ISO 27799

ISO 27799:2025 — Health informatics — Information security controls in health using ISO/IEC 27002

(third edition)

Abstract

ISO 27799:2025 "contains a set of information security controls for health organizations. It considers all the controls in ISO/IEC 27002:2022 and, in some cases, supplements the controls or provides guidance on their application in health. There are also some additional controls specific to health which are not derived from any in ISO/IEC 27002:2022."


[Source: ISO 27799:2025]

Introduction

This standard offers guidance on information security controls applicable to the health industry and medical-related organisations of various kinds - hospitals, labs, surgeries, medical insurers, medical device suppliers etc.


Information security controls are appropriate to mitigate unacceptable risks to the confidentiality, integrity and availability of:

  • Personal information, including private health information and safety-related time-sensitive information;

  • Health-related information provided by or released to third parties such as lab test results, medical histories/records and research studies;

  • Data processed by medical devices such as electronic heart monitors, pacemakers and various scanners.


Healthcare companies also face risks associated with non-health commercial information in any business, such as the information used for financial, personnel and commercial management. Furthermore, they are required to comply with various laws, regulations, standards and codes, some of which relate to information security, privacy, safety, essential infrastructure services etc. Although not explicitly excluded from the scope, such areas are not the focus of ISO 27799.

Scope

The standard helps medical/healthcare-related organisations, plus professionals working for them on information risk, security, privacy and related matters (including assurance), interpret and apply information security controls from ISO/IEC 27002 (with some extensions) plus ISO 81001-1 Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts and other cited references.

Structure

Main sections:

  • 4 - General

  • 5 - Organizational controls

  • 6 - People controls

  • 7 - Physical controls

  • 8 - Technological controls

  • Annex A - Information security controls for health reference (checklist?)

  • Annex B - Correspondence between the second and third editions of ISO 27799

  • Annex C - Information security in health organizations (overview?)

  • Annex D - Example infosec and privacy requirements (risks?) mapped to controls 

Status

The first edition was published in 2008. It was developed by ISO/TC 215 Health informatics (not ISO/IEC JTC 1/SC 27) and was based on ISO/IEC 17799:2005.


The second edition, updated to reflect ISO/IEC 27001:2013 and ISO/IEC 27002:2013, was published in 2016.


The current third edition was published in 2025. It was updated for ISO/IEC 27002:2022 and is now focused on the information security controls, omitting the ISO/IEC 27001 Information Security Management System aspects covered in the previous edition.

Commentary

Unfortunately I don't have access to the content of this standard, so have nothing substantial to add beyond the general information provided publicly on ISO.org.


However, speaking as a former pharmaceuticals infosec pro, I wonder how much of the medical supply chain is in-scope, e.g. are pharmaceutical suppliers covered, given that they accumulate, generate, process, use, manage and disclose often sensitive commercial and technical information on drugs including clinical trials, extremely valuable intellectual property and, of course, safety-critical information about drug use and efficacy? Pharmacies and pharmacists?


And as a former microbial geneticist, what about medical-related research on, say, infectious diseases such as COVID? What about public health and statistical information on disease outbreaks, 'cancer clusters', obesity etc., or the effectiveness and side effects of various treatments (not just conventional, approved drugs - 'alternative therapies' such as homeopathy, herbalism and self-administered narcotics spring to mind here)? Forensic pathology? Counselling? Rehabilitation? Smart prosthetics? Gyms and sports coaches?


And then what about animal health, e.g. veterinarians? Non-human animals' privacy may be of no concern to humans, but again there are commercial, healthcare and safety aspects.


Bottom line: this standard may have some application and value way beyond its stated scope. Maybe not. If you are involved in any way with the intersection of health and information, I suggest taking a good look at this standard.

This page last updated:

19 December 2025

© 2026 IsecT Limited 