HIPAA vs ISO 27001: What’s the Difference?

What’s the difference between HIPAA and ISO 27001? We know that comparing infosec acronyms seems like comparing apples and oranges but HIPAA vs ISO 27001 is actually a really cool comparison! Don’t believe us? See for yourself.



What do you call a provider if they have violated patient confidentiality? HIPAAcrit! You could also say they’re in big trouble because they broke the law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law in the United States overseeing the privacy and security of protected health information (PHI). PHI is essential stuff like names, telephone numbers, license plates or addresses. Essentially anything that could personally identify an individual is considered digital gold by bad actors! So HIPAA states that covered entities put all possible safeguards in place. 

Covered entities and business associates include: 

  • Health insurers like health insurance companies, company health plans, etc.
  • Healthcare providers like doctors, clinics, dentists, chiropractors, pharmacies, etc.
  • Healthcare entities that process nonstandard health information which they receive from another entity into a standard format

… in other words, any organization that comes in contact with patients’ PHI. 



Do you get to pick which laws apply to you? No, and HIPAA is no exception. This is why responsible organizations bake HIPAA into their business as usual activities. Those who don’t take it seriously face hardy fines and are featured on the “Wall of Shame.” You can’t put a price on irreparable damage to your reputation.


The Process of HIPAA Certification

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) enforces steep penalties for HIPAA violations but there is no certification body for HIPAA. Because HIPAA is law, it’s not auditable or certifiable. However, the law’s security rule includes an evaluation standard requiring organizations to perform periodic technical and nontechnical evaluations. It’s how businesses prove and ensure compliance. 

What do you call someone excited about HIPAA knowledge? HIPAA-go-lucky! Learn about HIPAA vs HITRUST, SOC 2 vs HIPAA and HIPAA vs GDPR too!


What Is ISO 27001

The International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), publishes Information technology — Security techniques — Information security management systems — Requirements. It documents requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS).

ISO 27001 protects three aspects of information:

  • Confidentiality
  • Integrity
  • Availability

Basically, ISO 27001 ensures that only authorized individuals have the right to access and change information and that it’s accessible to them whenever it is needed.


Why ISO 27001

ISO 27001 is kind of a big deal! ISO 27001 is one of the most widely recognized, internationally accepted independent security standards globally. Any organization that wants to formalize and improve its processes around guarding data assets can work towards compliance. While ISO 27001 is optional, some vendors may require companies to attain certification before working with them. Any organization that collects sensitive information, small or large, government or private, profit or non-profit, can advance their business from ISO certification. 


Process of ISO 27001 Certification

Similar to SOC 2, an accredited certification body independently performs audits. To achieve certification, auditors carefully look at your ISMS, evaluating how you implemented several critical items. 

To gain your ISO 27001 certification, you’ll complete a two-stage external audit:

  • Stage 1 is a preliminary, informal/desktop review of your ISMS. Auditors generally look over whether your organization has established the ISMS by auditing the mandatory clauses and verifying your InfoSec policies against ISO 27001 requirements, Statement of Applicability (SoA), and Risk Treatment Plan (RTP). 
  • Stage 2 is a formal compliance audit. Auditors revisit your policies and test appropriate ISMS controls listed in the SoA against ISO 27001 requirements. And they collect evidence validating your management system is appropriately designed and implemented. 

Passing stage 2 results in ISO 27001 certification! But, what do you call tears from getting too many non-conformances on an ISO 27001 audit? ISOB! Here, you can learn more about the ISO 27001 process and non-conformances in our IS0 27001 Bootcamp without the lame jokes.   

ISO 27001 certification is accurate for three years, and companies must do surveillance audits for two years. And in year three, they’ll complete a recertification audit. So this circle of ISO compliance continues as long as you wish to prove compliance. 

If you’re ISO (In Search Of) more ISO 27001 because you’re wisdom is only ISO-SO, check out What Is ISO 27001 CertificationNIST vs ISO and ISO 27001 vs SOC 2

More Certifications, Less Work

Find out how to leverage your existing InfoSec program to get compliant with new frameworks faster.

Find Framework Overlaps

Differences Between HIPAA vs ISO 27001

Let’s start with the most noticeable difference between HIPAA and ISO 27001. HIPAA is a law legislating protection for sensitive health and patient data only in the United States for health organizations. ISO 27001 is an optional standard for information security management and applies to any industry, regardless of geographic location. Now that that’s out of the way let’s look closely at the differences.


HIPAA vs ISO 27001: Cost

Estimating costs for implementing any security framework is complicated. This is because so many variables factor into the bottom line. But, generally, the smaller and more sophisticated your business is, the less expensive it’ll be. This estimate represents a best-case HIPAA scenario for a startup, but $4000 – $12,000. And that’s only for small covered entities or business associates. So the actual cost is likely higher. 

ISO 27001 is a multi-stage process and maintaining compliance comes with an ongoing cost. We have a blog deep-diving into how much ISO 27001 costs, but regardless of how you tackle ISO 27001 (in-house, consultant or software like Tugboat Logic), your starting costs range from $43,000 to $66,000! 


HIPAA vs ISO 27001: Function

HIPAA and ISO 27001 might protect some of the same data (more on that below), but compliance with one does not mean compliance with both. ISO 27001 does not have some necessary controls to handle specific HIPAA requirements, like privacy-related controls. Why? ISO 27001 protects all data, while HIPAA explicitly applies to the protection of PHI.


Similarities Between HIPAA vs ISO 27001

HIPAA and ISO 27001 are complementary infosec frameworks and function well together. Having both standards creates an undeniably strong security posture, signaling to others that they’d be aligned with a trustworthy organization.

ISO 27001 consists of 114 security controls and over 40 comply with HIPAA requirements. For example, both frameworks require security awareness training. The langue used by each framework is different, but the actionable items are the same. Create an awareness training plan and roll it out to all employees regularly.

Fun fact: This blog is based on ISO27001:2013 but ISO just released ISO27002:2022, which is guidance for ISO27001:2022 publishing in the next few months, and it has 93 controls in common with HIPAA!  


How Tugboat Logic Can Help

There’s no doubt that ISO 27001 compliance will help HIPAA compliance efforts, but they’re very different infosec frameworks. Tugboat Logic can help with ISO 27001 and HIPAA compliance without duplicating work. So, if you’re looking more in-depth understanding of HIPAA or ISO 27001, connect with one of our experts today. Or, maybe you already know the ins and outs of HIPAA vs ISO 27001 and a free trial of our product is more your speed. Either way, we are here to help, so feel free to reach out for more information.

More Certifications, Less Work

Find out how to leverage your existing InfoSec program to get compliant with new frameworks faster.

Find Framework Overlaps