What is ISO 27799?
ISO 27799:2016 is an international standard that gives guidance on applying the controls of ISO/IEC 27002 within the health informatics sector. It addresses the particular information security requirements of health organisations, centred on the protection of personal health information (PHI) in electronic form. Note the terminology: in ISO 27799, PHI means personal health information, which is broader than HIPAA's "protected health information", so the two acronyms should not be treated as interchangeable when mapping controls.
ISO 27799 is not a law. While HIPAA sets US-specific legal requirements for health data, ISO 27799 provides a globally applicable framework for health information security that complements ISO/IEC 27001 and ISO/IEC 27002 with healthcare-specific guidance; it does not replace any national regulatory obligation.
| Attribute | Value |
|---|---|
| Standard body | ISO (International Organization for Standardization) |
| Current version | ISO 27799:2016 |
| Mandatory or voluntary | Voluntary |
| Geography | Global |
| Official resource | iso.org/standard/62777 |
Key Areas Covered
| Area | Guidance provided |
|---|---|
| Personal health information | Classification, handling and protection of PHI in electronic health record systems |
| Clinical systems security | Security requirements for clinical information systems, medical devices and health IT infrastructure |
| Healthcare-specific threats | Guidance addressing ransomware, medical device vulnerabilities and clinical workflow interruptions |
| Cross-border data flows | International transfer of health information across jurisdictions with different legal frameworks |
| Regulatory alignment | Provides a common control baseline that organisations can map to healthcare regulations such as HIPAA, GDPR and national health data laws |
Securitora Assessment
ISO 27799 is a valuable reference for healthcare organisations implementing ISO/IEC 27001 that need healthcare-specific security guidance. It is less widely adopted than HIPAA or HITRUST CSF, but it provides a globally applicable baseline for health information security that is particularly useful for international healthcare organisations or those operating across multiple jurisdictions. One practical caveat: the 2016 edition is written against ISO/IEC 27002:2013, so its control references must be mapped to the restructured control set of ISO/IEC 27002:2022 when used with a current ISMS.
| Attribute | Assessment |
|---|---|
| Recommended for | Healthcare organisations implementing ISO/IEC 27001 that want healthcare-specific guidance |
| Difficulty to implement | Medium: a guidance document used alongside ISO/IEC 27001/27002 rather than a certifiable standard in its own right |
| Best used with | ISO/IEC 27001 · ISO/IEC 27002 · HIPAA · HITRUST CSF |
| Official resource | iso.org/standard/62777 |