Health informatics - Information security management in health using ISO/IEC 27002 (ISO/DIS 27799:2025)

ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), so that the information is always appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare; they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development, and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health informatics;
d) data quality (as distinct from data integrity).

General Information

Status: Not Published
Publication Date: 17-Aug-2026
Current Stage: 4020 - Submission to enquiry - Enquiry
Start Date: 23-Jan-2025
Due Date: 23-Jan-2025
Completion Date: 23-Jan-2025

Buy Standard

Draft: prEN ISO 27799:2025, English language, 82 pages

Standards Content (Sample)

SLOVENIAN STANDARD
1 March 2025
Replaces: SIST EN ISO 27799:2017
Health informatics - Information security management in health using ISO/IEC 27002 (ISO/DIS 27799:2025)
This Slovenian standard is identical to: prEN ISO 27799
ICS:
35.030 IT Security
35.240.80 IT applications in health care technology
Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT International Standard ISO/DIS 27799
ISO/TC 215
Secretariat: ANSI
Health informatics — Information security management in health using ISO/IEC 27002
Voting begins on: 2025-01-20
Voting terminates on: 2025-04-14
ICS: 35.030; 35.240.80
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/DIS 27799:2025(en)
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 General
4.1 Structure of this Document
4.2 Safety
4.3 Selecting and applying controls
4.3.1 Determining controls
4.3.2 Application of Guidance
4.3.3 Use with ISO/IEC 27001:2022
5 Organizational controls
5.1 Policies for information security
5.2 Information security roles and responsibilities
5.3 Segregation of duties
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.7 Threat intelligence
5.8 Information security in project management
5.9 Inventory of information and other associated assets
5.10 Acceptable use of information and other associated assets
5.11 Return of assets
5.12 Classification of information
5.13 Labelling of information
5.14 Information transfer
5.15 Access control
5.16 Identity management
5.17 Authentication information
5.18 Access rights
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.33 Protection of records
5.34 Privacy and protection of PII
5.35 Independent review of information security
5.36 Conformance with policies, rules and standards for information security
5.37 Documented operating procedures
5.38 HLT – Information security requirements analysis and specification
5.39 HLT – Uniquely identifying subjects of care
5.40 HLT – Validation of displayed/printed data
5.41 HLT – Publicly available health information
...
