
ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)

Abstract

“ISO 27799:2016 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s). ...”
[Source: ISO webpage for this standard]

Introduction

This standard offers guidance on information security management and information security controls in the context of the healthcare industry and medical organisations of various kinds (hospitals, laboratories, surgeries, medical insurers and so on).

Scope and purpose

The standard helps users interpret and apply the ISO/IEC 27002:2013 controls in the context of a medical/healthcare organisation.

Status of the standard

The standard was first published in 2008.

The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and ISO/IEC 27002, was published in 2016.

It has been proposed to adopt this standard formally into the ISO27k family as a sector-specific standard under SC 27.

Personal comments

This standard was developed and published by ISO technical committee TC 215, responsible for health informatics, rather than JTC 1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it makes little difference to users either way.

Whereas the stated scope is health, the standard has value beyond the intended audience. For example, the advice on defining the scope, analysing gaps and establishing an Information Security Management Forum would apply to many organisations from other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002. Even governance merits a few mentions.

The standard reads like an implementation guideline or book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom. The style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!

Copyright © 2022 IsecT Ltd.