ISO 27799-2016 PDF

St ISO 27799-2016

Name in English:
St ISO 27799-2016

Name in Russian:
St ISO 27799-2016

Description in English:

Original standard ISO 27799-2016 in PDF full version. Additional info + preview on request

Description in Russian:
Original standard ISO 27799-2016 in PDF, full version. Additional info + preview on request

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso13931


Full title and description

Health informatics — Information security management in health using ISO/IEC 27002. ISO 27799:2016 provides guidance for information security management specifically in healthcare settings by interpreting and applying the information security controls of ISO/IEC 27002 to the protection of personal health information and to other health data custodianship practices.

Abstract

ISO 27799:2016 gives implementation guidance for information security controls described in ISO/IEC 27002 so they can be effectively used to manage confidentiality, integrity and availability of health information. It explains how the ISO/IEC 27002 controls should be interpreted and supplemented for the health sector (all forms of health information and all means of storage and transfer). The standard is technology-neutral and is intended to support selection, implementation and management of controls within the health information risk environment.

General information

  • Status: Withdrawn (replaced / revised by a later edition).
  • Publication date: July 2016 (2016-07).
  • Publisher: International Organization for Standardization (ISO).
  • ICS / categories: 35.240.80 (IT applications in health care technology).
  • Edition / version: Edition 2 (2016).
  • Number of pages: 99 pages (second edition).

Scope

ISO 27799:2016 applies to health information in all its forms (text, images, sound, recordings, medical images, etc.), regardless of how it is stored or transmitted, and provides interpretation and implementation guidance for the information security controls in ISO/IEC 27002 specifically for healthcare organisations and other custodians of personal health information. It does not prescribe how requirements must be met (it is technology-neutral) and excludes specific topics such as detailed anonymization or pseudonymization methodologies and network QoS measurement methods.

Key topics and requirements

  • Interpretation of ISO/IEC 27002 controls for healthcare contexts (mapping security controls to health information workflows).
  • Health information classification, ownership and handling rules tailored to patient data confidentiality and consent management.
  • Access control, role-based access for clinical systems, audit trails and accountability for clinical data access.
  • Guidance on secure use of mobile health, telemedicine, EHR systems and medical devices that contain software/firmware.
  • Supplier and third-party arrangements, data exchange security, and cross-border transfer considerations for health data.
  • Information security incident management, continuity of clinical systems and availability requirements for patient care.

Typical use and users

Used by hospitals, clinics, primary care providers, health information exchanges, health IT vendors, medical device integrators, and any organisations that store, transmit or process personal health information. Typical users include information security managers, compliance officers, clinical informaticians, risk managers, and IT architects who need health-specific interpretation of ISO/IEC 27002 controls.

Related standards

Key related documents include ISO/IEC 27002 (information security controls — the base code of practice) and ISO/IEC 27001 (requirements for an Information Security Management System). ISO 27799:2016 was later revised and superseded by ISO 27799:2025, which updates health-specific controls based on ISO/IEC 27002:2022. Also relevant are standards and technical specifications on health data privacy, medical device cybersecurity and local/regional healthcare information regulations.

Keywords

health informatics; information security; personal health information; ISO 27799; ISO/IEC 27002; confidentiality; integrity; availability; access control; medical device security; health data governance; telemedicine security.

FAQ

Q: What is this standard?

A: ISO 27799:2016 is an International Standard that provides healthcare-specific guidance for implementing information security controls by interpreting ISO/IEC 27002 for health information protection.

Q: What does it cover?

A: It covers guidance on selection, implementation and management of information security controls in healthcare — including classification, access control, audit trails, supplier relationships, incident management and technical/organizational measures relevant to health data. It is technology-neutral and focuses on protecting confidentiality, integrity and availability of health information.

Q: Who typically uses it?

A: Security and compliance teams in healthcare providers, health IT vendors, medical device manufacturers, health information exchanges, and consultants working on health data protection and clinical system security. Clinical informaticians and risk managers also use it to align clinical processes with security controls.

Q: Is it current or superseded?

A: ISO 27799:2016 (the second edition) has been withdrawn and superseded — the standard was revised and a new edition ISO 27799:2025 was published. Users should normally adopt the latest edition (2025) for current guidance.

Q: Is it part of a series?

A: Yes — ISO 27799 is part of the ISO family of health informatics standards maintained by ISO/TC 215 and sits alongside the ISO/IEC 27000-series (notably ISO/IEC 27002 and ISO/IEC 27001) as sector-specific guidance for health information security.

Q: What are the key keywords?

A: Health informatics, information security, health data protection, ISO 27799, ISO/IEC 27002, confidentiality, integrity, availability, access control, audit trails, medical device cybersecurity.