ISO 27799


ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002 (second edition)



“ISO 27799:2016 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s). ...”
[Source: ISO 27799:2016]


This standard offers guidance on information security management and information security controls in the context of the healthcare industry and medical organisations of various kinds: hospitals, labs, surgeries, medical insurers etc.


Scope and purpose

The standard helps users interpret and apply the ISO/IEC 27002:2013 controls in the context of a medical/healthcare organisation.


Status of the standard

The standard was first published in 2008.

The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and ’27002, was published in 2016.

The third edition is now under development following the release of ISO/IEC 27002:2022.


Personal comments

This standard was developed and published by ISO technical committee TC 215, responsible for health informatics, rather than JTC 1/SC 27, the joint ISO + IEC committee responsible for ISO27k. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series standards is a moot point: it makes little difference to users either way.

Although the stated scope is health, the standard has value beyond its intended audience. For example, its advice on defining the scope, analysing gaps and establishing an Information Security Management Forum would apply to many organisations in other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002:2013. Even governance merits a few mentions.

The standard reads like an implementation guideline or book, the kind of thing an experienced consultant might espouse. It offers pragmatic advice: nuggets of wisdom. The style is quite verbose. At one point it states that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!




Copyright © 2024 IsecT Ltd