ISO 27799-2025 PDF

St ISO 27799-2025

Name in English:
St ISO 27799-2025

Name in Russian:
Ст ISO 27799-2025

Description in English:

Original standard ISO 27799-2025 in PDF full version. Additional info + preview on request

Description in Russian:
Original ISO 27799-2025 standard in PDF, full version. Additional info + preview on request. (Russian description, translated.)
Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso34790

Price:
€25

Full title and description

ISO 27799:2025 — Health informatics — Information security controls in health based on ISO/IEC 27002. Provides health-specific information security controls and implementation guidance derived from ISO/IEC 27002 and tailored to electronic health records, medical devices, telehealth, cloud services and other health-care contexts.

Abstract

This third edition of ISO 27799 gives information security controls and implementation guidance for organizations that create, hold or process personal health information. It adapts and interprets the controls of ISO/IEC 27002:2022 for healthcare settings, including software and systems specific to healthcare (EHRs, clinical systems, medical devices), ancillary digital equipment used in care environments, and all forms and transfer methods of health information. The guidance is intended for organizations of any size and across all care delivery models, including remote and mobile care.

General information

  • Status: Published.
  • Publication date: 18 December 2025.
  • Publisher: International Organization for Standardization (ISO).
  • ICS / categories: 35.030 (IT security); 35.240.80 (IT applications in health care technology).
  • Edition / version: Edition 3 (2025).
  • Number of pages: 72 pages.

Key bibliographic and lifecycle details (status, edition and page count) are recorded on the ISO catalogue entry for ISO 27799:2025; the published standard replaces the 2016 edition.

Scope

ISO 27799:2025 applies to information security controls for health information in all its forms (paper, electronic, images, audio, video) and across all settings where healthcare is provided (hospitals, clinics, ambulances, mobile and remote care). The scope explicitly includes both general ICT equipment and software and healthcare-specific systems such as electronic health records and medical devices that contain software/firmware, as well as other digital equipment used in care environments. The standard is intended to be technology-neutral and to guide organizations in selecting, implementing and managing controls appropriate to their risk environment.

Key topics and requirements

  • Health-specific mapping and interpretation of ISO/IEC 27002:2022 controls for confidentiality, integrity and availability of health data.
  • Implementation guidance for clinical systems, EHRs and medical devices (software/firmware considerations).
  • Controls for telehealth, mobile health, cloud-hosted health services and cross-border data transfer considerations.
  • Organizational, technical, personnel and physical security controls tailored to care delivery environments.
  • Risk assessment and treatment guidance specific to health information and clinical safety interactions.
  • Incident response, business continuity and supplier/third-party management in health contexts.
  • Privacy-supporting measures and alignment with applicable legal/regulatory obligations for personal health information.

These topic areas follow the structure and control intent originating in ISO/IEC 27002 while adding sector-specific examples and implementation notes for healthcare practice.

Typical use and users

Primary users are healthcare providers (hospitals, clinics, primary care practices), health IT vendors, medical device manufacturers, cloud and managed service providers for health data, health information custodians, privacy and security officers, auditors, and consultants supporting compliance and risk management in health settings. Regulators and accreditation bodies may reference the standard for best-practice guidance.

Related standards

ISO 27799:2025 is closely related to and based on ISO/IEC 27002:2022 (information security controls). It replaces ISO 27799:2016, which in turn replaced the withdrawn ISO 27799:2008 (the standard also builds on prior work such as ISO/TS 14441 where relevant). It is part of the broader ISO 27000 family of information security standards and is intended to be used alongside ISO/IEC 27001 and other healthcare informatics standards where applicable. Note that ISO 27799 is a guidance standard, not a certification standard: an organization certifies its management system against ISO/IEC 27001, and uses ISO 27799 to justify the selection and implementation of health-specific controls in its risk treatment plan and Statement of Applicability.

Keywords

health informatics; information security; health data; electronic health record; medical device security; ISO/IEC 27002; privacy; telehealth; risk management; incident response; supplier management.

FAQ

Q: What is this standard?

A: ISO 27799:2025 is an ISO international standard that provides health-sector-specific information security controls and implementation guidance derived from ISO/IEC 27002.

Q: What does it cover?

A: It covers selection, implementation and management of information security controls for health information across media, facilities and delivery methods, including guidance for EHRs, clinical systems, medical devices, telehealth and cloud services.

Q: Who typically uses it?

A: Healthcare organizations, health IT and medical device vendors, cloud/service providers handling health data, privacy and security officers, auditors and consultants supporting health-sector information security.

Q: Is it current or superseded?

A: ISO 27799:2025 is the current (third) edition, published in December 2025, and supersedes ISO 27799:2016, which had itself replaced the 2008 edition.

Q: Is it part of a series?

A: Yes — it is aligned with and derived from the ISO/IEC 27000 family (particularly ISO/IEC 27002:2022) and is intended to be used alongside ISO/IEC 27001 and other ISO health informatics standards.

Q: What are the key keywords?

A: Health informatics, information security, personal health information, EHR, medical device security, ISO/IEC 27002, risk management, privacy, telehealth, incident response.