ISO/IEC 27799
ISO 27799:2016 — Health informatics — Information security management in health using ISO/IEC 27002
(second edition)
Abstract
“ISO 27799:2016 gives guidelines for organisational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organisation's information security risk environment(s). ...”
[Source: ISO 27799:2016]
Introduction
This standard offers guidance on information security management and information security controls in the context of the healthcare industry and medical organisations of various kinds: hospitals, laboratories, surgeries, medical insurers and so on.
Scope
The standard helps medical/healthcare organisations interpret and apply the ISO/IEC 27002:2013 information security controls.
Structure
Main sections:
5: Information security policies
6: Organization of information security
7: Human resource security
8: Asset management
9: Access control
10: Cryptography
11: Physical and environmental security
12: Operations security
13: Communications security
14: System acquisition, development and maintenance
15: Supplier relationships
16: Information security incident management
17: Information security aspects of business continuity management
18: Compliance
Annex A: Threats to health information security
Annex B: Practical action plan for implementing ISO/IEC 27002 in healthcare
Annex C: Checklist for conformance to ISO 27799
Status
The first edition was published in 2008.
The second edition, updated to reflect the 2013 releases of ISO/IEC 27001 and ISO/IEC 27002, was published in 2016.
The third edition is in preparation, following the release of ISO/IEC 27002:2022. It is at Final Draft International Standard (FDIS) stage and may be published later in 2025 under a new title: "Information security controls in health based on ISO/IEC 27002".
Commentary
This standard was developed and published by ISO technical committee TC 215, responsible for health informatics, rather than by JTC 1/SC 27, the joint ISO + IEC committee responsible for the ISO27k standards. Whether ISO 27799 is strictly a part of the ISO/IEC 27000 series is a moot point: it makes little difference to users either way.
Although the stated scope is health, the standard has value beyond its intended audience. For example, the advice on defining the scope, analysing gaps and establishing an Information Security Management Forum would apply to many organisations in other industry sectors implementing ISO27k. The advice on risk management draws heavily on ISO/IEC TR 13335 and goes beyond that provided in ISO/IEC 27002:2013. Even governance merits a few mentions.
The standard reads like an implementation guideline/book, something an experienced consultant might espouse. It offers pragmatic advice - nuggets of wisdom. The style is quite verbose, at one point stating that implementing ISO/IEC 27002 is not simply a matter of following a checklist. How true!
