EURUSD
Your shopping cart is empty.
CEN

FprEN ISO 27799

(Main)

Health informatics - Information security controls in health based on ISO/IEC 27002 (ISO/FDIS 27799:2025)

Health informatics - Information security controls in health based on ISO/IEC 27002 (ISO/FDIS 27799:2025)

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information is always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health informatics;
d) data quality (as distinct from data integrity).

Medizinische Informatik - Informationssicherheitsmanagement im Gesundheitswesen bei Verwendung der ISO/IEC 27002 (ISO/FDIS 27799:2025)

Informatique de santé - Management de la sécurité de l'information relative à la santé en utilisant l'ISO/IEC 27002 (ISO/FDIS 27799:2025)

L'ISO 27799 :2016 donne des lignes directrices en matière de normes organisationnelles relatives à la sécurité de l'information et des bonnes pratiques de management de la sécurité de l'information, incluant la sélection, la mise en ?uvre et la gestion de mesures de sécurité prenant en compte le ou les environnement(s) à risques pour la sécurité de l'information de l'organisme.
Elle spécifie des lignes directrices permettant d'interpréter et de mettre en ?uvre l'ISO/IEC 27002 dans le domaine de l'informatique de santé et constitue un complément à cette dernière.
L'ISO 27799 :2016 fournit des préconisations de mise en ?uvre des mesures décrites dans l'ISO/IEC 27002 et les complète, le cas échéant, de façon à ce qu'elles puissent être utilisées efficacement dans le mangement de la sécurité des informations de santé. La mise en ?uvre de l'ISO 27799 :2016 permettra aux organismes de santé et aux autres dépositaires d'informations de santé de garantir le niveau minimal requis de sécurité approprié aux conditions de leur organisme et de protéger la confidentialité, l'intégrité et la disponibilité des informations personnelles de santé dans leurs activités de soins.
L'ISO 27799 :2016 s'applique à tous les aspects des informations de santé, quelle que soit la forme (mots, chiffres, enregistrements sonores, dessins, vidéos et images médicales), le support utilisé pour les stocker (imprimés, documents manuscrits ou stockage électronique) ou les moyens mis en ?uvre pour leur transmission (en main propre, par fax, par réseau informatique ou par courrier), de sorte que l'information soit toujours correctement protégée.
L'ISO 27799 :2016 et l'ISO/IEC 27002 définissent les exigences en termes de sécurité de l'information dans les soins de santé, mais elles ne définissent pas la façon de satisfaire à ces exigences. En d'autres termes, dans toute la mesure du possible, la technologie est absente de l'ISO 27799 :2016. La neutralité sur les technologies de mise en ?uvre est une caractéristique importante. La technologie en matière de sécurité continue de se développer rapidement. Le rythme de cette évolution se mesure actuellement en mois et non plus en années. En revanche, bien que les Normes internationales soient soumises à des révisions régulières, il est prévu qu'elles restent valides pendant plusieurs années. De manière également importante, la neutralité sur les technologies laisse aux fournisseurs et aux prestataires de services l'entière liberté de suggérer des technologies nouvelles ou en développement qui peuvent répondre aux exigences décrites dans l'ISO 27799 :2016.
Comme mentionné dans l'introduction, la connaissance de l'ISO/IEC 27002 est indispensable à la compréhension de l'ISO 27799 :2016.
Les domaines suivants de la sécurité de l'information ne relèvent pas du domaine d'application de l'ISO 27799 :2016:
a) les méthodologies et les essais statistiques en vue d'une anonymisation efficace des informations personnelles de santé;
b) les méthodologies en vue de la pseudonymisation des informations personnelles de santé (voir la bibliographie pour une brève description d'une Spécification technique qui traite spécifiquement de ce sujet);
c) la qualité des services fournis par le réseau et les méthodes pour évaluer la disponibilité des réseaux utilisés pour l'informatique de santé;
d) la qualité des données (par opposition à l'intégrité des données).

Zdravstvena informatika - Kontrola informacijske varnosti v zdravstvu na podlagi standarda ISO/IEC 27002 (ISO/FDIS 27799:2025)

General Information

Status
Not Published
Publication Date
15-Feb-2026
ICS
35.030 - IT Security
35.240.80 - IT applications in health care technology
Technical Committee
CEN/TC 251 - Medical informatics
Drafting Committee
CEN/TC 251/WG 1 - Information models
Current Stage
6055 - CEN Ratification completed (DOR) - Publishing
Start Date
14-Dec-2025
Completion Date
14-Dec-2025
Ref Project
kSIST FprEN ISO 27799:2025 - Health informatics - Information security controls in health based on ISO/IEC 27002 (ISO/FDIS 27799:2025)

Relations

Revises
EN ISO 27799:2016 - Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016)
Effective Date
18-Jan-2023
prEN ISO 27799:2025prEN ISO 27799:2025
PreviousNext
Draft
prEN ISO 27799:2025
English language
82 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
oSIST prEN ISO 27799:2025
01-marec-2025
Nadomešča:
SIST EN ISO 27799:2017
Zdravstvena informatika - Vodenje informacijske varnosti v zdravstvu z uporabo
standarda ISO/IEC 27002 (ISO/DIS 27799:2025)
Health informatics - Information security management in health using ISO/IEC 27002
(ISO/DIS 27799:2025)
Medizinische Informatik - Informationssicherheitsmanagement im Gesundheitswesen bei
Verwendung der ISO/IEC 27002 (ISO/DIS 27799:2025)
Informatique de santé - Management de la sécurité de l'information relative à la santé en
utilisant l'ISO/IEC 27002 (ISO/DIS 27799:2025)
Ta slovenski standard je istoveten z: prEN ISO 27799
ICS:
35.030 Informacijska varnost IT Security
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
oSIST prEN ISO 27799:2025 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN ISO 27799:2025
oSIST prEN ISO 27799:2025
DRAFT
International
Standard
ISO/DIS 27799
ISO/TC 215
Health informatics — Information
Secretariat: ANSI
security management in health
Voting begins on:
using ISO/IEC 27002
2025-01-20
Informatique de santé — Management de la sécurité de
Voting terminates on:
l'information relative à la santé en utilisant l'ISO/IEC 27002
2025-04-14
ICS: 35.030; 35.240.80
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
ISO/DIS 27799:2025(en)
oSIST prEN ISO 27799:2025
DRAFT
ISO/DIS 27799:2025(en)
International
Standard
ISO/DIS 27799
ISO/TC 215
Health informatics — Information
Secretariat: ANSI
security management in health
Voting begins on:
using ISO/IEC 27002
Informatique de santé — Management de la sécurité de
Voting terminates on:
l'information relative à la santé en utilisant l'ISO/IEC 27002
ICS: 35.030; 35.240.80
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO 2025
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ISO/DIS 27799:2025(en)
ii
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
3.1 Terms and definitions .2
3.2 Abbreviated terms .3
4 General . 3
4.1 Structure of this Document .3
4.2 Safety.3
4.3 Selecting and applying controls .4
4.3.1 Determining controls .4
4.3.2 Application of Guidance .4
4.3.3 Use with ISO/IEC 27001:2022 .4
5 Organizational controls . 4
5.1 Policies for information security . .4
5.2 Information security roles and responsibilities .6
5.3 Segregation of duties.7
5.4 Management responsibilities .7
5.5 Contact with authorities .7
5.6 Contact with special interest groups . .7
5.7 Threat intelligence .7
5.8 Information security in project management .8
5.9 Inventory of information and other associated assets .8
5.10 Acceptable use of information and other associated assets .9
5.11 Return of assets .9
5.12 Classification of information .9
5.13 Labelling of information .10
5.14 Information transfer .10
5.15 Access control .11
5.16 Identity management .11
5.17 Authentication information . 12
5.18 Access rights . 12
5.19 Information security in supplier relationships . 13
5.20 Addressing information security within supplier agreements . 13
5.21 Managing information security in the ICT supply chain . 13
5.22 Monitoring, review and change management of supplier services .14
5.23 Information security for use of cloud services .14
5.24 Information security incident management planning and preparation .14
5.25 Assessment and decision on information security events .14
5.26 Response to information security incidents .14
5.27 Learning from information security incidents .14
5.28 Collection of evidence . .14
5.29 Information security during disruption . 15
5.30 ICT readiness for business continuity . 15
5.31 Legal, statutory, regulatory and contractual requirements . 15
5.32 Intellectual property rights . 15
5.33 Protection of records .16
5.34 Privacy and protection of PII .16
5.35 Independent review of information security .17
5.36 Conformance with policies, rules and standards for information security .17
5.37 Documented operating procedures .17
5.38 HLT – Information security requirements analysis and specification .18

iii
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
5.39 HLT – Uniquely identifying subjects of care .19
5.40 HLT – Validation of displayed/printed data . 20
5.41 HLT – Publicly available health information . 20
5.42 HLT – Emergency communication .21
5.43 HLT – External incident reporting . 22
6 People controls .22
6.1 Screening . 22
6.2 Terms and conditions of employment . 23
6.3 Information security awareness, education and training . 23
6.4 Disciplinary process . 23
6.5 Responsibilities after termination or change of employment. 23
6.6 Confidentiality or non-disclosure agreements .24
6.7 Remote working .24
6.8 Information security event reporting.24
6.9 HLT – Management training . 25
7 Physical controls .25
7.1 Physical security perimeters . 25
7.2 Physical entry . 26
7.3 Securing offices, rooms and facilities . 26
7.4 Physical security monitoring . . 26
7.5 Protecting against physical and environmental threats . 26
7.6 Working in secure areas . 26
7.7 Clear desk and clear screen . 26
7.8 Equipment siting and protection .27
7.9 Security of assets off-premises .27
7.10 Storage media .27
7.11 Supporting utilities . 28
7.12 Cabling security . 28
7.13 Equipment maintenance . 28
7.14 Secure disposal or re-use of equipment . 29
8 Technological controls .29
8.1 User endpoint devices . 29
8.2 Privileged access rights . 29
8.3 Information access restriction . 29
8.4 Access to source code . 29
8.5 Secure authentication . 30
8.6 Capacity management . 30
8.7 Protection against malware . 30
8.8 Management of technical vulnerabilities . 30
8.9 Configuration management .31
8.10 Information deletion .31
8.11 Data masking .32
8.12 Data leakage prevention .32
8.13 Information backup.32
8.14 Redundancy of information processing facilities .32
8.15 Logging .32
8.16 Monitoring activities .32
8.17 Clock synchronization . 33
8.18 Use of privileged utility programs . 33
8.19 Installation of software on operational systems . 33
8.20 Networks security . 33
8.21 Security of network services . 33
8.22 Segregation of networks . 33
8.23 Web filtering . 34
8.24 Use of cryptography . 34
8.25 Secure development life cycle . 34
8.26 Application security requirements . 34

iv
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
8.27 Secure system architecture and engineering principles . 34
8.28 Secure coding. 34
8.29 Security testing in development and acceptance . 35
8.30 Outsourced development . 35
8.31 Separation of development, test and production environments. 35
8.32 Change management . 35
8.33 Test information . 35
8.34 Protection of information systems during audit testing . 35
8.35 HLT – Zero trust principles. 36
Annex A (informative) Information security controls for health reference .37
Annex B (informative) Correspondence of this document with ISO 27799:2016 .39
Annex C (informative) Information security in health organizations .40
Annex D (informative) Example security and privacy requirements for health information
systems and their mapping to the ISO 27799 controls and IEC TS 81001-2-2 security
capabilities . 51
Bibliography .73

v
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
This third edition cancels and replaces the second edition (ISO 27799:2016), which has been technically
revised.
The main changes are as follows:
— alignment with the new structure of ISO/IEC 27002:2022 and other changes to that standard from the
previous version
— revision and addition of controls specific to health
— removal of material that is in ISO/IEC 27002:2022 but was not in the previous version of that standard.
— addition of informative Annexes providing i) supplementary guidance on cybersecurity in health
organizations and ii) example security and privacy requirements for health information systems.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

vi
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
Introduction
0.1  General
This document provides a set of information security controls including implementation guidance and
other supporting information for health organizations. It is based on ISO/IEC 27002:2022 and has a similar
structure.
0.2  Context and Background
When considering information security in the context of healthcare, a wide range of factors has to be taken
into account including the following:
a) Equipment that relies on digital technologies for its operation and is deployed exclusively or
predominantly in the healthcare domain. Medical devices incorporating health software are the prime
example.
b) The need to balance clinical safety and effectiveness with information security.
c) Maintaining the privacy of subjects of care while ensuring access to relevant personal health information
for diagnosis and treatment.
d) The distributed nature of personal health information both within and between organizations (possibly
in different jurisdictions) resulting in the need for high levels of interoperability between diverse
systems, applications and devices.
e) Users of many different kinds including doctors, nurses, other clinicians, trainees, students, healthcare
assistants, technicians, administrative staff and volunteers as well as subjects of care and their proxies.
f) The multiple interdependencies and information flows between and within organizations responsible
for one or more of: healthcare, clinical research, teaching, education and training.
g) The need for some healthcare services to be available on a continuous basis (24 hours a day every day)
under normal circumstances. In addition, natural disasters and other unusual events that can lead to
surges in demand for healthcare services.
h) Organizations providing health services as well as manufacturers or suppliers of systems, devices and
equipment are all subject to a wide range of legal, statutory, regulatory and contractual requirements
which can vary between jurisdictions.
i) Overlapping or incomplete requirements for accountability and professional responsibility between
different professions (such as ICT and medical devices staff) for ensuring security and safety of systems,
devices and equipment.
Given this overall context, healthcare has a number of sector-specific, if not unique, information security
requirements. However, the controls in ISO/IEC 27002:2022 are intentionally generic, hence the need for
this document.
0.3  Audience and Uses
This document is targeted at organizations that:
— provide healthcare services or are custodians of personal health information for other reasons;
— supply software, systems, devices, equipment or services that are used to process personal health
information;
— are responsible for healthcare regulation, accreditation, inspection, assurance or similar.
Individuals for whom this document is particularly relevant include:
— ICT and medical devices or equipment professionals working in the types of organizations listed above;

vii
oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
— information security professionals (particularly those unfamiliar with the health domain): these
professionals can include consultants, penetration testers, auditors and those working for bodies that
provide certification to ISO/IEC 27001.
Appropriate implementation of the controls in this document can provide assurance to individuals, including
subjects of care, their proxies and members of an organization's workforce. Appropriate implementation
can also provide assurance to a wide range of stakeholder bodies including management and governance
boards of healthcare organizations, other healthcare organizations with which information is exchanged or
shared, public authorities, regulators, auditors, and organizations that finance, insure, accredit or inspect
healthcare services.
This document can be used in healthcare settings when determining and implementing controls for an
information security management system (ISMS) conformant to ISO/IEC 27001.

viii
oSIST prEN ISO 27799:2025
DRAFT International Standard ISO/DIS 27799:2025(en)
Health informatics — Information security management in
health using ISO/IEC 27002
1 Scope
This document provides a set of information security controls, including implementation guidance, for
health organizations. It is based on ISO/IEC 27002:2022.
In addition to generic ICT equipment and software used in many other environments, the scope of this
document includes software and systems specifically for healthcare, such as electronic health record
systems and medical devices incorporating health software. Such medical devices can be programmed or
programmable and can contain software, firmware or both.
Also in scope is other digital equipment (such as that for environmental and infection control, building
management, and physical security) that can be used in premises where healthcare is provided.
This document applies to health and other relevant information in all its aspects, whatever form the
information takes (including text and numbers, sound recordings, drawings, images and video), by whatever
means it has been acquired or captured, whatever means are used to store it (such as printing or writing on
paper or storage electronically), and whatever means are used to transfer or exchange it (orally, by hand, by
post, movement of storage media, direct links or networking).
This document is for organizations of all types and sizes that provide healthcare or are custodians of personal
health information for other reasons. The information that they are responsible for can be stored and
processed in many possible ways and locations, including on premises or in the cloud, but remains in scope.
This document applies to all physical settings where healthcare is intended to be delivered, such as hospitals,
clinics and other locations or facilities designated for healthcare purposes such as ambulances and mobile
imaging or diagnostic units. It also applies to care provided elsewhere, such as in residential premises. In
addition to the range of settings, this document applies to all methods of service provision including remote
or virtual healthcare.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security
controls
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27002:2022,
ISO 81001-1:2021 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/

oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
3.1 Terms and definitions
3.1.1
health
complete physical, mental and social well-being
Note 1 to entry: Health is not merely the absence of disease or infirmity.
[SOURCE: World Health Organization constitution, https:// www .who .int/ about/ governance/ constitution ,
modified changed second part of definition into a note.]
3.1.2
health software
software intended to be used specifically for managing, maintaining, or improving health of individual
persons, or the delivery of care, or which has been developed for the purpose of being incorporated into a
medical device
Note 1 to entry: Health software fully includes what is considered software as a medical device.
[SOURCE: ISO 81001-1:2021, 3.3.9]
3.1.3
healthcare
care activities, services, management or supplies related to the health of an individual
3.1.4
personal health information
information about an identifiable person that relates to the physical or mental health of the individual
Note 1 to entry: Personal health information may include:
a) information about the registration of the individual for the provision of health services;
b) information about payments or eligibility for healthcare in respect to the individual;
c) a number, symbol, or particular assigned to an individual to uniquely identify the individual for health purposes;
d) any information about the individual that is collected in the course of the provision of health services to the
individual;
e) information derived from the testing or examination of a body part or bodily substance;
f) identification of a person (for instance a health professional) as a provider of healthcare to the individual.
Note 2 to entry: Personal health information does not include information that, either by itself or when combined
with other information available to the holder, is anonymized and, therefore, the identity of the individual who is the
subject of the information cannot be ascertained from the information.
3.1.5
subject of care
person who seeks to receive, is receiving, or has received healthcare
[SOURCE: ISO 13940:2015, 5.2.1, modified - the words "healthcare actor with a person role" replaced with
"person"]
3.1.6
subject of care proxy
person with the right to take decisions on behalf of the subject of care
EXAMPLE 1 Parents of children who are not yet adults.
EXAMPLE 2 Guardians of adults with learning disabilities or lacking mental capacity.
[SOURCE: ISO 13940:2015, 5.2.3.3.1 modified and examples added]

oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
3.2 Abbreviated terms
HLT health
ICT information and communication technology
ISMS information security management system
PII personally identifiable information
4 General
4.1 Structure of this Document
This document lists all the controls in ISO/IEC 27002:2022, using the same control titles and structure as
Clauses 5-8 in that standard, and:
a) indicates which controls (including their purposes, guidance and any other information) in
ISO/IEC 27002:2022 apply unchanged in health;
b) for certain controls in ISO/IEC 27002:2022: provides guidance, other information, or both on how to
apply the controls in health;
c) for the remaining controls in ISO/IEC 27002:2022: supplements what each control is, its purpose and
guidance. Other information for health is also provided in some of these instances;
d) specifies controls that are specific to health and that are not based on any existing controls in
ISO/IEC 27002:2022. These additional controls have the same layout as the controls in ISO/IEC 27002
and the control titles are prefixed with "HLT" (for HeaLTh).
In relation to ISO/IEC 27002:2022, controls in c) and d) are supplementary and additional respectively.
This document contains 4 Annexes:
— Annex A is a reference list of the controls specific to health, namely those under c) and d). The Annex also
complements ISO/IEC 27001:2022, Annex A.
— Annex B provides a mapping table showing the correspondence of the HLT controls in this document
with controls in ISO 27799:2016. It provides support for the transition between the two editions and
complements ISO/IEC 27002:2022, Annex B.
— Annex C provides information on aspects of healthcare that are of particular importance in the context
of information security.
— Annex D provides requirements for the development and acquisition of health IT systems and a mapping
to MDS2 (manufacturer disclosure statement for medical device security).
4.2 Safety
Security, safety and health information system effectiveness are interdependent. It is essential to take this
into account when assessing and managing risks and their risk control measures. For example, a risk that
systems or data will not be available at the point-of-care is not just a security risk; it can have significant
impact on safety if decision-making about care is compromised. In turn, this can impact the effectiveness of
the health system.
A consequence of the interdependence of security, safety and effectiveness is that well-intended risk control
measures can, in some instances, adversely impact one or both of the other properties. For instance, adding
controls to reduce the risk resulting from unauthorized access can impact system usability and availability and
hence compromise system effectiveness. It can also result in system workarounds that adversely impact safety.

oSIST prEN ISO 27799:2025
ISO/DIS 27799:2025(en)
Safety should be taken into account in all aspects of infor
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN 13245-1:2025(Main)
Plastics - Unplasticized poly(vinyl chloride) (PVC-U) profiles for building applications - Part 1: Designation of PVC-U profiles
kSIST FprEN 13245-1:2025

This document establishes a system of designation for profiles made of unplasticized poly(vinyl chloride) (PVC-U) intended to be used for building applications. This system is intended to be used in product specification after the application is specified.
NOTE   It is intended to use this system for the designation of PVC-U profiles for information related to technical literature of the manufacturer, not for the marking of the products.
This part is applicable to PVC-U profiles of any colour, obtained by a mono-extrusion or a co-extrusion process, with or without surface finishing (e.g. foil, paint or print).
This document defines minimum requirements for the surface finishing of PVC-U profiles.
Profiles for the management of electrical power cables, communication cables and power track systems used for the distribution of electrical power, profiles for windows or doors and profiles for guttering are not covered by this document.

  • Draft
    24 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 13245-3:2025(Main)
Plastics - Unplasticized poly(vinyl chloride) (PVC-U) profiles for building applications - Part 3: Designation of PVC-UE profiles
kSIST FprEN 13245-3:2025

This document establishes a system of designation for profiles made of cellular unplasticized poly(vinyl chloride) (PVC-UE) intended to be used for building applications. This system is intended to be used in product specification after the application is specified.
NOTE   It is intended to use this method for the designation of PVC-UE profiles for information related to technical literature of the manufacturer, not for the marking of the products.
This part is applicable to PVC-UE profiles of any colour, obtained by a mono-extrusion or a co-extrusion process, with or without surface finishing (e.g. foil, paint or print).
This document defines minimum requirements for the surface finishing of PVC-UE profiles.
Profiles for the management of electrical power cables, communication cables and power track systems used for the distribution of electrical power, profiles for windows or doors and profiles for guttering are not covered by this document.

  • Draft
    27 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 12080:2025(Main)
Railway applications - Axleboxes - Rolling bearings
SIST EN 12080:2026

This document is a part of a package of standards: EN 12080, EN 12081, EN 12082-1 and EN 12082-2. This document specifies the quality parameters of axlebox rolling bearings supporting the load of the vehicle, required for reliable operation of trains on European networks. It covers metallurgical and material properties as well as geometric and dimensional characteristics. It also specifies methods for quality assurance and non-destructive testing of the products.

  • Draft
    53 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 4855-02:2025(Main)
Aerospace series - ECO efficiency of catering equipment - Part 02: Oven equipment
kSIST FprEN 4855-02:2025

This document specifies a test procedure to identify performance characteristics and a weight rating of convection and steam ovens used on aircraft. Furthermore, it specifies the calculation procedure to determine an energy consumption index and a performance index. There is no direct correlation between the ECO efficiency and cooking performance in terms of food quality and appearance. The two index values represent the ECO efficiency.

  • Draft
    11 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO 10059-1:2025(Main)
Dense shaped refractory products - Determination of cold compressive strength - Part 1: Referee test without packing (ISO 10059-1:2025)
oSIST prEN ISO 10059-1:2025

This document specifies a method for determination of the cold compressive strength of dense shaped refractory products.
Shaped refractories are those which have fixed geometry and dimensions when delivered to the user. This document is accordingly applicable to standard shape refractory bricks, but also special shapes refractory products and pre-cast products.

  • Draft
    16 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 71-5:2025(Main)
Safety of toys - Part 5: Chemical toys (sets) other than experimental sets
kSIST FprEN 71-5:2025

This document specifies requirements and test methods for toy materials (substances and mixtures) used in chemical toys (sets) other than experimental sets. These substances and mixtures are:
-   those classified as dangerous by the EU legislation applying to dangerous substances and dangerous mixtures [5];
-   substances and mixtures which in excessive amounts could harm the health of the children using them and which are not classified as dangerous by the above-mentioned legislation; and
-   any other chemical substance(s) and mixture(s) delivered with the chemical toy.
NOTE   The terms "substance" and "mixture" are defined in the REACH regulation No. (EC)1907/2006 and in the CLP regulation (EC) No. 1272/2008.
Additionally, requirements are specified for markings, warnings, safety rules, contents list, instructions for use and first aid information.
This document applies to:
-   plaster of Paris (gypsum) moulding sets;
-   oven-hardening plasticised PVC modelling clay sets;
-   polystyrene granules sets;
-   embedding sets;
-   adhesives, paints, lacquers, varnishes, thinners and cleaning agents (solvents), supplied or recommended in model sets;
-   slime kits.

  • Draft
    81 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO 1135-5:2025(Main)
Transfusion equipment for medical use - Part 5: Transfusion sets for single use with pressure infusion apparatus (ISO 1135-5:2025)
kSIST FprEN ISO 1135-5:2025

This document specifies requirements for single use transfusion sets for use with pressure infusion equipment capable of generating pressures. It ensures compatibility with containers for blood and blood components as well as intravenous equipment.
This document also provides guidance on specifications relating to the quality and performance of materials used in transfusion sets, to present designations for transfusion set components, and to ensure the compatibility of sets with red cell and plasma blood components.
NOTE            In some countries, the national pharmacopoeia or other national regulations are legally binding and take precedence over this document.

  • Draft
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO 18227:2025(Main)
Environmental solid matrices - Determination of elemental composition by X-ray fluorescence spectrometry (ISO 18227:2025)
kSIST FprEN ISO 18227:2025

This document specifies the procedure for a quantitative determination of major and trace element concentrations in homogeneous solid waste, soil, soil-like material and sludge by energy dispersive X-ray fluorescence (EDXRF) spectrometry or wavelength dispersive X-ray fluorescence (WDXRF) spectrometry using a calibration with matrix-matched standards.
This document is applicable for the following elements: Na, Mg, Al, Si, P, S, Cl, K, Ca, Ti, V, Cr, Mn, Fe, Co, Ni, Cu, Zn, As, Se, Br, Rb, Sr, Y, Zr, Nb, Mo, Ag, Cd, Sn, Sb, Te, I, Cs, Ba, Ta, W, Hg, Tl, Pb, Bi, Th and U. Concentration levels between a mass fraction of approximately 0,000 1 % and 100 % can be determined depending on the element and the instrument used.
An optional XRF screening method for solid and liquid material as waste, sludge and soil is added in Annex A which provides a total element characterization at a semi-quantitative level, where the calibration is based on matrix-independent calibration curves, previously set up by the manufacturer.

  • Draft
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18209:2025(Main)
LPG equipment and accessories - Cylinders transportation racks controls
kSIST-TS FprCEN/TS 18209:2025

This document specifies the operational procedures and best practices when checking transportation racks for LPG cylinders before and during loading and unloading prior to the vehicles going on the road and at any break during the journey.
This document applies to racks containing transportable refillable LPG cylinders of water capacity from 0,5 l up to and including 150 l.
This document applies to the following equipment:
-   rack frame/structure;
-   rack closures;
-   rack fixing equipment or accessories on to the vehicle.
This document applies to checks performed:
-   at cylinder filling plants and depots;
-   or at cylinder manufacturing and/or refurbishment facilities;
-   or at any place where racks are used or moved.
This document also provides guidance and examples for rack maintenance and repair procedures, including rejection criteria and for establishing operational procedures. Transportation racks are also called stillages, pallets or racks (see Clause 3).
This document does not cover the design and the manufacturing of racks.
This document does not apply to presentation display racks at points of sale.

  • Draft
    23 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 13001-3-5:2025(Main)
Cranes - General design - Part 3-5: Limit states and proof of competence of forged and cast hooks
kSIST FprEN 13001-3-5:2025

This document covers shank hooks made of steel forgings or steel castings, including stainless steel, with shanks machined for a thread/nut suspension of the hook.
Plate hooks, which are those, assembled of one or several parallel parts of rolled steel plates, are not covered by this document.
The significant hazardous situations and hazardous events that could result in risks to persons during intended use and reasonably foreseeable misuse are identified in Annex N. Clauses 4 to 6 of this document provide requirements and methods to reduce or eliminate the risks of exceeding the limits of strength (yield, ultimate, fatigue, brittle fracture) considering temperature limits of material.
The hazards covered by this document are identified in Annex N. This document is applicable to hooks installed in cranes manufactured after the date of approval of this European Standard by CEN and serves as a reference base for product standards of particular crane types.
This part of EN 13001 deals only with the limit state method in accordance with EN 13001-1:2015.

  • Draft
    87 pages
    English language
    sale 10% off
    e-Library read for
    1 day