At a Glance
| | |
|---|---|
| Sector | Healthcare Technology (SaaS, clinical AI) |
| Starting point | Zero formal security programme: no policies, no controls documentation, no privacy framework, AI systems in production with no governance |
| Timeline | 10 weeks to an integrated management system across all three frameworks |
| Frameworks | Essential Eight (ML2), ISO 27701:2019, ISO 42001:2023 |
| Environment | Microsoft 365 (SharePoint, Intune, Defender, Entra ID, Purview) |
The Challenge
The organisation had built a genuinely strong clinical product — but security, privacy, and AI governance had not kept pace with growth. As the business moved toward enterprise health system contracts, three procurement requirements landed almost simultaneously:
- Essential Eight ML2 — required by the health system’s IT security policy for all software vendors handling clinical data
- ISO 27701 (Privacy) — required to demonstrate compliance with the Australian Privacy Act, My Health Records Act, and the health system’s own privacy obligations
- AI governance evidence — required following the health system’s own ISO 42001 implementation, which had created supply chain obligations for AI-enabled vendors
The compounding challenge: a health system procuring a clinical AI platform wasn’t going to accept three separate documentation packs — they needed to see an integrated, coherent governance posture.
The starting point was stark:
- No security policies, no risk register, no control documentation
- AI models in production with no inventory, risk assessment, or oversight framework
- Personal health information being processed with no DPIA, no ROPA, and no data rights workflow
- No incident response procedure
- Essential Eight maturity at ML0 across most controls
Our Approach
The only viable path to the 10-week objective was integration from the start — building a single management system where the shared infrastructure (scope, risk, evidence, governance) served all three frameworks simultaneously.
1. Integrated scope and governance (weeks 1–2)
Defined a single management system scope covering cyber security, privacy, and AI governance. Established the policy hierarchy, leadership roles, and operating cadences that would underpin all three frameworks — with a shared risk register and evidence repository.
2. Essential Eight uplift (weeks 2–6)
Assessed current maturity against ASD’s ML2 criteria across all eight controls. Implemented in sequence using the existing Microsoft 365 environment:
- MFA — Conditional Access policies deployed, phishing-resistant methods for privileged accounts
- Patch management (applications and operating systems) — Defender Vulnerability Management onboarded, patching cadence formalised
- Application control — WDAC policies authored and deployed via Intune in audit-then-enforce mode
- Admin privileges — Entra PIM configured, Windows LAPS deployed for local admin rotation
- Office macro restrictions — Intune ADMX profiles deployed, Defender ASR rules enforced
- User application hardening — Edge, Office, and Adobe hardening profiles via Intune
- Backups — M365 backup tooling deployed, immutable retention configured, restore tested
Evidence packs assembled against ASD ML2 criteria for each control milestone.
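The application control step above relies on running WDAC in audit mode first, then reviewing what the policy would have blocked before switching it to enforce. The script below is an added example (not the case study's own tooling) of that triage: it reads an export of Code Integrity events and buckets each audit hit as either an expected block or a candidate for an allow rule. Event IDs 3076 (audit mode, would have been blocked) and 3077 (enforce mode, blocked) are the real Windows Code Integrity event IDs; the CSV column layout, the policy names and the file paths are constructed for this example and do not reflect the event log's actual XML schema.

```python
"""Triage WDAC audit-mode events before switching a policy to enforce.

Added example, not code from the original case study. Assumes the
Microsoft-Windows-CodeIntegrity/Operational log has been exported to a
simplified CSV (column layout is this example's own choice).
"""
import csv
import io
from collections import Counter

AUDIT_EVENT_ID = 3076    # audit mode: file would have been blocked
ENFORCE_EVENT_ID = 3077  # enforce mode: file was actually blocked

# Locations an ordinary user can write to; execution from here is what
# application control is meant to stop, so hits here stay blocked.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Constructed sample export (not real telemetry).
SAMPLE_EXPORT = """\
time,event_id,file_path,process_name,policy_name
2024-05-01T09:12:03,3076,C:\\Users\\jdoe\\AppData\\Local\\Temp\\installer.exe,explorer.exe,ClinicalWorkstation-Audit
2024-05-01T09:15:44,3076,C:\\Program Files\\Vendor\\clinic.exe,explorer.exe,ClinicalWorkstation-Audit
2024-05-01T10:02:10,3076,C:\\Users\\jdoe\\AppData\\Local\\Temp\\installer.exe,cmd.exe,ClinicalWorkstation-Audit
2024-05-01T10:30:00,3076,C:\\ProgramData\\Vendor\\updater.exe,services.exe,ClinicalWorkstation-Audit
2024-05-01T11:00:00,3077,C:\\Users\\jdoe\\Downloads\\tool.exe,explorer.exe,ClinicalWorkstation-Enforce
2024-05-01T11:05:00,3076,C:\\Windows\\Temp\\setup.exe,msiexec.exe,Servers-Audit
"""


def parse_events(csv_text):
    """Parse the CSV export into a list of dicts with a numeric event_id."""
    reader = csv.DictReader(io.StringIO(csv_text))
    events = []
    for row in reader:
        events.append({
            "time": row["time"],
            "event_id": int(row["event_id"]),
            "file_path": row["file_path"],
            "process_name": row["process_name"],
            "policy_name": row["policy_name"],
        })
    return events


def audit_hits(events, policy_name):
    """Count audit-mode hits per file path for one named policy.

    Enforce-mode blocks (3077) and other policies are deliberately excluded:
    the question is what *this* policy would break if enforced today.
    """
    counts = Counter()
    for event in events:
        if event["event_id"] == AUDIT_EVENT_ID and event["policy_name"] == policy_name:
            counts[event["file_path"]] += 1
    return counts


def triage(path):
    """Rough bucket: user-writable paths are expected blocks, anything else
    needs a human to decide whether a publisher or path rule is warranted."""
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        return "expected-block"
    return "review-for-allow-rule"


def enforcement_report(events, policy_name):
    """Group audit hits by triage bucket, most frequent paths first."""
    report = {"expected-block": [], "review-for-allow-rule": []}
    for path, count in sorted(audit_hits(events, policy_name).items(),
                              key=lambda item: -item[1]):
        report[triage(path)].append((path, count))
    return report


if __name__ == "__main__":
    sample = parse_events(SAMPLE_EXPORT)
    for bucket, entries in enforcement_report(sample, "ClinicalWorkstation-Audit").items():
        print(bucket)
        for path, count in entries:
            print(f"  {count:>3}  {path}")
```

The "review-for-allow-rule" bucket is the pre-enforcement worklist: each entry is either signed software that should be covered by a publisher rule, or something that should not be running on a clinical workstation at all. Nothing in the "expected-block" bucket needs a rule change; those events become the baseline for what the enforced policy will report as 3077 blocks.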
3. ISO 27701 privacy framework (weeks 3–7)
Built the Privacy Information Management System on top of the ISMS foundation:
- AI model and system data flows mapped and documented
- DPIA conducted for high-risk processing activities (AI-assisted clinical decision support)
- ROPA established covering all personal information processing activities
- Data rights workflow built in Microsoft 365 for access, correction, and deletion requests
- Third-party privacy risk assessments completed for cloud infrastructure and clinical data processors
4. ISO 42001 AI governance (weeks 4–8)
Implemented an AI Management System covering the clinical AI systems in production:
- AI model inventory compiled — all production models, training datasets, versions, and risk tier
- AI risk and impact assessments conducted for clinical decision support features
- Human oversight model defined — clinical review thresholds, escalation paths, and override procedures
- Monitoring programme established — model performance, drift detection, incident logging
- AI governance policy and acceptable use framework documented
The AIMS was integrated with the ISMS and PIMS — shared risk register, shared evidence infrastructure, single management review.
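The monitoring programme above names drift detection as one of its controls without saying how a drift signal is produced. The block below is an added example (not the case study's or the client's monitoring code) of one common approach: a population stability index (PSI) comparing the distribution of a model's output scores at validation time against a recent production window. The score values, bin edges and the 0.2 alert threshold are constructed for this example; the threshold in particular is a widely used rule of thumb, not a value taken from the page.

```python
"""Score-distribution drift check for a deployed model (added example).

Computes the population stability index (PSI) between a baseline score
sample and a current production sample, and returns a record that a
monitoring programme could write to its incident log when the index
crosses the alert threshold. All inputs below are constructed.
"""
import math

# Rule-of-thumb alert threshold (assumption for this example): PSI above 0.2
# is commonly treated as a significant distribution shift.
DRIFT_THRESHOLD = 0.2

# Bin edges over the model's [0, 1] score range; constructed for this example.
SCORE_BINS = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]


def histogram(values, edges):
    """Count values into half-open bins [edges[i], edges[i+1]); the last bin
    also includes the upper edge so a score of exactly 1.0 is not dropped."""
    counts = [0] * (len(edges) - 1)
    last = len(edges) - 2
    for v in values:
        for i in range(len(edges) - 1):
            if edges[i] <= v < edges[i + 1] or (i == last and v == edges[-1]):
                counts[i] += 1
                break
    return counts


def psi(baseline, current, edges, eps=1e-6):
    """PSI = sum over bins of (p_cur - p_base) * ln(p_cur / p_base).

    eps floors empty bins so the logarithm stays finite; an empty bin that
    was populated at baseline then contributes a large, not infinite, term.
    """
    base_counts = histogram(baseline, edges)
    cur_counts = histogram(current, edges)
    n_base, n_cur = sum(base_counts), sum(cur_counts)
    total = 0.0
    for b, c in zip(base_counts, cur_counts):
        p_base = max(b / n_base, eps)
        p_cur = max(c / n_cur, eps)
        total += (p_cur - p_base) * math.log(p_cur / p_base)
    return total


def drift_check(model_id, baseline, current, edges=SCORE_BINS, threshold=DRIFT_THRESHOLD):
    """Return an incident-log style record; 'drift' is True when PSI exceeds the threshold."""
    value = psi(baseline, current, edges)
    return {
        "model_id": model_id,
        "psi": round(value, 4),
        "threshold": threshold,
        "drift": value > threshold,
        "baseline_n": len(baseline),
        "current_n": len(current),
    }


# Constructed samples: baseline spread evenly over five bins, one production
# window that looks the same, and one where scores have shifted upward.
BASELINE = [0.1] * 10 + [0.3] * 10 + [0.5] * 10 + [0.7] * 10 + [0.9] * 10
STABLE_WINDOW = [0.1] * 9 + [0.3] * 11 + [0.5] * 10 + [0.7] * 10 + [0.9] * 10
SHIFTED_WINDOW = [0.5] * 10 + [0.7] * 20 + [0.9] * 20

if __name__ == "__main__":
    print(drift_check("triage-risk-v3", BASELINE, STABLE_WINDOW))
    print(drift_check("triage-risk-v3", BASELINE, SHIFTED_WINDOW))
```

In a clinical setting the drift record is the trigger, not the decision: the human oversight model decides whether a flagged shift reflects a changed patient population, an upstream data pipeline fault, or a model that needs re-validation before it continues to inform clinical decisions.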
5. Integration and audit readiness (weeks 8–10)
Consolidated the three management systems into a single audit-ready structure. Conducted an integrated internal audit. Prepared the evidence pack for the health system’s vendor assessment — structured to answer all three sets of requirements from a single document set.
Results
All three frameworks delivered in 10 weeks — Essential Eight ML2, ISO 27701, and ISO 42001 — in an integrated management system that answered the procurement team’s requirements without multiple rounds of back-and-forth.
The enterprise health system contract proceeded to execution. Additional outcomes:
- The governance infrastructure could be maintained by a lean team without ongoing external dependency — evidence collection automated in Microsoft 365
- The integrated management system was structured to scale as new AI models were deployed and the client base grew
- The AI risk assessment process identified one model feature requiring additional clinical oversight controls before deployment — caught during the governance programme, not after a procurement query
Key Deliverables
- Integrated management system scope, policy hierarchy, and governance cadence
- Essential Eight ML2 evidence packs across all eight controls, indexed against ASD criteria
- AI model inventory, risk and impact assessments, and oversight framework
- DPIA for high-risk AI-assisted clinical processing
- ROPA covering all personal information processing activities
- Data rights workflow in Microsoft 365
- Third-party privacy risk assessments for critical data processors
- Integrated internal audit report covering all three frameworks
- Vendor assessment evidence pack structured for health system procurement review
The Bottom Line
Enterprise health system procurement doesn’t wait for vendors to mature their governance programmes sequentially. When three framework requirements arrive simultaneously, the only viable response is an integrated programme that builds the shared infrastructure once and lets each framework draw from it.
10 weeks. From zero. No existing tools replaced, no team disruption beyond what was necessary — and three enterprise framework requirements answered with a single, coherent governance posture.