Knowledge Center / ISO 27799
ISO · Global

ISO 27799 (Health Informatics Security)

Health-sector application of ISO 27002 controls.

Introduction: ISO 27799 and the protection of Personal Health Information

ISO 27799:2016, Health informatics — Information security management in health using ISO/IEC 27002, is the definitive international standard for applying information security management to Personal Health Information (PHI). It is a sector-specific companion to ISO/IEC 27002, translating the generic control catalogue of the ISO/IEC 27000 family into the concrete operational realities of hospitals, clinics, diagnostic laboratories, insurers, pharmacies, telehealth providers, health-information exchanges and any organisation that creates, receives, stores, processes or transmits health data. Where ISO/IEC 27001 tells an organisation how to build an Information Security Management System (ISMS), and ISO/IEC 27002 provides the reference control set, ISO 27799 tells health organisations precisely how those controls must be selected, interpreted and reinforced when the asset being protected is a person's medical record.

The standard exists because health information is uniquely sensitive and uniquely demanding. A breach of PHI is not merely a privacy incident — it can lead to discrimination, denial of insurance or employment, social stigma, blackmail, and in the worst case direct harm to patient safety where availability or integrity is compromised (for example, a tampered allergy record or an inaccessible medication history during an emergency). ISO 27799 therefore elevates the classic confidentiality-integrity-availability triad and adds explicit emphasis on accountability, auditability and patient-safety-linked availability. It is designed to be implementable by organisations of any size and to interoperate with national health-privacy regimes such as HIPAA/HITECH (United States), the UK Data Protection Act 2018/UK GDPR and NHS Data Security and Protection Toolkit, the EU GDPR (with health data as a special category under Article 9), the Digital Personal Data Protection Act 2023 and the proposed Digital Information Security in Healthcare Act (DISHA) in India, and the ABDM/Ayushman Bharat Digital Mission ecosystem.

Copyright and licensing note
ISO 27799:2016 is a copyrighted international standard published by the International Organization for Standardization (ISO). The normative text, control wording and annexes are protected and must be purchased from ISO or an authorised national standards body (for example BIS in India, BSI in the UK, or ANSI in the United States) — they cannot be reproduced. This guide is an original, independent explanatory commentary written by CyberSigma auditors. It paraphrases requirements for educational and readiness purposes and does not reproduce the copyrighted normative text. Always work from a licensed copy of the standard (and of ISO/IEC 27002:2013/2022 which it references) when conducting a formal assessment or certification.

What is ISO 27799

ISO 27799 is an implementation guideline, not a certifiable standard in its own right. Organisations do not certify against ISO 27799; they certify their ISMS against ISO/IEC 27001 and demonstrate — through the Statement of Applicability, risk treatment and control implementation — that they have applied the health-sector guidance of ISO 27799 to the ISO/IEC 27002 controls. In effect, ISO 27799 is the sectoral lens through which a health organisation reads ISO/IEC 27002.

The current edition, ISO 27799:2016, was developed by ISO Technical Committee ISO/TC 215 (Health informatics) and aligned to the 2013 edition of ISO/IEC 27002 (14 control clauses, 35 control objectives, 114 controls). It supersedes the 2008 first edition. Note that ISO/IEC 27002 was substantially restructured in its 2022 edition (into 93 controls across four themes — organisational, people, physical and technological — with attributes), so mature implementers should map the ISO 27799 guidance forward to the 2022 control structure while awaiting a future revision of 27799 itself.

Key defining characteristics of the standard:

  • It is scoped exclusively to the protection of Personal Health Information (PHI) — data about the physical or mental health of an identifiable individual, including data that becomes health-related through inference or linkage.
  • It mandates that health organisations implement the minimum set of controls necessary to secure PHI in a manner proportionate to threats, and it explicitly names the security objectives PHI requires: confidentiality, integrity, availability, accountability, authenticity/non-repudiation and auditability.
  • It provides health-specific implementation guidance for every relevant control clause of ISO/IEC 27002, including guidance on unique-patient identification, break-glass emergency access, pseudonymisation and anonymisation of health data, secondary use for research, and the handling of highly sensitive categories (mental health, sexual health, genetic and HIV/AIDS data).
  • It defines the concept of the health information custodian/data controller and the duties of care owed to the data subject (the patient/service user).
  • It is deliberately technology-neutral and applicable to paper, electronic and hybrid records, and to organisations of any size — from a single-practitioner clinic to a national health service.

Who must comply / scope of applicability

ISO 27799 applies to any organisation, and any role within it, that is responsible for or has access to Personal Health Information. Because health data flows across a complex ecosystem, applicability extends well beyond hospitals to the full chain of custodians and processors. The following table sets out the principal categories of organisation in scope and how the standard bites for each.

Organisation type / roleWhy in scopePrimary ISO 27799 obligations
Hospitals, clinics and health systemsPrimary custodians of the electronic health/medical record (EHR/EMR)Full ISMS with 27799 health interpretation; break-glass access; patient-safety-linked availability; unique patient ID
Diagnostic laboratories and imaging centresGenerate and transmit sensitive results (pathology, genetics, radiology)Integrity and authenticity of results; secure transmission; result-release controls; audit trails
Health insurers and payers (TPAs)Process claims containing diagnosis and treatment dataPurpose limitation; access minimisation; secondary-use controls; strong confidentiality for underwriting-sensitive data
Pharmacies and pharmacy benefit managersHold prescription and dispensing historiesConfidentiality of medication data; identity proofing; e-prescription integrity
Telehealth and digital-health / mHealth vendorsCapture PHI over consumer channels and cloudEncryption in transit/at rest; device/endpoint security; consent and data-subject rights; cloud shared-responsibility
Health information exchanges (HIE) and interoperability hubsRoute PHI between multiple custodiansFederated identity; end-to-end integrity; consent enforcement; cross-border transfer controls
Research institutions and biobanksPerform secondary use of health dataPseudonymisation/anonymisation; ethics-approval linkage; re-identification risk management
Cloud, hosting and managed-service providers to healthProcess PHI on behalf of custodiansData-processing agreements; sub-processor control; segregation; audit rights; breach notification SLAs
Medical device and health-IoT manufacturersDevices generate and store PHISecure-by-design; firmware integrity; identity; patch management; end-of-life data handling
Public-health authorities and registriesAggregate PHI for surveillanceLegal basis; minimisation; disclosure controls; statistical-disclosure limitation
  • In scope regardless of format: paper case notes, electronic records, images, biosignals, genomic files, audio/video consultations and inferred health data.
  • In scope regardless of organisation size: the standard explicitly supports small practices through to national programmes.
  • Data processors (not only controllers/custodians) are bound through contract to apply equivalent controls; the custodian remains accountable.
  • Employees, contractors, clinicians, volunteers and third parties with any access to PHI fall within personnel-security scope.

Structure of ISO 27799

ISO 27799:2016 is organised into normative clauses that first establish health-sector context and then map, clause by clause, onto the control structure of ISO/IEC 27002:2013. The following table summarises the architecture of the standard and the control domains it interprets. The 14 security-control clauses correspond to Clauses 5–18 of ISO/IEC 27002:2013 (114 controls in total).

Clause / componentTitle (paraphrased)Purpose in ISO 27799
Clauses 1–4Scope, references, terms, symbolsEstablish scope (protection of PHI), define health-security terms and the CIA+ objectives
Clause 5Health information securitySets out why health information needs protecting, the threats, and the security objectives for PHI
Clause 6Practical action plan for implementing ISO/IEC 27002Defines management commitment, planning, obtaining management support and operating the ISMS in a health context
Clause 7 (maps to 27002 §5)Information security policiesHealth-specific policy content: PHI, consent, disclosure, break-glass
Clause 7 (maps to 27002 §6)Organization of information securityRoles: health information custodian, security officer, segregation of duties
Clause 7 (maps to 27002 §7)Human resource securityClinician screening, confidentiality undertakings, awareness on PHI
Clause 7 (maps to 27002 §8)Asset managementClassification of PHI, media handling of records and images
Clause 7 (maps to 27002 §9)Access controlRole-based access, minimum necessary, break-glass, unique user ID
Clause 7 (maps to 27002 §10)CryptographyEncryption of PHI at rest/in transit, key management, digital signatures on records
Clause 7 (maps to 27002 §11)Physical and environmental securityProtection of records rooms, servers, devices, secure disposal
Clause 7 (maps to 27002 §12)Operations securityMalware, backup of records, logging and monitoring of PHI access, change control
Clause 7 (maps to 27002 §13)Communications securitySecure network and transfer of PHI, HIE messaging, email of clinical data
Clause 7 (maps to 27002 §14)System acquisition, development and maintenanceSecure development of clinical systems, test-data protection
Clause 7 (maps to 27002 §15)Supplier relationshipsManaging cloud/BPO/device suppliers touching PHI
Clause 7 (maps to 27002 §16)Information security incident managementBreach detection, response and notification for PHI
Clause 7 (maps to 27002 §17)Business continuity (ISMS aspects)Availability of PHI for patient care and disaster recovery
Clause 7 (maps to 27002 §18)ComplianceLegal/regulatory compliance, records protection, privacy, audits
Annex AThreats to health information securityCatalogue of health-specific threats used to justify controls
Annex BTasks and related documents of the ISMSGuidance on documentation and ISMS operational tasks

Master assessment checklist

This is the operational heart of the guide. It enumerates every control domain that ISO 27799 interprets from ISO/IEC 27002, with the health-specific security objectives layered on top. For each domain we list the concrete items an auditor must verify and the typical evidence that demonstrates conformity. Where ISO 27799 adds guidance beyond the base control (for example break-glass, patient identification, or secondary use), that guidance is called out. No control area is skipped.

5.x Health information security objectives (foundational)

What to verifyTypical evidence
PHI is formally identified and inventoried across paper, electronic and hybrid holdingsData inventory / record of processing; asset register flagged for PHI
The six security objectives (confidentiality, integrity, availability, accountability, authenticity, auditability) are documented as requirements for PHIInformation security objectives document; ISMS scope statement
Health-specific threats (Annex A) are reflected in the risk assessmentRisk assessment report referencing health threat catalogue
Duty of care to data subjects and the custodian role are definedData-protection policy; custodian appointment; RACI

§5 (27002) Information security policies

What to verifyTypical evidence
An approved information security policy set exists and explicitly addresses PHI, consent and disclosureSigned policy suite with version control and approval dates
Policies define lawful bases for processing and rules for disclosure to third partiesDisclosure/consent policy; legal-basis register
Policies are reviewed at planned intervals and after significant changeReview log; management review minutes
Break-glass / emergency-access policy is documentedEmergency access policy referencing clinical override

§6 (27002) Organization of information security

What to verifyTypical evidence
A health information security officer / DPO and information custodian roles are assignedAppointment letters; org chart; job descriptions
Segregation of duties prevents unilateral access to or modification of recordsSoD matrix; access-review evidence
Contact with authorities (regulators, CERT) and special-interest groups is maintainedRegulator contact list; CERT-In/sectoral CERT registration
Information security in project management includes clinical-system projectsProject security checklists; SDLC gate records
Mobile device and teleworking policy covers clinician remote access to PHIBYOD/MDM policy; teleworking agreements

§7 (27002) Human resource security

What to verifyTypical evidence
Pre-employment screening covers clinicians, contractors and volunteers with PHI accessBackground-check records; verification logs
Confidentiality / non-disclosure undertakings signed by all with PHI accessSigned confidentiality agreements
Security and privacy awareness training is role-appropriate and repeatedTraining records; completion metrics; content covering PHI
A disciplinary process exists for security/privacy breachesDisciplinary policy; sanction records
Termination/role-change triggers timely revocation of PHI accessLeaver checklist; de-provisioning tickets

§8 (27002) Asset management

What to verifyTypical evidence
All PHI assets are inventoried with an assigned ownerAsset register with owners and PHI classification
An information classification scheme labels PHI and highly sensitive subsets (mental/sexual/genetic/HIV)Classification policy; labelling examples
Acceptable-use rules for handling records and images are defined and communicatedAcceptable-use policy; acknowledgement records
Media handling and secure disposal of records, films and drives is controlledMedia-disposal certificates; destruction logs

§9 (27002) Access control

What to verifyTypical evidence
Access to PHI follows role-based access control and the minimum-necessary / need-to-know principleRBAC role definitions; access-request approvals
Every user has a unique identity; shared/generic accounts are eliminated for PHI systemsIAM user list; exception register
Break-glass emergency access is technically constrained, logged and reviewed after the factBreak-glass configuration; post-access review reports
User access rights are reviewed at defined intervals (recertification)Access recertification reports
Strong authentication (MFA) protects remote and privileged access to PHIMFA configuration; privileged-access records
Patient/service-user access to their own records is provisioned securelyPatient-portal identity-proofing; access logs

§10 (27002) Cryptography

What to verifyTypical evidence
PHI is encrypted at rest on servers, databases, endpoints and backupsEncryption configuration; disk/database encryption evidence
PHI is encrypted in transit across all networks including HIE and emailTLS configuration; message-security settings
A key-management policy governs generation, rotation, storage and destruction of keysKey-management policy; HSM/KMS records
Digital signatures / integrity seals protect the authenticity of clinical records where requiredSignature configuration; non-repudiation evidence

§11 (27002) Physical and environmental security

What to verifyTypical evidence
Secure areas protect records rooms, data centres and imaging/server equipmentAccess-control logs; zoning plans
Clear-desk / clear-screen enforced in clinical areas where PHI is visibleClear-desk policy; walkthrough audit notes
Environmental controls (fire, power, cooling) protect availability of records systemsUPS/generator/fire-suppression records
Secure equipment disposal ensures PHI is unrecoverable from decommissioned assetsSanitisation/destruction certificates

§12 (27002) Operations security

What to verifyTypical evidence
Documented operating procedures exist for PHI systems and are kept currentSOP library; change history
Change management controls prevent uncontrolled changes to clinical systemsChange tickets; CAB minutes
Anti-malware protection is deployed and monitored on all PHI endpoints and serversEDR/AV console reports
Backups of PHI are taken, encrypted, tested for restorability and retained per policyBackup schedule; restore-test results
Access to PHI is logged; logs are protected, monitored and retainedAudit-log samples; SIEM alerting; retention policy
Technical vulnerabilities are identified and remediated on a risk basisVulnerability-scan reports; patch SLAs

§13 (27002) Communications security

What to verifyTypical evidence
Networks carrying PHI are segmented and protected (firewalls, segregation of clinical/guest networks)Network diagrams; firewall rulesets
Information-transfer agreements govern electronic exchange of PHI with partnersData-sharing agreements; interface specs
Email and messaging of clinical data is secured or restrictedSecure-email configuration; DLP policy
Electronic messaging integrity (HL7/FHIR/DICOM) is protected end to endInterface security config; message-signing evidence

§14 (27002) System acquisition, development and maintenance

What to verifyTypical evidence
Security and privacy requirements are specified for new clinical systemsRequirements docs; security acceptance criteria
Secure development lifecycle practices apply to in-house/EHR customisationSDLC policy; code-review and testing records
Test environments do not use live PHI, or PHI is masked/pseudonymisedTest-data policy; masking evidence
Security testing (SAST/DAST/pentest) precedes go-live of PHI systemsTest reports; remediation tracker

§15 (27002) Supplier relationships

What to verifyTypical evidence
Supplier/processor agreements include security, privacy and breach-notification clauses for PHISigned DPAs/BAAs; contract clauses
Cloud shared-responsibility for PHI is documented and understoodResponsibility matrix; cloud config baseline
Supplier security performance is monitored and periodically reviewedVendor assessments; audit reports; SOC 2/ISO certificates
Sub-processor changes are controlled and notifiedSub-processor register; change notifications

§16 (27002) Information security incident management

What to verifyTypical evidence
An incident-response plan defines detection, triage, containment and PHI-breach handlingIR plan; playbooks for PHI breach
Roles, reporting channels and escalation paths are definedIR RACI; contact tree
Breach notification to regulators and affected individuals meets statutory deadlinesNotification templates; past notification records
Lessons learned feed back into controls and risk assessmentPost-incident reviews; corrective actions

§17 (27002) Information security aspects of business continuity

What to verifyTypical evidence
Availability requirements for PHI are set with RTO/RPO linked to patient safetyBIA; RTO/RPO definitions
Continuity and disaster-recovery plans cover clinical systems and downtime proceduresBCP/DRP; clinical downtime procedures
Continuity arrangements are tested and results actionedDR test reports; exercise records
Redundancy is provided for critical PHI systemsHA/failover architecture evidence

§18 (27002) Compliance

What to verifyTypical evidence
Applicable legal and regulatory requirements (privacy, retention, e-signature) are identifiedLegal register mapped to controls
Records (medical, audit, consent) are protected and retained per statutory periodsRetention schedule; records-management policy
Privacy and data-protection of PHI is demonstrably ensuredDPIA/PIA records; consent management evidence
Independent reviews and internal audits of the ISMS are conductedInternal audit reports; management review minutes

Scoping and materiality / tiering

Effective ISO 27799 adoption begins with disciplined scoping so that control rigour is proportionate to the sensitivity and volume of PHI and to the harm a compromise would cause. ISO 27799 encourages a risk-based, tiered approach rather than uniform maximum controls everywhere.

Scoping / materiality dimensionHow to determine tierEffect on control depth
Data sensitivityStandard PHI vs. highly sensitive (mental health, sexual/reproductive, genetic, HIV/substance-use)Highly sensitive subsets warrant stricter access, enhanced logging and additional consent controls
Volume and aggregationSingle-patient view vs. bulk datasets / registries / research extractsLarger aggregations raise re-identification and mass-breach risk; add statistical-disclosure and DLP controls
Patient-safety linkageWhether unavailability/integrity loss can harm patientsSystems tied to care delivery get higher availability tiers, faster RTO and integrity assurance
Data-subject identifiabilityIdentified vs. pseudonymised vs. anonymisedAnonymised data may fall outside PHI scope; pseudonymised remains in scope with key-separation controls
Cross-border and third-party flowDomestic vs. cross-border, in-house vs. processor/cloudCross-border transfer and processor controls, contractual safeguards and residency requirements apply
Regulatory overlayWhich regimes apply (HIPAA, GDPR Art. 9, DPDP Act, NHS DSPT, DISHA)Determines mandatory breach timelines, consent model and certification expectations

The materiality of a control gap should be judged by the potential harm to the data subject and to patient safety, not merely by system criticality. A gap in break-glass logging on a psychiatric records system is materially more severe than the same gap on a facilities database.

Implementation approach

CyberSigma recommends a phased implementation that layers the ISO 27799 health interpretation onto an ISO/IEC 27001 ISMS. Each phase below lists the core activities and the deliverables an assessor will expect to see.

Phase 1 — Initiate and mandate (weeks 1–4)

  • Activities: secure executive sponsorship; appoint the information security officer, DPO and health information custodian; define ISMS scope covering all PHI; establish governance and steering committee.
  • Deliverables: signed ISMS mandate; scope statement; governance charter; role appointments; project plan and RACI.

Phase 2 — Discover and assess risk (weeks 3–10)

  • Activities: build the PHI data inventory and data-flow maps; classify data including highly sensitive subsets; conduct the risk assessment using the ISO 27799 health-threat catalogue; run DPIAs for high-risk processing.
  • Deliverables: PHI asset register; data-flow diagrams; risk assessment report and risk register; DPIA records; gap analysis against ISO/IEC 27002 with 27799 guidance.

Phase 3 — Design controls and treatment plan (weeks 8–16)

  • Activities: define the risk-treatment plan; draft the Statement of Applicability with health-specific justifications; author policies (access, break-glass, disclosure, retention, cryptography); design RBAC and logging architecture.
  • Deliverables: risk-treatment plan; Statement of Applicability; approved policy suite; access-control and audit-logging designs.

Phase 4 — Implement and operationalise (weeks 14–30)

  • Activities: deploy technical controls (encryption, MFA, EDR, SIEM, DLP, break-glass, backups); enforce SoD and recertification; roll out training; execute supplier/DPA remediation.
  • Deliverables: control-implementation evidence; training completion records; updated supplier contracts; configured logging/monitoring.

Phase 5 — Measure, audit and improve (weeks 26–40)

  • Activities: run internal audit and management review; test incident response and continuity; measure KPIs; remediate findings; conduct stage 1/2 certification readiness.
  • Deliverables: internal audit report; management review minutes; DR/IR test results; corrective-action plan; certification-readiness pack.

Phase 6 — Sustain and mature (ongoing)

  • Activities: continuous monitoring; periodic recertification of access; annual risk reassessment; surveillance-audit support; maturity uplift.
  • Deliverables: continuous-improvement register; annual risk refresh; surveillance-audit evidence.

Maturity / capability model

While ISO 27799 does not itself prescribe a maturity scale, CyberSigma applies a five-level capability model (aligned to common ISMS maturity practice) to benchmark a health organisation's protection of PHI and to plan uplift.

LevelNameCharacteristics for PHI protection
1Initial / Ad hocPHI handled informally; no documented policy; access uncontrolled; reliance on individual discretion; no audit trail
2Repeatable / ManagedBasic policies exist; some access control and encryption; inconsistent application; reactive incident handling
3DefinedDocumented ISMS with 27799 interpretation; RBAC, break-glass and logging in place; training delivered; risk assessment performed
4Quantitatively managedControls measured via KPIs; access recertified; continuous monitoring and SIEM; DPIAs routine; supplier assurance operational
5OptimisingContinuous improvement; threat-informed control tuning; automation of access review and breach detection; near-real-time assurance and full certification maintained

Assessment and audit approach

A rigorous ISO 27799 assessment follows the ISO/IEC 27001 audit discipline with a health overlay. The recommended sequence is as follows.

  1. Confirm scope and objectives: agree the boundary of PHI processing, systems, sites and third parties to be assessed.
  2. Review documentation (stage 1): examine the ISMS scope, policies, Statement of Applicability, risk assessment and 27799-specific procedures for completeness.
  3. Perform data-flow and inventory validation: verify the PHI inventory and flows reflect reality, including cloud and processor touchpoints.
  4. Assess risk treatment: check that identified health-specific risks are addressed by selected controls with documented justification.
  5. Conduct control testing (stage 2): sample-test each control domain — access control, break-glass, encryption, logging, backup, incident response — against evidence and live configuration.
  6. Interview roles: interview clinicians, IT, custodian, DPO and suppliers to confirm operating effectiveness, not just design.
  7. Test incident and continuity readiness: review or observe an IR/DR exercise and breach-notification capability against statutory deadlines.
  8. Evaluate metrics and management review: confirm KPIs are tracked and drive improvement, and that management review closes the loop.
  9. Document findings and rate materiality: classify nonconformities (major/minor) and observations by patient-harm potential.
  10. Agree corrective actions and re-test: set remediation timelines, verify closure and issue the assessment report / certification recommendation.

Evidence request list

The following categorised evidence list is what CyberSigma requests at the outset of an ISO 27799 readiness or audit engagement.

  • Governance and scope: ISMS scope statement; information security and privacy policies; role appointments (security officer, DPO, custodian); management review minutes.
  • Risk and data: PHI data inventory and data-flow maps; data classification scheme; risk assessment and register; DPIA/PIA records; Statement of Applicability.
  • Access control: RBAC role catalogue; access-request/approval records; access recertification reports; break-glass policy and post-access reviews; MFA configuration.
  • Cryptography and data protection: encryption-at-rest and in-transit configuration; key-management policy; DLP policy and reports.
  • Operations and monitoring: SOPs; change-management records; backup schedule and restore-test results; audit-log samples and SIEM alerting; vulnerability and patch reports.
  • Human resources: screening records; signed confidentiality undertakings; training content and completion metrics; joiner/mover/leaver records.
  • Supplier assurance: DPAs/BAAs; sub-processor register; vendor assessments and third-party certificates (SOC 2, ISO/IEC 27001).
  • Incident and continuity: IR plan and playbooks; breach-notification templates and past records; BCP/DRP and test results; BIA with RTO/RPO.
  • Physical security: secure-area access logs; media-disposal and equipment-sanitisation certificates; environmental-control records.
  • Compliance: legal/regulatory register; records-retention schedule; internal audit reports; consent-management evidence.

Roles and responsibilities

RoleKey responsibilities under ISO 27799Accountable for
Executive management / BoardProvide mandate, resources and risk appetite; approve ISMSOverall accountability for PHI protection
Health information custodian / Data controllerOwn the duty of care to data subjects; authorise disclosuresLawful, secure handling of PHI
Information Security Officer / CISODesign, operate and maintain the ISMS and controlsControl effectiveness and security posture
Data Protection Officer (DPO)Ensure privacy compliance, DPIAs and data-subject rightsRegulatory privacy compliance
System / application ownersImplement controls on clinical systems; manage accessSecurity of their PHI systems
Clinicians and care staffFollow acceptable use, minimum-necessary access, report incidentsCorrect day-to-day handling of PHI
IT operationsRun backups, patching, monitoring, IAM and encryptionOperational control execution
Internal auditIndependently assess conformity and effectivenessAssurance to management
Suppliers / processorsApply contractually required controls; notify breachesSecurity of PHI they process

KPIs / metrics to track

  • Percentage of PHI assets inventoried and classified (target 100%).
  • Percentage of PHI systems with encryption at rest and in transit enforced.
  • MFA coverage for remote and privileged access to PHI systems.
  • Access-recertification completion rate and overdue count.
  • Number of break-glass access events and percentage reviewed within SLA.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for PHI incidents.
  • Percentage of PHI breaches notified to regulators within the statutory deadline.
  • Backup restore-test success rate and RTO/RPO achievement for critical systems.
  • Security-awareness training completion rate for staff with PHI access.
  • Percentage of suppliers processing PHI with a signed DPA/BAA and current assurance.
  • Critical/high vulnerability remediation within SLA on PHI systems.
  • Number of open nonconformities from internal/external audit and their ageing.

Readiness checklist

  • ISMS scope covering all PHI processing is defined and approved.
  • Security officer, DPO and health information custodian appointed in writing.
  • Complete PHI data inventory and data-flow maps produced.
  • Data classification distinguishes standard from highly sensitive PHI.
  • Risk assessment using health-specific threats completed with a risk register.
  • Statement of Applicability documents 27799-informed control selection.
  • RBAC with minimum-necessary access enforced; generic accounts removed.
  • Break-glass emergency access is constrained, logged and reviewed.
  • Encryption at rest and in transit enforced across all PHI holdings.
  • MFA protects remote and privileged access to PHI.
  • Audit logging of PHI access enabled, protected and monitored via SIEM.
  • Backups encrypted and restore-tested; RTO/RPO linked to patient safety.
  • Incident-response and breach-notification procedures meet statutory deadlines.
  • Business continuity and clinical downtime procedures tested.
  • Confidentiality undertakings signed and role-based training delivered.
  • Supplier DPAs/BAAs in place with breach-notification clauses.
  • Retention and disposal schedules align with legal requirements.
  • Internal audit and management review completed with corrective actions tracked.

Common gaps and findings

  • Shared or generic clinical logins that defeat accountability and audit trails.
  • Break-glass access implemented without after-the-fact review, so emergency overrides are never scrutinised.
  • Incomplete PHI inventory — imaging archives (PACS), medical devices and shadow/legacy systems omitted from scope.
  • Live PHI used in test and training environments without masking or pseudonymisation.
  • Backups present but never restore-tested, or backups unencrypted.
  • Audit logs enabled but not retained, protected or actively monitored.
  • Supplier and cloud processing of PHI without a signed DPA/BAA or defined shared-responsibility model.
  • Breach-notification processes that cannot meet statutory deadlines (e.g. GDPR 72 hours; HIPAA within 60 days).
  • Highly sensitive categories (mental health, HIV, genetics) not given enhanced access and logging controls.
  • Access recertification not performed, leaving orphaned and excessive entitlements.
  • Patient-safety-linked availability not translated into concrete RTO/RPO and tested continuity plans.
  • Awareness training generic and not tailored to PHI handling and clinical workflows.

ISO 27799 mapped to other frameworks

ISO 27799 rarely operates alone; health organisations must reconcile it with statutory privacy regimes and other security standards. The following mapping helps teams reuse a single control set across obligations.

Framework / regulationRelationship to ISO 27799Key point of alignment
ISO/IEC 27001ISMS management system that ISO 27799 operationalisesCertify against 27001; apply 27799 health guidance in the SoA
ISO/IEC 27002 (2013/2022)Reference control set that 27799 interprets for healthMap 27799 guidance onto the 93 controls of the 2022 edition
HIPAA Security & Privacy Rules (US)National health-privacy regime; complementaryAccess control, audit, encryption, BAAs, breach notification (60 days)
HITECH Act (US)Strengthens HIPAA breach and enforcementBreach notification and safeguards for electronic PHI
EU GDPR (Art. 9 special category)Overarching privacy law for health dataLawful basis, DPIA, data-subject rights, 72-hour breach notice
UK DPA 2018 / NHS DSPTUK privacy law and NHS assurance toolkitAnnual DSPT submission maps to 27799 control evidence
India DPDP Act 2023 / DISHA (proposed)Indian personal-data and health-data regimesConsent, data-fiduciary duties, breach notification to Data Protection Board
ABDM / Ayushman Bharat Digital MissionIndian digital-health ecosystem standardsHealth-ID, consent manager and data-security expectations
NIST SP 800-66 (HIPAA guidance)US implementation guidance for health securityCross-references NIST controls to health safeguards
ISO/IEC 27701Privacy extension to the ISMSAdds PIMS controls for PHI as personal data
ISO 13606 / HL7 FHIR securityHealth-informatics interoperability with securitySecure exchange of PHI across systems

How CyberSigma helps

Partner with CyberSigma for ISO 27799 assurance
CyberSigma's CERT-In empanelled auditors and PCI QSAs deliver end-to-end ISO 27799 and ISO/IEC 27001 services for the health sector: PHI data-flow discovery and classification, health-threat risk assessment, DPIA facilitation, Statement of Applicability drafting with health interpretation, break-glass and RBAC design, encryption and logging architecture, supplier/BAA remediation, incident-response and breach-notification playbooks aligned to GDPR, HIPAA and the DPDP Act, and full internal-audit and certification-readiness support. We benchmark your maturity, close the gaps, and stand alongside your team through certification and surveillance audits — so your patients' data, and your patient safety, are provably protected. Contact CyberSigma to scope an ISO 27799 readiness assessment for your organisation.

Frequently asked questions

Is ISO 27799 separately certifiable?
It is guidance that supports ISO/IEC 27001 certification in a health context rather than a standalone certification.
Official documents

Need help with ISO 27799?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.