ISO 27799

ISO 27799 is an international standard for information security
management in the healthcare industry. It provides guidelines for
establishing, implementing, maintaining, and continually improving an
information security management system (ISMS) specifically for
healthcare organizations. The standard is based on the ISO 27001
standard, but includes additional requirements and controls that are
specific to the healthcare industry.

ISO 27799 covers the protection of sensitive healthcare information,
including personal health information (PHI), electronic health records
(EHRs), and medical images. It includes requirements for risk assessment,
incident management, business continuity management, and compliance
with legal and regulatory requirements.

The standard includes controls for:

- Access control
- Network security
- Mobile device security
- Incident management
- Business continuity management
- Compliance with legal and regulatory requirements

ISO 27799 is intended to help healthcare organizations protect sensitive
patient information and comply with relevant regulations and laws, such as
the Health Insurance Portability and Accountability Act (HIPAA) and the
General Data Protection Regulation (GDPR). Compliance with the
standard can also help organizations protect their reputation,
demonstrate their commitment to information security, and provide
assurance to their patients, customers, and other stakeholders.

Like ISO 27001, the certification process for ISO 27799 includes an initial
assessment followed by surveillance audits to ensure that the organization
continues to meet the requirements of the standard. Organizations can
achieve certification to ISO 27799 by demonstrating that their ISMS meets
the requirements of the standard and passing an assessment by an
accredited certification body.