ISO 27001 vs HIPAA: Key Differences and How They Overlap

Team CertBetter

Why This Comparison Matters More Than Ever

If your organisation handles health information in any capacity, you have almost certainly encountered both ISO 27001 and HIPAA in the same conversation. Maybe a US-based client asked whether your ISO 27001 certification covers their HIPAA obligations. Maybe your legal team flagged that you need both. Or maybe you are simply trying to figure out which one to prioritise and whether pursuing one makes the other easier.

This is one of the most common questions I get from businesses operating across borders, particularly Australian and global organisations that handle US patient data or work with American healthcare providers. The short answer is that ISO 27001 and HIPAA are not the same thing and do not replace each other, but they share enough common ground that a well-implemented ISO 27001 system gives you a genuine head start on HIPAA compliance. Let me walk you through the key differences, where they overlap, and what that means practically for your business.

What Is ISO 27001?

ISO 27001 is an internationally recognised standard for information security management systems, published by the International Organization for Standardization. It provides a framework for identifying, assessing, and treating information security risks across an entire organisation. Certification is voluntary, and it is awarded by accredited third-party certification bodies after a formal audit process.

The standard applies to any organisation, in any industry, anywhere in the world. It does not care whether you handle medical records, financial data, or intellectual property. Its scope is information security broadly defined, which is both its strength and its limitation when you are trying to meet a specific regulatory requirement like HIPAA.

If you want a solid foundation for what the standard actually requires, our beginner's guide to ISO 27001 covers the core structure and Annex A controls in plain language.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a United States federal law enacted in 1996. The Privacy Rule and Security Rule under HIPAA set specific requirements for how covered entities and their business associates must handle protected health information, known as PHI.

HIPAA is not a certification standard. There is no accredited certification body that issues a HIPAA certificate the way a certification body issues an ISO 27001 certificate. Instead, HIPAA compliance is a legal obligation enforced by the US Department of Health and Human Services Office for Civil Rights. Non-compliance can result in civil penalties, criminal charges, and reputational damage that can be severe.

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. If you are an Australian software company that processes US patient data on behalf of an American hospital, you are a business associate and HIPAA applies to you, regardless of where your servers are located.

The Core Differences Between ISO 27001 and HIPAA

Scope and Applicability

ISO 27001 is a voluntary international standard that any organisation can pursue. HIPAA is a mandatory US federal law that applies to specific categories of organisations based on the type of data they handle and their relationship to the US healthcare system. You choose ISO 27001. HIPAA chooses you.

This is the most fundamental difference. ISO 27001 certification demonstrates that you have built and maintain an information security management system that meets the standard's requirements. HIPAA compliance demonstrates that you meet specific legal obligations around protected health information. One is a framework you adopt, the other is a law you must follow.

Certification vs Compliance

ISO 27001 results in a formal certificate issued by an accredited certification body, valid for three years with annual surveillance audits. You can display that certificate, include it in tender responses, and use it to demonstrate your security posture to clients and partners.

HIPAA has no equivalent certificate. Some organisations undergo third-party HIPAA assessments and receive a report or attestation, but this is not a formal certification recognised by regulators. The Office for Civil Rights does not maintain a list of certified organisations. Compliance is demonstrated through documentation, policies, training records, risk assessments, and your ability to respond to a breach or audit investigation.

Specificity of Requirements

HIPAA is far more prescriptive about certain things, particularly around protected health information. The Security Rule specifies required and addressable implementation specifications. Required specifications must be implemented. Addressable specifications must be implemented where reasonable and appropriate; otherwise you must document why not and, where appropriate, adopt an equivalent alternative measure instead.

ISO 27001 takes a risk-based approach. Annex A contains 93 controls across four themes in the 2022 version of the standard, but you do not have to implement all of them. You select controls based on your risk assessment and document your reasoning in a Statement of Applicability. This gives you more flexibility but also more responsibility to justify your decisions.

Geography and Legal Force

ISO 27001 is globally recognised and carries commercial weight in procurement, tendering, and client relationships across Australia, Europe, Asia, and beyond. HIPAA is a US law. Outside the United States, it has no direct legal force, but it absolutely affects non-US organisations that handle US patient data through contractual obligations, specifically Business Associate Agreements.

Where ISO 27001 and HIPAA Genuinely Overlap

Despite their differences, the two frameworks share significant common ground. This is good news if you are implementing one and need to satisfy the other, because the work is not entirely duplicated.

Risk Assessment

Both frameworks require a formal risk assessment process. ISO 27001 requires you to identify information security risks, assess their likelihood and impact, and implement controls to treat them. HIPAA's Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.

The terminology differs, but the underlying activity is very similar. An ISO 27001 risk assessment that includes PHI in its scope will satisfy a significant portion of HIPAA's risk analysis requirement. The key is ensuring your risk assessment explicitly addresses PHI and the specific threats relevant to health information.

Access Controls

Both frameworks require organisations to restrict access to sensitive information based on business need. ISO 27001 Annex A Control 5.15 covers information access control, and Control 5.18 covers access rights. HIPAA's Security Rule requires unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of electronic PHI; the first two are required specifications, the latter two are addressable, so if you do not implement them you must document the reasoning.

If you have implemented ISO 27001 access controls properly, you will have most of the technical groundwork in place for HIPAA's access control requirements. The gap is usually in the specificity around PHI, for example, ensuring audit logs capture access to health records specifically, not just general system access.

Incident Response

ISO 27001 requires an information security incident management process, including detection, reporting, assessment, and response to incidents. HIPAA has a Breach Notification Rule that requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media, within specific timeframes following a breach of unsecured PHI.

Your ISO 27001 incident response procedures provide the operational backbone for HIPAA breach response. However, you will need to layer HIPAA-specific notification requirements on top, including the 60-day notification window and the specific content requirements for breach notifications.

Physical Security

Both frameworks address physical security controls. ISO 27001 Annex A includes controls around physical access to facilities, equipment security, and clear desk policies. HIPAA's Physical Safeguards cover facility access controls, workstation use, workstation security, and device and media controls.

Again, the overlap is substantial. An organisation that has implemented ISO 27001 physical controls will have addressed most of HIPAA's Physical Safeguards requirements, though the documentation needs to explicitly reference PHI to satisfy HIPAA auditors.

Supplier and Third-Party Management

ISO 27001 requires you to manage information security risks in your supply chain and with third-party service providers. HIPAA requires covered entities to execute Business Associate Agreements with any third party that creates, receives, maintains, or transmits PHI on their behalf.

If you have a mature ISO 27001 supplier management process, you already have a mechanism for assessing and managing third-party security. Mapping your supplier controls to HIPAA's Business Associate Agreement requirements is a logical extension of that work.

Where the Gaps Are: What ISO 27001 Does Not Cover

This is the part that trips people up. Achieving ISO 27001 certification does not make you HIPAA compliant. The frameworks are complementary, not equivalent. Here are the areas where ISO 27001 certification alone leaves you exposed from a HIPAA perspective.

Privacy Rule Requirements

HIPAA's Privacy Rule goes well beyond information security. It governs how PHI can be used and disclosed, patients' rights to access their own records, the minimum necessary standard for PHI use, and specific requirements around authorisations and notices of privacy practices. ISO 27001 does not address patient rights or the legal basis for processing health information. If you need privacy controls specifically, ISO 27701 is a better companion standard for that gap.

Breach Notification Specifics

HIPAA's Breach Notification Rule has very specific timelines and content requirements that go beyond what ISO 27001 mandates. The 60-day notification window, the requirement to notify HHS, and the media notification threshold for breaches affecting more than 500 residents of a state are all HIPAA-specific obligations that need to be documented separately.

Minimum Necessary Standard

HIPAA requires that access to PHI be limited to the minimum necessary to accomplish the intended purpose. While ISO 27001 access controls align with this principle, the specific documentation and policy requirements under HIPAA are more detailed and need to be addressed explicitly.

Employee Training on PHI

Both frameworks require security awareness training, but HIPAA requires training that is specific to PHI handling, privacy rights, and the consequences of non-compliance under US law. Your ISO 27001 training programme will need to be supplemented with HIPAA-specific content if you handle PHI.

A Practical Approach for Businesses Navigating Both

If you are starting from scratch, pursue ISO 27001 first. It gives you the management system infrastructure, the risk assessment methodology, the documentation framework, and the control library that will make your HIPAA compliance programme significantly easier to build. Think of ISO 27001 as the foundation and HIPAA as a specialist layer on top.

If you are already ISO 27001 certified and need to demonstrate HIPAA compliance, start with a gap analysis that maps your existing controls against HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule. You will find that a large portion of the Security Rule is already addressed. The gaps will typically be in the Privacy Rule, breach notification specifics, and PHI-specific documentation.

One important practical note: your Statement of Applicability under ISO 27001 is a powerful tool here. If you have explicitly scoped PHI into your ISMS and documented your control decisions with HIPAA in mind, you have already created a document that supports HIPAA compliance demonstrations.

For organisations that are genuinely handling US patient data, I strongly recommend getting a formal HIPAA risk analysis conducted by a specialist, separate from your ISO 27001 certification audit. The two processes serve different purposes and a certification auditor is not assessing HIPAA compliance. According to the HHS guidance on HIPAA Security Rule implementation, the risk analysis must be thorough and accurate, which requires explicit attention to PHI-specific threats and vulnerabilities.

Understanding how integrated management systems work can also help you see how ISO 27001 and HIPAA fit together operationally. Our guide to integrated management systems explains how to run multiple frameworks under a single management system without duplicating effort.

Which One Should You Pursue First?

The answer depends on your situation. If you are an Australian business that handles US patient data and your US client is asking for HIPAA compliance, you need to address HIPAA regardless of your ISO status. If you are building your information security posture from the ground up and want a globally recognised certification that also positions you well for HIPAA, start with ISO 27001.

If you are a healthcare technology company targeting the US market, you will likely need both. ISO 27001 certification gives you credibility with enterprise buyers globally. HIPAA compliance is a legal requirement for operating in the US health sector. They are not either-or choices for most organisations in that space.

The cost of ISO 27001 certification is a real consideration. Our detailed breakdown of ISO 27001 certification costs in Australia gives you realistic figures based on actual provider quotes, which is useful when you are planning a compliance budget that may also need to accommodate HIPAA assessment costs.

Getting the Right Help

The biggest mistake I see organisations make is assuming that their ISO 27001 consultant also understands HIPAA, or that their HIPAA specialist understands ISO 27001. These are different disciplines. When you are working across both frameworks, you need either a consultant with genuine expertise in both, or two specialists who communicate with each other.

If you are at the stage of finding the right ISO 27001 consultant or certification body, CertBetter makes that process straightforward. You submit one form and receive up to three competing quotes from vetted providers who have been assessed for their credentials and experience. It is free to use and takes about two minutes. Whether you are starting your ISO 27001 journey or looking to switch providers ahead of a recertification, it is worth getting a few quotes before you commit.


Frequently Asked Questions

No. ISO 27001 certification demonstrates that you have a functioning information security management system that meets the standard's requirements, but it does not satisfy HIPAA's specific legal obligations. HIPAA's Privacy Rule, Breach Notification Rule, and PHI-specific requirements go beyond what ISO 27001 covers. That said, a well-implemented ISO 27001 system significantly reduces the gap and gives you a strong foundation to build HIPAA compliance on top of.

Yes, if you handle US protected health information. HIPAA applies based on the type of data you handle and your relationship to the US healthcare system, not your physical location. If you are an Australian company that processes, stores, or transmits US patient data on behalf of a US covered entity, you are a business associate and HIPAA obligations apply to you. You will typically be required to sign a Business Associate Agreement with your US client.

No. HIPAA is a US federal law, not a certifiable standard. There is no accredited certification body that issues a HIPAA certificate. Some organisations undergo third-party HIPAA assessments and receive a report or attestation, but this is not a formal certification. ISO 27001, by contrast, results in a formal certificate issued by an accredited certification body following a structured audit process.

ISO 27001 is the most directly relevant because it addresses information security management broadly. ISO 27701, which is a privacy extension to ISO 27001, is also highly relevant because it addresses privacy information management and maps well to HIPAA's Privacy Rule requirements. For organisations that store PHI in the cloud, ISO 27018, which covers protection of personally identifiable information in cloud environments, is also worth considering as part of your compliance architecture.

ISO 27001 certification typically takes between six and twelve months for most organisations, depending on size, complexity, and the maturity of your existing security controls. If you are working toward HIPAA compliance at the same time, the processes can be run in parallel because the risk assessment and control implementation work overlaps significantly. The key is scoping your ISO 27001 implementation to explicitly include PHI from the outset, so the work you do for the standard also contributes to your HIPAA documentation. Our detailed article on how long ISO 27001 certification takes covers the timeline in more detail.

ISO 27001 certification and HIPAA compliance are assessed by completely separate bodies using different criteria. Being ISO 27001 certified provides no legal protection against HIPAA enforcement action. If the Office for Civil Rights investigates a breach or complaint and finds that your PHI handling did not meet HIPAA requirements, your ISO certificate is not a defence. It may demonstrate good faith effort in some contexts, but it does not substitute for actual HIPAA compliance. This is why treating the two frameworks as complementary rather than interchangeable is so important.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
