If I treat ISO 27001 risk with a control checklist first, I can miss the threats that hurt healthcare most: downtime, PHI leaks, and vendor access. The article’s core point is simple: I should start with the threat, score the risk the same way each time, choose one treatment path, link it to named controls, and then get sign-off on what risk is left.
Here’s the full process in plain English:
- Define scope first: list systems, data, vendors, devices, and workflows tied to patient care.
- Build threat scenarios: ransomware, insider misuse, vendor compromise, and device flaws.
- Score risk: rate likelihood and impact, then compare before and after controls.
- Pick one treatment: modify, avoid, transfer, or retain.
- Turn decisions into action: assign owners, due dates, and proof.
- Review residual risk: confirm controls work, document exceptions, and get approval.
A few points stand out:
- In healthcare, availability can be the top issue because outages can affect care delivery.
- ISO 27001 Clause 6.1.3 requires documented treatment decisions and residual risk acceptance.
- The Statement of Applicability (SoA) must show why Annex A controls are included or left out.
- Risk reviews should happen on a set cycle and again when things change, like a new PHI system, new vendor access, or a security event.
- A stale risk record can mislead teams, so the article suggests alerts for entries older than 90 days.
Here’s the article at a glance:
| Step | What I do | What comes out |
|---|---|---|
| 1 | Set scope, assets, and threats | Risk scenarios tied to care impact |
| 2 | Score likelihood and impact | Priority ranking |
| 3 | Choose treatment path | Decision with reason |
| 4 | Assign controls and owners | Evidence and due dates |
| 5 | Review remaining risk | Approval trail and review cycle |
In short, the article says I should treat ISO 27001 risk in healthcare by working from actual attack paths to control choices, not the other way around.
ISO 27001 Threat-Centric Risk Treatment: 5-Step Process for Healthcare
ISO 27001 Clause 6.1.3 - Risk Treatment Explained
sbb-itb-535baee
1. Define scope, assets, and threat scenarios before choosing treatments
Start by listing the assets, processes, and data flows that are in scope. Then group them by how they affect patient care. In healthcare, that usually includes EHRs, connected medical devices, cloud applications, PHI repositories, and vendor connections such as HIEs.
Next, sort those assets into tiers based on how directly they affect care delivery. That gives you a treatment-ready view of where clinical harm, PHI exposure, and downtime can begin.
| Tier | Example Systems | Primary Impact |
|---|---|---|
| Critical Clinical | Real-time monitoring, Emergency Dept systems | Availability & Integrity |
| Standard Clinical | EHR, Laboratory, Pharmacy | Availability & Confidentiality |
| Administrative | Scheduling, Registration, Discharge | Availability |
| Business Systems | HR, Finance, Supply Chain | Confidentiality |
| Research Data | Clinical trials, Genomic databases | Confidentiality & Integrity |
Use these tiers as your starting point before scoring likelihood and impact.
Build a threat inventory around healthcare attack paths
Once scope is clear, build threat scenarios around the ways those assets could be attacked or misused. In healthcare, that often means ransomware during active patient care, insider misuse of approved access, compromised vendor connections, and medical device flaws that can affect patient safety [2].
A good way to do this is to work backward from Annex A controls and identify the threats and weaknesses those controls are meant to reduce [4].
Map each threat to confidentiality, integrity, and availability impact
For each threat scenario, assign a primary confidentiality, integrity, or availability impact. In healthcare, availability failures can directly disrupt care delivery and patient safety [2]. For connected devices and clinical systems, add patient harm to the review. That helps capture direct physical risk to patients caused by cybersecurity failures [5].
Connected devices turn cybersecurity failures into patient-safety risks.
Carry these impact ratings into Step 2, where you score and rank the risks.
2. Analyze and prioritize risks by inherent and residual risk
Use the CIA impact ratings from Step 1 to score each scenario. After you build your threat inventory, score every scenario with one repeatable method so you can compare results over time [6].
Score likelihood and impact in a repeatable way
Assign likelihood and impact values in a structured risk register. Then stick with that same scoring method for every assessment [6].
That consistency matters. If one team scores loosely and another scores more strictly, the results stop being useful. You want a method that gives you apples-to-apples comparisons each time you review risk.
Separate inherent risk from residual risk
Inherent risk is the level of risk before any controls or safeguards are applied. Residual risk is the score that remains after controls are in place. Recalculate residual risk with the same method used for the original assessment [3][6].
This distinction helps you see two things at once:
- how serious the scenario is on its own
- how much your current controls are actually doing
A risk may look severe at first glance, but the residual score can drop once strong safeguards are factored in. On the flip side, a risk that still scores high after controls needs attention fast.
Rank treatment priority as high, medium, or low
Prioritize risks using healthcare-specific criteria such as patient safety impact, clinical workflow criticality, regulatory exposure, and operational downtime [2].
| Priority | Criteria | Treatment Cadence |
|---|---|---|
| High | Direct patient-safety risk; clinical outage | Immediate mitigation; daily monitoring |
| Medium | Major workflow disruption; HIPAA/HITECH exposure | Scheduled treatment; monthly review |
| Low | Minor disruption; no ePHI or patient-safety impact | Formal acceptance or deferral |
Use the priority rank to choose the treatment option next.
3. Choose the right treatment option for each threat
Use the Step 2 ranking to pick the treatment that keeps residual risk within your acceptance criteria. Then turn that decision into controls, owners, and evidence.
Apply mitigate, avoid, transfer, or accept based on the scenario
Mitigate lowers likelihood or impact. Avoid removes the activity. Transfer shifts financial or contract exposure to a third party. Accept means keeping the risk, with written approval.
Match treatment decisions to common healthcare threats
Ransomware usually calls for mitigation. Network segmentation under ISO Control A.8.22 separates clinical systems and helps limit lateral movement. A.5.24 connects incident response with patient safety protocols [2].
Legacy medical devices are a different story. If a device can't be patched but is still needed for care, the risk may be formally accepted with compensating controls and a signed risk acceptance form from the CISO or Medical Director [2].
Third-party vendor risk management exposure often needs both mitigation and transfer. ISO Control A.5.21 sets security duties in vendor contracts, while cyber insurance shifts the financial hit [2]. If a telehealth platform doesn't meet security standards, avoidance makes more sense. Decommissioning the platform, or ending the high-risk data-sharing practice, removes the risk at the source.
Compare treatment paths before approval
Before approval, document why you chose one path over the others. Keep the comparison tied to impact, effort, and the proof you'll need.
| Treatment | Best Use in Healthcare | Expected Evidence |
|---|---|---|
| Mitigate | Ransomware segmentation; MFA for EHR access; encrypting PHI | Configuration audits, control logs, patch reports [7] |
| Avoid | Decommissioning unpatched legacy systems; ending high-risk data sharing | Decommissioning records, updated policy documentation [7] |
| Transfer | Cyber insurance; liability clauses in vendor BAAs | Insurance policies, signed contracts, SLAs [7][2] |
| Accept | Low-impact administrative risks; risks where mitigation cost exceeds potential loss | Signed Risk Acceptance Form, Risk Register entry [7] |
Once the path is chosen, Step 4 turns it into assigned controls and tracked evidence.
4. Turn treatment decisions into controls, owners, and evidence
Once you pick a treatment path, the next job is simple: make it real.
Choosing a treatment option is just the starting line. After that, you need to turn the decision into controls that auditors can check and teams can actually run day to day.
Map threats to healthcare-relevant control actions
Take each prioritized threat and translate it into a specific, named control. Then record that control in the SoA. Every control should tie back to the attack path it is meant to stop, whether that's ransomware, vendor compromise, or unauthorized PHI access.
That link matters. The control should match the original threat scenario, not just the policy bucket it seems to fit into.
For example, unauthorized PHI access can map to controls like:
- MFA
- encryption
- logging
- monitoring
- vulnerability management
Workforce-related risks usually map to role-based access, onboarding and offboarding checklists, and mandatory training. Organizational controls can cover PHI handling rules, retention and disposal workflows, and asset inventory for systems that store, process, or transmit PHI, including EHR and EMR integrations.
Clinical devices can add another layer. If patient safety is part of the risk, ownership may need to be shared with quality and regulatory teams. In every case, keep each control tied to the original threat.
Assign owners, timelines, and proof of completion
A formal Risk Treatment Plan should list the risk, the selected treatment option, the accountable owner, the target date, and the status [3].
| Treatment Area | Accountable Owner | Required Evidence |
|---|---|---|
| MFA and access controls | IT Security / Identity team | Access provisioning tickets, SSO configuration exports, access review logs |
| PHI handling policies and retention workflows | Privacy / Compliance | Approved policies, retention schedules |
| Asset inventory and data flow mapping | IT / Application owners | Asset register, data flow diagrams |
| Workforce security and training | HR / Compliance | Training completion records, onboarding/offboarding checklists |
| Vulnerability management and patching | IT Operations | Patch reports, vulnerability scan results |
| Incident response exercises | CISO / Security Operations | IR plan, tabletop exercise records |
Each row in the Risk Treatment Plan should also include a target completion date, a status, and completion criteria. Evidence should be tracked along the way, not chased down later. That includes configuration baselines, logs, tickets, patch reports, and training records.
Use centralized workflows to manage treatment at scale
Spreadsheets tend to fall apart here. Ownership gets fuzzy. Evidence ends up scattered. Review tracking slips through the cracks.
That gets messy fast in healthcare, where PHI may sit across clinical applications, medical devices, third-party vendors, and supply chains. You need a system that keeps those moving parts connected.
Censinet RiskOps™ centralizes treatment workflows, owners, and evidence across PHI systems, medical devices, clinical applications, and supply chains.
As controls are finished, record the completed control package so residual risk can be reviewed in Step 5.
5. Review residual risk, document approvals, and monitor changes
Confirm residual risk is acceptable after controls are in place
After controls are in place, check whether the treatment actually reduced exposure. Recalculate residual risk with the same scoring method from Step 2, then compare that result against your risk appetite.
This check should come from operational proof, not paperwork alone. Use operational evidence - scan results, penetration tests, access logs, system logs, change tickets, baselines, and monitoring reports - to confirm that controls are working as intended [3][6]. If residual risk still sits above your accepted threshold after controls are live, escalate it.
Document decisions, exceptions, and review cycles
Once you've validated residual risk, lock down the decision trail. Auditors want to see a clear audit trail - links between the risks you identified, the controls you applied, and proof that those controls work [6].
That trail usually runs through four core documents: the Risk Treatment Plan, the residual risk record, the Statement of Applicability (SoA), and management review minutes.
| Documentation Component | Purpose | Evidence Examples |
|---|---|---|
| Risk Treatment Plan | Selected treatment, owner, due date | Treatment option, owners, timelines, status |
| Residual Risk Record | Post-control score, sign-off | Post-control risk scores, management sign-off |
| Statement of Applicability | Included/excluded controls, rationale | Justification for control selection or exclusion |
| Management Review Minutes | Approval and resource decisions | Risk acceptance records, program update decisions |
Require risk-owner approval for both the treatment plan and the residual risk [6][8]. If someone accepts above-threshold risk, that decision needs documented business justification and risk-owner sign-off [8][3]. Those approvals should also appear in management review minutes [1][6].
Reviews need a fixed cadence. But they also need to happen right away when conditions shift - for example, when:
- a new PHI system goes live
- a vendor gets onboarded with EHR or billing access and undergoes third-party risk assessment
- a major workforce change takes place
- a security incident changes control performance
- a regulatory update changes your compliance duties [1][6]
Set automated alerts for any risk review date older than 90 days so stale entries don't give a false picture of current exposure [6].
Conclusion: The core steps of threat-centric ISO 27001 treatment
With residual risk approved, the treatment cycle is complete unless the environment changes. Threat-centric ISO 27001 treatment closes the loop: define scope, score threats, choose treatments, map controls, and keep residual risk under review as conditions shift.
FAQs
How do I write a good threat scenario?
A good threat scenario should feel grounded in how a healthcare setting actually works. That means keeping it realistic, specific, and tied to healthcare, not just describing a generic cyberattack.
Start with the assets that matter most, such as medical devices, clinical systems, and patient data. Then look at the weak spots an attacker could use, like outdated software, poor access controls, or insider access.
From there, describe a likely threat. In healthcare, that could be:
- ransomware
- phishing
- insider activity
- supply chain issues
The key is to show how the threat could take advantage of those weak points and what happens next. For example, a phishing email might give an attacker access to a clinical system, which could then lead to encrypted files, downtime, exposed patient records, or delays in care.
In short, the scenario should connect the dots between the asset, the weakness, the threat, and the impact on operations, data, or patient safety.
Who should approve residual risk?
Risk owners should approve residual risk. They need to formally accept the risk that remains and record that approval in management review meetings.
How often should I review ISO 27001 risks?
Review ISO 27001 risks on a regular schedule, most often once a year. For high-priority risks, check them more often so you can spot changes before they turn into bigger problems.
You should also reassess risks right away after any major change or event. That includes new system rollouts, process updates, or security incidents. If something shifts, your risk picture shifts too.
