory. CC ID 16301	Operational management	Data and Information Management
Record the Uniform Resource Locator for applicable assets in the asset inventory. CC ID 14918	Operational management	Establish/Maintain Documentation
Include source code in the asset inventory. CC ID 14858	Operational management	Records Management
Assign ownership of maintaining the asset inventory, as necessary. CC ID 12344 [{establish}{ownership} Assets maintained in the inventory should be owned. § 8.1.2 Control ¶ 2]	Operational management	Human Resources Management
Record the review date for applicable assets in the asset inventory. CC ID 14919	Operational management	Establish/Maintain Documentation
Record software license information for each asset in the asset inventory. CC ID 11736	Operational management	Data and Information Management
Record services for applicable assets in the asset inventory. CC ID 13733	Operational management	Establish/Maintain Documentation
Record protocols for applicable assets in the asset inventory. CC ID 13734	Operational management	Establish/Maintain Documentation
Record the software version in the asset inventory. CC ID 12196	Operational management	Establish/Maintain Documentation
Record the publisher for applicable assets in the asset inventory. CC ID 13725	Operational management	Establish/Maintain Documentation
Record the authentication system in the asset inventory. CC ID 13724	Operational management	Establish/Maintain Documentation
Tag unsupported assets in the asset inventory. CC ID 13723	Operational management	Establish/Maintain Documentation
Record the install date for applicable assets in the asset inventory. CC ID 13720	Operational management	Establish/Maintain Documentation
Record the make, model of device for applicable assets in the asset inventory. CC ID 12465	Operational management	Establish/Maintain Documentation
Record the asset tag for physical assets in the asset inventory. CC ID 06632	Operational management	Establish/Maintain Documentation
Record the host name of applicable assets in the asset inventory. CC ID 13722	Operational management	Establish/Maintain Documentation
Record network ports for applicable assets in the asset inventory. CC ID 13730	Operational management	Establish/Maintain Documentation
Record the MAC address for applicable assets in the asset inventory. CC ID 13721	Operational management	Establish/Maintain Documentation
Record the operating system version for applicable assets in the asset inventory. CC ID 11748	Operational management	Data and Information Management
Record the operating system type for applicable assets in the asset inventory. CC ID 06633	Operational management	Establish/Maintain Documentation
Record rooms at external locations in the asset inventory. CC ID 16302	Operational management	Data and Information Management
Record the department associated with the asset in the asset inventory. CC ID 12084	Operational management	Establish/Maintain Documentation
Record the physical location for applicable assets in the asset inventory. CC ID 06634	Operational management	Establish/Maintain Documentation
Record the manufacturer's serial number for applicable assets in the asset inventory. CC ID 06635	Operational management	Establish/Maintain Documentation
Record the firmware version for applicable assets in the asset inventory. CC ID 12195	Operational management	Establish/Maintain Documentation
Record the related business function for applicable assets in the asset inventory. CC ID 06636	Operational management	Establish/Maintain Documentation
Record the deployment environment for applicable assets in the asset inventory. CC ID 06637	Operational management	Establish/Maintain Documentation
Record the Internet Protocol address for applicable assets in the asset inventory. CC ID 06638	Operational management	Establish/Maintain Documentation
Record trusted keys and certificates in the asset inventory. CC ID 15486	Operational management	Data and Information Management
Record cipher suites and protocols in the asset inventory. CC ID 15489	Operational management	Data and Information Management
Link the software asset inventory to the hardware asset inventory. CC ID 12085	Operational management	Establish/Maintain Documentation
Record the owner for applicable assets in the asset inventory. CC ID 06640	Operational management	Establish/Maintain Documentation
Record all compliance requirements for applicable assets in the asset inventory. CC ID 15696	Operational management	Establish/Maintain Documentation
Record all changes to assets in the asset inventory. CC ID 12190	Operational management	Establish/Maintain Documentation
Record cloud service derived data in the asset inventory. CC ID 13007	Operational management	Establish/Maintain Documentation
Include cloud service customer data in the asset inventory. CC ID 13006	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a customer service program. CC ID 00846	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Management program. CC ID 00853	Operational management	Business Processes
Include incident escalation procedures in the Incident Management program. CC ID 00856 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: to ensure that there is an effective and prioritized escalation path for incidents, such that crisis management and business continuity management plans can be invoked in the right circumstances and at the right time; § 16.1.2 Health-specific controls ¶ 1(b)]	Operational management	Establish/Maintain Documentation
Include detection procedures in the Incident Management program. CC ID 00588	Operational management	Establish/Maintain Documentation
Include incident management procedures in the Incident Management program. CC ID 12689 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain temporary and emergency access revocation procedures. CC ID 15334	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an Incident Response program. CC ID 00579	Operational management	Establish/Maintain Documentation
Include incident response team structures in the Incident Response program. CC ID 01237	Operational management	Establish/Maintain Documentation
Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 [{incident management procedures} In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should establish security incident management responsibilities and procedures in order: § 16.1.2 Health-specific controls ¶ 1]	Operational management	Establish Roles
Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877	Operational management	Establish Roles
Include the head of information security's roles and responsibilities in the Incident Response program. CC ID 01878	Operational management	Establish Roles
Include the customer database owner's roles and responsibilities in the Incident Response program. CC ID 01879	Operational management	Establish Roles
Include the online sales department's roles and responsibilities in the Incident Response program. CC ID 01880	Operational management	Establish Roles
Include the incident response point of contact for credit card payment system's roles and responsibilities in the Incident Response program. CC ID 01881	Operational management	Establish Roles
Include the organizational legal counsel's roles and responsibilities in the Incident Response program. CC ID 01882	Operational management	Establish Roles
Include the Human Resources point of contact's roles and responsibilities in the Incident Response program. CC ID 01883	Operational management	Establish Roles
Include the organizational incident response network architecture point of contact's roles and responsibilities in the Incident Response program. CC ID 01884	Operational management	Establish Roles
Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program. CC ID 01885	Operational management	Establish Roles
Include the organizational incident response location manager's roles and responsibilities in the Incident Response program. CC ID 01886	Operational management	Establish Roles
Assign the distribution of security alerts to the appropriate role in the incident response program. CC ID 11887	Operational management	Human Resources Management
Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program. CC ID 12473	Operational management	Establish/Maintain Documentation
Assign the distribution of incident response procedures to the appropriate role in the incident response program. CC ID 12474	Operational management	Communicate
Include references to industry best practices in the incident response procedures. CC ID 11956	Operational management	Establish/Maintain Documentation
Include responding to alerts from security monitoring systems in the incident response procedures. CC ID 11949	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a change control program. CC ID 00886 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Operational management	Establish/Maintain Documentation
Include potential consequences of unintended changes in the change control program. CC ID 12243	Operational management	Establish/Maintain Documentation
Include version control in the change control program. CC ID 13119	Operational management	Establish/Maintain Documentation
Include service design and transition in the change control program. CC ID 13920	Operational management	Establish/Maintain Documentation
Separate the production environment from development environment or test environment for the change control process. CC ID 11864	Operational management	Maintenance
Integrate configuration management procedures into the change control program. CC ID 13646	Operational management	Technical Security
Establish, implement, and maintain a back-out plan. CC ID 13623	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373	Operational management	Establish/Maintain Documentation
Manage change requests. CC ID 00887 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure the appropriate control of host applications and systems and continuity of patient care. § 12.1.2 Health-specific control]	Operational management	Business Processes
Include documentation of the impact level of proposed changes in the change request. CC ID 11942	Operational management	Establish/Maintain Documentation
Establish and maintain a change request approver list. CC ID 06795	Operational management	Establish/Maintain Documentation
Document all change requests in change request forms. CC ID 06794	Operational management	Establish/Maintain Documentation
Approve tested change requests. CC ID 11783	Operational management	Data and Information Management
Validate the system before implementing approved changes. CC ID 01510	Operational management	Systems Design, Build, and Implementation
Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807	Operational management	Behavior
Establish, implement, and maintain emergency change procedures. CC ID 00890	Operational management	Establish/Maintain Documentation
Perform emergency changes, as necessary. CC ID 12707	Operational management	Process or Activity
Back up emergency changes after the change has been performed. CC ID 12734	Operational management	Process or Activity
Log emergency changes after they have been performed. CC ID 12733	Operational management	Establish/Maintain Documentation
Perform risk assessments prior to approving change requests. CC ID 00888	Operational management	Testing
Implement changes according to the change control program. CC ID 11776	Operational management	Business Processes
Provide audit trails for all approved changes. CC ID 13120	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a patch management program. CC ID 00896	Operational management	Process or Activity
Document the sources of all software updates. CC ID 13316	Operational management	Establish/Maintain Documentation
Implement patch management software, as necessary. CC ID 12094	Operational management	Technical Security
Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087	Operational management	Technical Security
Establish, implement, and maintain a patch management policy. CC ID 16432	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain patch management procedures. CC ID 15224	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a patch log. CC ID 01642	Operational management	Establish/Maintain Documentation
Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796	Operational management	Business Processes
Establish, implement, and maintain a software release policy. CC ID 00893	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain traceability documentation. CC ID 16388	Operational management	Systems Design, Build, and Implementation
Disseminate and communicate software update information to users and regulators. CC ID 06602	Operational management	Behavior
Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809	Operational management	Data and Information Management
Update associated documentation after the system configuration has been changed. CC ID 00891	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain system hardening procedures. CC ID 12001	System hardening through configuration management	Establish/Maintain Documentation
Configure the time server in accordance with organizational standards. CC ID 06426	System hardening through configuration management	Configuration
Configure the time server to synchronize with specifically designated hosts. CC ID 06427 [Health information systems supporting time-critical-shared care activities shall provide time synchronization services to support tracing and reconstitution of activity timelines where required. § 12.4.4 Health-specific control]	System hardening through configuration management	Configuration
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Establish/Maintain Documentation
Archive appropriate records, logs, and database tables. CC ID 06321 [Publicly available health information (as distinct from personal health information) should be archived. § 14.1.3.1 Health-specific controls ¶ 1]	Records management	Records Management
Establish, implement, and maintain records management procedures. CC ID 11619 [Health information systems processing personal health information: shall be capable of merging duplicate or multiple records if it is determined that multiple records for the same subject of care have been created unintentionally or during a medical emergency. § 14.1.1.1 Health-specific control ¶ 1(b)]	Records management	Establish/Maintain Documentation
Maintain electronic records in an equivalent manner as printed records, as necessary. CC ID 11806	Records management	Records Management
Process restricted information in a secure environment. CC ID 13058	Records management	Process or Activity
Refrain from creating printed records as copies of electronic records. CC ID 11808	Records management	Records Management
Assign ownership for all electronic records. CC ID 14814	Records management	Establish/Maintain Documentation
Attribute electronic records, as necessary. CC ID 14820	Records management	Establish/Maintain Documentation
Validate transactions using identifiers and credentials. CC ID 13203	Records management	Technical Security
Establish, implement, and maintain a system storage log. CC ID 13532	Records management	Records Management
Establish, implement, and maintain a system input log. CC ID 13531	Records management	Establish/Maintain Documentation
Protect records from loss in accordance with applicable requirements. CC ID 12007	Records management	Records Management
Establish, implement, and maintain data completeness controls. CC ID 11649	Records management	Process or Activity
Establish, implement, and maintain authorization records. CC ID 14367	Records management	Establish/Maintain Documentation
Include the reasons for granting the authorization in the authorization records. CC ID 14371	Records management	Establish/Maintain Documentation
Include the date and time the authorization was granted in the authorization records. CC ID 14370	Records management	Establish/Maintain Documentation
Include the person's name who approved the authorization in the authorization records. CC ID 14369	Records management	Establish/Maintain Documentation
Establish, implement, and maintain electronic health records. CC ID 14436	Records management	Data and Information Management
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437	Records management	Data and Information Management
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438	Records management	Records Management
Display required information automatically in electronic health records. CC ID 14442	Records management	Process or Activity
Create summary of care records in accordance with applicable standards. CC ID 14440	Records management	Establish/Maintain Documentation
Provide the patient with a summary of care record, as necessary. CC ID 14441	Records management	Actionable Reports or Measurements
Create export summaries, as necessary. CC ID 14446	Records management	Process or Activity
Import data files into a patient's electronic health record. CC ID 14448	Records management	Data and Information Management
Export requested sections of the electronic health record. CC ID 14447	Records management	Data and Information Management
Establish and maintain an implantable device list. CC ID 14444	Records management	Records Management
Display the implantable device list to authorized users. CC ID 14445	Records management	Data and Information Management
Establish, implement, and maintain decision support interventions. CC ID 14443	Records management	Business Processes
Include attributes in the decision support intervention. CC ID 16766	Records management	Data and Information Management
Establish, implement, and maintain a recordkeeping system. CC ID 15709	Records management	Records Management
Log the termination date in the recordkeeping system. CC ID 16181	Records management	Records Management
Log the name of the requestor in the recordkeeping system. CC ID 15712	Records management	Records Management
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711	Records management	Records Management
Log records as being received into the recordkeeping system. CC ID 11696	Records management	Records Management
Log the date and time each item is received into the recordkeeping system. CC ID 11709	Records management	Log Management
Log the date and time each item is made available into the recordkeeping system. CC ID 11710	Records management	Log Management
Log the number of routine items received into the recordkeeping system. CC ID 11701	Records management	Establish/Maintain Documentation
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707	Records management	Log Management
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705	Records management	Log Management
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703	Records management	Log Management
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711	Records management	Log Management
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718	Records management	Log Management
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719	Records management	Log Management
Log the number of non-routine items received into the recordkeeping system. CC ID 11706	Records management	Log Management
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716	Records management	Log Management
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708	Records management	Log Management
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704	Records management	Log Management
Log performance monitoring into the recordkeeping system. CC ID 11724	Records management	Log Management
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728	Records management	Log Management
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727	Records management	Log Management
Establish, implement, and maintain a transfer journal. CC ID 11729	Records management	Records Management
Log any notices filed by the organization into the recordkeeping system. CC ID 11725	Records management	Log Management
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723	Records management	Log Management
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720	Records management	Log Management
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717	Records management	Log Management
Provide a receipt of records logged into the recordkeeping system. CC ID 11697	Records management	Records Management
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712	Records management	Log Management
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726	Records management	Log Management
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715	Records management	Log Management
Establish, implement, and maintain data availability controls. CC ID 15301	Records management	Data and Information Management
Include record integrity techniques in the records management procedures. CC ID 06418 [The integrity of publicly available health information should be protected to prevent unauthorized modification. § 14.1.3.1 Health-specific controls ¶ 2]	Records management	Establish/Maintain Documentation
Note in electronic records converted from printed records, the location of the original. CC ID 11809	Records management	Records Management
Incorporate desktop publishing into the organization's Records Management program. CC ID 06535	Records management	Establish/Maintain Documentation
Provide structures for browsing records stored in the Electronic Document and Records Management system. CC ID 10009	Records management	Business Processes
Provide structures for searching for items stored in the Electronic Document and Records Management system. CC ID 10010	Records management	Business Processes
Provide structures for downloading records from the Electronic Document and Records Management system. CC ID 10011	Records management	Business Processes
Provide structures for managing e-mail stored in the Electronic Document and Records Management system. CC ID 10012	Records management	Business Processes
Provide structures for authorized parties to approve record updates in the Electronic Document and Records Management system. CC ID 11965	Records management	Records Management
Provide structures for version control of records stored in the Electronic Document and Records Management system. CC ID 10013	Records management	Business Processes
Establish, implement, and maintain electronic storage media security controls. CC ID 13204	Records management	Technical Security
Use automated entry devices to reduce errors during data input. CC ID 06626	Records management	Data and Information Management
Establish, implement, and maintain data processing integrity controls. CC ID 00923	Records management	Establish Roles
Sanitize user input in accordance with organizational standards. CC ID 16856	Records management	Process or Activity
Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924	Records management	Data and Information Management
Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925	Records management	Establish/Maintain Documentation
Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659	Records management	Establish/Maintain Documentation
Establish, implement, and maintain document security requirements for the output of records. CC ID 11656	Records management	Establish/Maintain Documentation
Establish, implement, and maintain document handling procedures for paper documents. CC ID 00926	Records management	Establish/Maintain Documentation
Establish, implement, and maintain electronic storage media management procedures. CC ID 00931	Records management	Establish/Maintain Documentation
Establish, implement, and maintain security label procedures. CC ID 06747	Records management	Establish/Maintain Documentation
Label restricted storage media appropriately. CC ID 00966	Records management	Data and Information Management
Establish, implement, and maintain restricted material identification procedures. CC ID 01889	Records management	Establish/Maintain Documentation
Conspicuously locate the restricted record's overall classification. CC ID 01890	Records management	Establish/Maintain Documentation
Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891	Records management	Establish/Maintain Documentation
Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892	Records management	Establish/Maintain Documentation
Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893	Records management	Establish/Maintain Documentation
Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894	Records management	Establish/Maintain Documentation
Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896	Records management	Data and Information Management
Establish, implement, and maintain label inheritance mechanisms for aggregate data sets. CC ID 06957	Records management	Technical Security
Establish the minimum originator requirements for security labels. CC ID 06579	Records management	Establish/Maintain Documentation
Establish the minimum intermediate system requirements for security labels. CC ID 06581	Records management	Establish/Maintain Documentation
Establish the minimum receiver requirements for records or electronic storage media marked with security labels. CC ID 06580	Records management	Establish/Maintain Documentation
Establish policy based processing rules to process incoming records or electronic storage media marked with security labels. CC ID 06582	Records management	Establish/Maintain Documentation
Establish and maintain access controls for all records. CC ID 00371	Records management	Records Management
Reproduce materials containing restricted data or restricted information in accordance with compliance requirements. CC ID 02202	Records management	Data and Information Management
Establish, implement, and maintain a records lifecycle management program. CC ID 00951	Records management	Establish/Maintain Documentation
Establish, implement, and maintain an information preservation policy. CC ID 16483	Records management	Establish/Maintain Documentation
Establish, implement, and maintain information preservation procedures. CC ID 06277	Records management	Establish/Maintain Documentation
Implement and maintain high availability storage, as necessary. CC ID 00952	Records management	Technical Security
Implement and maintain backups and duplicate copies of organizational records. CC ID 00953	Records management	Records Management
Establish, implement, and maintain the duplicate original of record indexes. CC ID 00954	Records management	Records Management
Establish, implement, and maintain a transparent storage media strategy. CC ID 00932	Records management	Records Management
Establish, implement, and maintain an online availability plan that is commensurate with the electronic storage media. CC ID 00934	Records management	Establish/Maintain Documentation
Establish, implement, and maintain online storage controls. CC ID 00942	Records management	Technical Security
Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943	Records management	Records Management
Provide encryption for different types of electronic storage media. CC ID 00945 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Technical Security
Implement electronic storage media integrity controls. CC ID 00946	Records management	Configuration
Automate electronic storage media integrity check controls. CC ID 00948	Records management	Configuration
Provide capacity for indexes on electronic storage media, as necessary. CC ID 00950	Records management	Configuration
Establish, implement, and maintain a removable storage media log. CC ID 12317 [{physical safeguard} In addition to the guidance given by ISO/IEC 27002, media containing personal health information shall be either physically protected or else have their data encrypted. The status and location of media containing unencrypted personal health information shall be monitored. § 8.3.1 Health-specific control]	Records management	Log Management
Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320	Records management	Establish/Maintain Documentation
Include the date and time in the removable storage media log. CC ID 12318	Records management	Establish/Maintain Documentation
Include the name and signature of the current custodian in the removable storage media log. CC ID 12315	Records management	Establish/Maintain Documentation
Include the number of physical media used for the data transfer in the removable storage media log. CC ID 12754	Records management	Establish/Maintain Documentation
Include the recipient's name for the data transfer in the removable storage media log. CC ID 12753	Records management	Establish/Maintain Documentation
Include the sender's name in the removable storage media log. CC ID 12752	Records management	Establish/Maintain Documentation
Include the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751	Records management	Establish/Maintain Documentation
Include the reason for transfer in the removable storage media log. CC ID 12316	Records management	Establish/Maintain Documentation
Establish, implement, and maintain storage media downgrading procedures. CC ID 10619	Records management	Process or Activity
Document all actions taken when downgrading electronic storage media. CC ID 10622	Records management	Establish/Maintain Documentation
Establish, implement, and maintain output distribution procedures. CC ID 00927	Records management	Establish/Maintain Documentation
Include printed output in output distribution procedures. CC ID 13477	Records management	Establish/Maintain Documentation
Establish, implement, and maintain document retention procedures. CC ID 11660	Records management	Establish/Maintain Documentation
Establish, implement, and maintain electronic media distribution procedures. CC ID 11650	Records management	Establish/Maintain Documentation
Establish and maintain an error suspense file for rejected transactions. CC ID 06623	Records management	Records Management
Establish and maintain reconciliation audit trails. CC ID 11647	Records management	Establish/Maintain Documentation
Establish, implement, and maintain a data processing output log. CC ID 06624	Records management	Log Management
Establish, implement, and maintain paper document integrity requirements for the output of records. CC ID 00930	Records management	Establish/Maintain Documentation
Review and approve output exceptions. CC ID 06625	Records management	Records Management
Initiate the System Development Life Cycle planning phase. CC ID 06266	Systems design, build, and implementation	Systems Design, Build, and Implementation
Separate the design and development environment from the production environment. CC ID 06088 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Systems design, build, and implementation	Systems Design, Build, and Implementation
Specify appropriate tools for the system development project. CC ID 06830	Systems design, build, and implementation	Establish/Maintain Documentation
Implement security controls in development endpoints. CC ID 16389	Systems design, build, and implementation	Testing
Initiate the System Development Life Cycle implementation phase. CC ID 06268	Systems design, build, and implementation	Systems Design, Build, and Implementation
Establish, implement, and maintain a system implementation standard. CC ID 01111	Systems design, build, and implementation	Establish/Maintain Documentation
Establish, implement, and maintain an implementation plan. CC ID 01114 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall separate (physically or virtually) development and testing environments for health information systems processing such information from operational environments hosting those health information systems. Rules for the migration of software from development to operational status shall be defined and documented by the organization hosting the affected application(s). § 12.1.4 Health-specific control]	Systems design, build, and implementation	Establish/Maintain Documentation
Include an implementation schedule in the implementation plan. CC ID 16124	Systems design, build, and implementation	Establish/Maintain Documentation
Include the allocation of resources in the implementation plan. CC ID 16122	Systems design, build, and implementation	Establish/Maintain Documentation
Include roles and responsibilities in the implementation plan. CC ID 16121	Systems design, build, and implementation	Establish/Maintain Documentation
Manage the system implementation process. CC ID 01115	Systems design, build, and implementation	Behavior
Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. § 14.2.9 Health-specific control ¶ 1]	Acquisition or sale of facilities, technology, and services	Establish/Maintain Documentation
Authorize new assets prior to putting them into the production environment. CC ID 13530	Acquisition or sale of facilities, technology, and services	Process or Activity
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data transparency program. CC ID 00375	Privacy protection for information and data	Data and Information Management
Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393	Privacy protection for information and data	Establish/Maintain Documentation
Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399	Privacy protection for information and data	Data and Information Management
Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use limitation program. CC ID 13428	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain a personal data use purpose specification. CC ID 00093	Privacy protection for information and data	Establish/Maintain Documentation
Dispose of media and restricted data in a timely manner. CC ID 00125 [In addition to implementing the control given by ISO/IEC 27002, all employees and contractors, upon termination of employment, shall return all personal health information in their possession that is in non-electronic form and ensure that all personal health information in their possession in electronic form is updated on relevant systems and then securely deleted from any devices on which it has resided. § 8.1.4 Health-specific control In addition to implementing the control given by ISO/IEC 27002, organizations processing health information applications shall securely erase or else destroy all media containing health information application software or personal health information when the media are no longer required for use. § 11.2.7 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control In addition to implementing the control given by ISO/IEC 27002, all personal health information shall be securely erased or else the media destroyed when no longer required for use. § 8.3.2 Health-specific control]	Privacy protection for information and data	Data and Information Management
Refrain from destroying records being inspected or reviewed. CC ID 13015	Privacy protection for information and data	Records Management
Notify the data subject after their personal data is disposed, as necessary. CC ID 13502	Privacy protection for information and data	Communicate
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128	Privacy protection for information and data	Establish/Maintain Documentation
Process restricted data lawfully and carefully. CC ID 00086	Privacy protection for information and data	Establish Roles
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200	Privacy protection for information and data	Data and Information Management
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201	Privacy protection for information and data	Establish/Maintain Documentation
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 [Health information systems processing personal health information shall provide personally identifying information to assist health professionals in confirming that the electronic health record retrieved matches the subject of care under treatment. § 14.1.1.2 Health-specific control Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when a healthcare relationship exists between the user and the data subject (the subject of care whose personal health information is being accessed); § 9.1.1 Health-specific control ¶ 1(a)]	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208	Privacy protection for information and data	Data and Information Management
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 [Organizations processing personal health information shall control access to such information. In general, users of health information systems should only access personal health information: when the user is carrying out an activity on behalf of the data subject; § 9.1.1 Health-specific control ¶ 1(b)]	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a data handling program. CC ID 13427	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data handling policies. CC ID 00353	Privacy protection for information and data	Establish/Maintain Documentation
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [{confidential information} All health information systems processing personal health information should inform users of the confidentiality of personal health information accessible from the system (e.g. at start-up or log-in) and should label hardcopy output as confidential when it contains personal health information. § 8.2.2 Health-specific control]	Privacy protection for information and data	Establish/Maintain Documentation
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565	Privacy protection for information and data	Data and Information Management
Protect electronic messaging information. CC ID 12022	Privacy protection for information and data	Technical Security
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360	Privacy protection for information and data	Data and Information Management
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699	Privacy protection for information and data	Configuration
Store payment card data in secure chips, if possible. CC ID 13065	Privacy protection for information and data	Configuration
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758	Privacy protection for information and data	Configuration
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952	Privacy protection for information and data	Technical Security
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083	Privacy protection for information and data	Data and Information Management
Log the disclosure of personal data. CC ID 06628	Privacy protection for information and data	Log Management
Log the modification of personal data. CC ID 11844	Privacy protection for information and data	Log Management
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850	Privacy protection for information and data	Technical Security
Implement security measures to protect personal data. CC ID 13606	Privacy protection for information and data	Technical Security
Implement physical controls to protect personal data. CC ID 00355	Privacy protection for information and data	Testing
Limit data leakage. CC ID 00356	Privacy protection for information and data	Data and Information Management
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654	Privacy protection for information and data	Monitor and Evaluate Occurrences
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851	Privacy protection for information and data	Business Processes
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408	Privacy protection for information and data	Acquisition/Sale of Assets or Services
Alert appropriate personnel when data leakage is detected. CC ID 14715	Privacy protection for information and data	Process or Activity
Develop remedies and sanctions for privacy policy violations. CC ID 00474	Privacy protection for information and data	Data and Information Management
Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610	Privacy protection for information and data	Data and Information Management
Establish, implement, and maintain a supply chain management program. CC ID 11742	Third Party and supply chain oversight	Establish/Maintain Documentation
Include a description of the data or information to be covered in third party contracts. CC ID 06510	Third Party and supply chain oversight	Establish/Maintain Documentation
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The organization should identify and document all parties with whom patient data is exchanged and contractual agreements should be made with these parties regulating access and privileges, prior to exchange of patient data. § 9.1.1 Health-specific control ¶ 5]	Third Party and supply chain oversight	Business Processes
Include risk management procedures in the supply chain management policy. CC ID 08811	Third Party and supply chain oversight	Establish/Maintain Documentation
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [In addition to implementing the control given by ISO/IEC 27002, organizations processing health information shall assess the risks associated with access by external parties to these systems or the data they contain, and then implement security controls that are appropriate to the identified level of risk and to the technologies employed. § 15.1.1 Health-specific control]	Third Party and supply chain oversight	Establish/Maintain Documentation