ISO 27799 provides information security controls, including implementation guidance, for health organisations. It is based on ISO/IEC 27002:2022
In addition to generic ICT equipment and software used in many other environments, the scope of this standard includes software and systems specifically for healthcare. Such examples are electronic health record systems and medical devices incorporating health software. Medical devices can be programmed or programmable and can contain software, firmware or both. Other digital equipment (such as that for environmental and infection control, building management, and physical security), which can be used in premises where healthcare is provided, is also in scope.
ISO 27799 applies to information in all its forms, regardless of how the information is represented. This includes text, numerical data, sound recordings, drawings, images, and video.
The standard applies irrespective of how the information is acquired or captured, how it is stored (for example, on paper or electronically), or how it is transferred or exchanged, including oral communication, physical delivery, postal services, movement of storage media, direct links, or networked systems.
ISO 27799 is for organisations of all types and sizes that provide healthcare or are custodians of personal health information for other reasons. The information that they are responsible for can be stored and processed in many possible ways and locations, including on premises or in the cloud.
This standard applies to all physical settings where healthcare is intended to be delivered. Examples are hospitals, clinics and other locations or facilities designated for healthcare purposes such as ambulances and mobile imaging or diagnostic units. It also applies to care provided elsewhere, such as in residential premises. In addition to the range of settings, ISO 27799 applies to all methods of service provision including remote or virtual healthcare.
ISO 27799:2025 text has been approved in Europe as EN ISO 27799:2026 without any changes.
