ISO/TR 11633-2:2021
Health informatics - Information security management for remote maintenance of medical devices and medical information systems - Part 2: Implementation of an information security management system (ISMS)
This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices or health information systems in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner. This document consists of:
- application of ISMS to RMS;
- security management measures for RMS;
- an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.
Informatique de santé — Management de la sécurité de l'information pour la maintenance à distance des dispositifs médicaux et des systèmes d'information médicale — Partie 2: Mise en œuvre d'un système de management de la sécurité de l'information (ISMS)
General Information
- Status: Published
- Publication Date: 12-Feb-2021
- Technical Committee: ISO/TC 215 - Health informatics
- Drafting Committee: ISO/TC 215/WG 4 - Security, Safety and Privacy
- Current Stage: 6060 - International Standard published
- Start Date: 13-Feb-2021
- Completion Date: 13-Feb-2021
Relations
- Effective Date: 23-Apr-2020
Overview
ISO/TR 11633-2:2021, "Health informatics - Information security management for remote maintenance of medical devices and medical information systems - Part 2," is a practical guidance report for implementing an Information Security Management System (ISMS) for remote maintenance services (RMS) in healthcare. It complements ISO/TS 11633-1 by demonstrating concrete risk analysis examples and showing how to protect information assets - especially medical devices, medical information systems and personal health data - when vendors remotely maintain equipment from a remote service centre (RSC).
Key technical topics and requirements
- ISMS framework & PDCA cycle: Implements plan/do/check/act processes, recommending alignment with ISO/IEC 27001 to construct and operate an effective ISMS.
- Scope & coverage: Covers target devices for maintenance, healthcare facility internal networks, the network route to the RSC, RSC internal networks, and equipment management at the RSC. (Certain risks such as general availability, viruses, and staff training issues are noted as out-of-scope.)
- Risk assessment approaches: Describes four methods - baseline, detailed, combined and informal - for analysing threats, likelihood, and impact specific to RMS.
- Documented ISMS elements: Recommends documenting security policy, security measures standards, mapping of policy, selection of solutions, operation execution rules, security auditing standards, and audit trails.
- Security management measures: Guidance on controls and countermeasures for confidentiality, integrity and availability of systems and personal data; includes evaluation of control effectiveness and approval of residual risks.
- Contractual & governance expectations: Advises embedding RMS security obligations in maintenance contracts so healthcare organizations (HCFs) and RMS providers share responsibilities for protecting patient data.
- Security audit: Guidance on conducting security audits of RMS and recommending third-party audits where appropriate.
Practical applications and users
- Who should use it:
  - Healthcare facility IT/security teams implementing RMS governance
  - Medical device vendors and RMS providers establishing secure remote services
  - Compliance officers, clinical engineering departments, and procurement teams
  - Auditors and risk managers assessing RMS security controls
- Practical benefits:
  - Reduces downtime and maintenance costs while controlling security risks
  - Provides documented evidence of RMS security for regulators and stakeholders
  - Enables consistent security controls across multiple sites and providers
Related standards
- ISO/TS 11633-1 (Requirements and risk analysis for RMS)
- ISO/IEC 27001 and ISO/IEC 27002 (ISMS and security control guidance)
ISO/TR 11633-2:2021 is a hands-on resource for integrating information security management into remote maintenance of medical devices and health information systems, balancing patient safety, privacy and operational efficiency.
ISO/TR 11633-2:2021 - Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 2: Implementation of an information security management system (ISMS). Released: 2/13/2021
Frequently Asked Questions
ISO/TR 11633-2:2021 is a technical report published by the International Organization for Standardization (ISO). Its full title is "Health informatics - Information security management for remote maintenance of medical devices and medical information systems - Part 2: Implementation of an information security management system (ISMS)". This standard covers the following: This document gives a guideline for implementation of an ISMS by showing practical examples of risk analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices or health information systems in order to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner. This document consists of:
- application of ISMS to RMS;
- security management measures for RMS;
- an example of the evaluation and effectiveness based on the "controls" defined in the ISMS.
ISO/TR 11633-2:2021 is classified under the following ICS (International Classification for Standards) categories: 35.240.80 - IT applications in health care technology. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/TR 11633-2:2021 has the following relationships with other standards: it is linked to ISO/TR 11633-2:2009, the first edition, which this second edition cancels and replaces. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/TR 11633-2:2021 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
TECHNICAL REPORT ISO/TR 11633-2
Second edition
2021-02
Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 2: Implementation of an information security management system (ISMS)
Informatique de santé — Management de la sécurité de l'information pour la maintenance à distance des dispositifs médicaux et des systèmes d'information médicale — Partie 2: Mise en œuvre d'un système de management de la sécurité de l'information (ISMS)
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
Contents (Page)
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Application of ISMS to remote maintenance services ... 1
4.1 Overview ... 1
4.2 Compliance scope ... 3
4.3 Security policy ... 3
4.4 Assessing risks ... 4
4.5 Risks to be managed ... 4
4.6 Identification of risks that are not described in this document ... 5
4.7 Treating risks ... 5
5 Security management measures for remote maintenance services ... 6
6 Approving residual risks ... 6
7 Security audit ... 7
7.1 Security audit of remote maintenance services ... 7
7.2 Recommendation of security audit by third parties ... 7
Annex A (informative) Example of risk assessment in remote maintenance services ... 8
Bibliography ... 70
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO/TR 11633-2:2009), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— complete revision of the bibliography;
— update of Figure 1;
— update of Annex A.
A list of all parts in the ISO 11633 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The advancement and spread of technology in the information and communication technology field, and of the infrastructure based on it, have brought many changes in how technology and networks are used in modern society. Similarly, in healthcare, information systems that were once closed systems within each healthcare facility (HCF) are now connected by networks, and are progressing to the point of being able to facilitate mutual use of the health information accumulated in these information systems. Such information and communication networks are spreading not only between HCFs but also between HCFs and vendors of medical devices and healthcare information systems. Maintenance of such systems is paramount to keeping them up to date. By practising so-called 'remote maintenance services' (RMS), it becomes possible to reduce downtime and lower costs for this maintenance activity.
Whilst there are benefits to remote maintenance, such remote connections with external organizations
also expose HCFs and vendors to risks regarding confidentiality, integrity and availability of information
and systems; risks which previously received scant consideration.
This document stipulates the risk assessment needed to protect remote maintenance activities, taking into consideration the special characteristics of the healthcare field, such as patient safety, applicable requirements and privacy protections. Although normal remote maintenance is generally done on a contract basis, in the case of medical devices, risk assessment is commonly a legal prerequisite. Therefore, appropriate risk assessment should be implemented wherever remote maintenance is provided in a healthcare context. The risk assessment examples provided in this document support HCFs and RMS providers in implementing risk assessment effectively.
By implementing the risk assessment process and employing the controls referenced in this document, HCF owners and RMS providers will be able to obtain the following benefits:
— Risk assessment can result in improved efficiency. If the risk assessment document created through the use of this document does not fully conform, it may still be used in part in a risk assessment of an otherwise incompatible area, thus reducing the risk assessment effort required.
— Documented validity of the RMS security countermeasures in place will be available to third parties.
— If providing RMS to two or more sites, the provider can apply countermeasures consistently and effectively.
TECHNICAL REPORT ISO/TR 11633-2:2021(E)
Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 2: Implementation of an information security management system (ISMS)
1 Scope
This document gives a guideline for implementation of an ISMS by showing practical examples of risk
analysis on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs)
as provided by vendors of medical devices or health information systems in order to protect both sides’
information assets (primarily the information system itself and personal health data) in a safe and
efficient (i.e. economical) manner.
This document consists of:
— application of ISMS to RMS;
— security management measures for RMS;
— an example of the evaluation and effectiveness based on the “controls” defined in the ISMS.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/TS 11633-1, Health informatics — Information security management for remote maintenance of
medical devices and medical information systems — Part 1: Requirements and risk analysis
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/TS 11633-1 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Application of ISMS to remote maintenance services
4.1 Overview
The information security management system (ISMS) is a mechanism that operates as a series of plan/do/check/act processes under the security policy. This series of processes means that the organization plans out proper security measures (plan), puts those security measures into practice (do), reviews those security measures (check), and reconsiders them if necessary (act). The ISMS is already standardized internationally as ISO/IEC 27001; therefore, it is convenient to construct and operate an ISMS with reference to ISO/IEC 27001. This also helps to persuade patients, medical treatment evaluation organizations and others of the efficacy of the security measures.
General steps of ISMS construction are shown in Figure 1.
Figure 1 — ISMS steps
Security measures for protecting personal information in the remote maintenance services (RMS) are
described below in accordance with the concepts of ISMS.
Both the healthcare organization and the RMS provider should construct an appropriate ISMS. Additionally, the healthcare organization should ideally do the work of coordinating information security management among all RMS providers to protect personal information. The RMS connects the network of the RMS provider and the network of the healthcare organization. After connecting these networks, there is a risk that new security holes are created. In the RMS, problems may occur that differ from those of system construction within a single organization, because the RMS operates between the healthcare organization and the remote maintenance service centre (RSC), two organizations that are independent of each other. It will therefore be a burden on both the healthcare organization and the RSC if security measures are not considered an integral part of the RMS from the outset. In this regard, using the ISMS (a well-evaluated technique) can be considered a better way to implement RMS security efficiently.
Under many jurisdictional laws for personal information protection, the healthcare organization will assume the obligations and responsibilities of being custodian of the personal information. In the RMS, the healthcare organization should request appropriate measures for protecting personal information from the RMS provider, because the provider will access the target device set up in a healthcare facility from the RSC through the network. The healthcare organization must independently coordinate the information security management systems of all RMS providers that provide the RMS, and confirm that security holes have not been created. Additionally, the healthcare organization should confirm that each RMS provider's security level is kept appropriate.
The following items should be documented and established in the ISMS:
— security policy;
— security measures standard;
— mapping of security policy;
— selection of solutions;
— operation execution rule;
— security auditing standards;
— security audit and audit trail.
A healthcare organization should write items into the maintenance contract or agreement between the
healthcare organization and RMS provider that the RSC implements to ensure appropriate measures
in the RSC. As a result, the healthcare organization will distribute the obligation and the responsibility
concerning the protection of personal information during maintenance work to the RMS provider
through the contract and agreement. The healthcare organization should construct the appropriate
ISMS and, at the same time, should put into writing in the maintenance contract or the business
consignment contract the obligation on the part of the RMS provider of providing supervision as the
final authority in charge of personal information management.
The risk analysis and measures are illustrated in this document by the ISMS method. Therefore, it is
thought that constructing the remote maintenance service security (RSS) with this content will bring
advantages to both the healthcare organization and the RSC. When the content of this risk assessment
is not complete, additional risk assessment need only be done on parts that are missing.
4.2 Compliance scope
The coverage of the ISMS in the operational model described in ISO/TS 11633-1:2019, Annex A is as
follows:
— target device for maintenance in healthcare facility (HCF);
— internal network of healthcare organization;
— route from an RMS access point in healthcare organization to the RSC;
— internal network of the RSC;
— equipment management in the RSC.
Because the following risks exist independently of the presence of the RMS, they are excluded from the coverage of the ISMS of this clause:
— threats related to the availability of equipment and software that processes protected health information (PHI);
— threats related to computer viruses;
— threats related to staff, pertaining to adoption, education and training.
4.3 Security policy
The desired content included in a basic policy is referred to in ISO/IEC 27002:2013, Clause 5.1.1.
When these considerations are applied to RSS, it should be able to secure the availability of the system,
and to secure the integrity, readability, and preservation of patient personal information.
The technical, systematic, human resources and physical safety measures of the RSS should be specified
in a basic security policy of the RSS.
The following explanations assume a large-scale integrated HCF. Since it is possible that the RSC which receives RMS exists in two or more sections of a large-scale HCF, a unified management policy is needed. When the HCF scale and the operational form differ from those of a large-scale integrated HCF, it is important to implement the measures in conformity with the actual situation.
4.4 Assessing risks
In risk assessment, analysis of information assets is performed with regard to the following.
— What threats exist?
— To what extent is each threat possible, and what is its frequency of occurrence?
— When the threat is actualized, how much influence does it exert?
The technique of the analysis is broadly classified into the following four approaches.
a) Baseline approach
This is a technique for analysing risk based on the standards and guidelines that are required in the target field. This approach measures security against a standard risk assessment done beforehand in the industry. Though it is advantageous from the perspective of time and cost, because the risk need not be evaluated by the organization itself, the applicability of the standardized risks to the risks of a specific organization can be problematic.
b) Detailed risk analysis
Carrying out a detailed risk assessment includes detailed risk analysis and an appropriate management plan for management to select. A sizable budget in cost and time is needed for the risk assessment, including securing the necessary human resources.
c) Combined approach
This approach combines the baseline approach with the detailed risk analysis and it has the advantages
of each.
d) Informal approach
This approach implements risk analysis by drawing on the knowledge and experience of the staff of the organization. It is difficult for a third party to evaluate the resulting risk analysis because the method is not structured.
The RMS is related to both the healthcare organization and the RSC, so the risk analysis should be one that both can agree upon. In this document, the typical use case is modelled, and the risk assessment concerning this model is carried out. Risk analysis by the baseline approach (a) and the combined approach (c) is enabled by using this risk assessment result. See Table A.1 for the result of the risk assessment. Table A.1 contains the selection of appropriate control objectives and management plans in ISO/IEC 27001 from the result of the risk analysis in ISO/TS 11633-1. Table A.1 conforms to ISO/IEC 27001, and is composed of 14 management fields and 114 management plans.
The measures prescribed here specify the procedures which should be observed, at least in performing
RMS. The healthcare organization, which is also the administrator of personal information, should
evaluate whether the RSC conforms to this document, and should request that appropriate measures be
taken if it does not. Moreover, if the healthcare organization's security level is below the level specified
in this document, appropriate measures should be put in place. Each RMS provider is expected to
implement appropriate measures in order to achieve the requirements described in ISO/TS 11633-1.
4.5 Risks to be managed
This subclause explains some examples, from the viewpoint of personal information protection, of risks which should be especially noted in an RMS. It is important to implement sufficient measures against these risks. The risks discussed here are mere examples; the management of other risks is also important.
a) When the RSC handling personal information is managed by the healthcare organization.
In this case, the point that needs particular attention is a leak of information by the third party.
Consideration needs to be given to information displayed on computer screens in the work environment
and information printed out on paper, as well as to the threat of hacking into the system. The main risks
are as follows:
— viewing of screens by persons other than persons concerned in RSC;
— leakage in third party trust;
— leakage from logs generated when data is analysed, from printed paper or cache memory, etc.;
— leakage in the network.
b) When the RSC accesses equipment of the healthcare organization for maintenance with administrative authority.
In this case, the points that need particular attention are operator error and inappropriate access to the computer (submit operations that are permitted). The main risks are as follows:
— destruction of data in target device due to an operator mistake;
— destruction of data in target device due to malicious or subversive activities;
— leakage and destruction of more important information due to inside intrusion via the
maintenance device.
c) When the RSC updates the software.
In this case, care is required not to install malicious software and computer viruses, etc., into the target
devices. The main risks are as follows:
— leakage and destruction of data in target device due to malicious software;
— leakage and destruction of important information via internal intrusion due to a computer virus.
4.6 Identification of risks that are not described in this document
In this document, risk assessment is performed in accordance with the typical model, so other use cases are outside its scope. If a business model is different from the model that this document assumes, the risk assessment results of this document may be misapplied. There is also a possibility that not all cases can be covered. When coverage of all cases is not possible, a detailed risk analysis should be conducted using the combined risk assessment approach, which is not described in this document.
The risk assessment method in the detailed risk analysis is explained in ISO/TS 11633-1. By adopting
the methods of ISO/TS 11633-1, the results of a risk assessment guided by a different business model
can be easily integrated with the results of a risk assessment guided by this document.
4.7 Treating risks
Risk treatment is defined as treatment of the assumed risk in accordance with the results of risk
assessment. Risk treatment choices are shown in Table 1. These choices are combined and implemented
where necessary.
In the usual risk management process, a combination of these measures is selected by making an overall judgement of the severity of the risk or the ease of implementing the measures. It is especially important to adopt the risk control(s) specified by information privacy protection laws and regulations. In this case the risk should be controlled, because risk retention or transfer are not typically adequate to meet these privacy protection laws; the only alternative would be risk avoidance, which means not handling any data that falls within the scope of privacy protection laws and regulations.
In this document, it is recommended that risk control be performed positively based on the ISMS.
Concrete measures are explained in detail in Annex A.
Table 1 — Risk treatment
Risk control: measures (management plan) are adopted to positively reduce damage.
— Risk prevention — measures to reduce threats and vulnerabilities are implemented.
— Minimization of damage — measures to reduce the damage when the risk is generated are implemented.
Risk transfer: measures to transfer the risk to third parties by contract, etc.
— Insurance — utilizes damage insurance and other types of insurance so that the risk is transferred.
— Outsourcing — information assets and information security measures are entrusted to an outside party.
Risk retention: approach that accepts the risk as belonging to the organization.
— Financing — this corresponds to accumulating a reserve, etc.
— Nothing is done.
Risk avoidance: approach taken when appropriate measures cannot be found.
— Abolition of business — the business is stopped.
— Destruction of information assets — the management object is lost.
5 Security management measures for remote maintenance services
The possibility of leakage of personal information such as patient information from the RMS requires
the healthcare organization to obtain the help of the RSC to achieve RMS security.
In order to take appropriate security measures for the actualization of the safety of the RMS, the
healthcare organization and the RSC should select controls based upon the result of the risk assessment.
Regardless of whether or not the RSC is supervised by the healthcare organization, the RSC should
ensure the RMS meets security requirements.
Annex A illustrates concretely how to proceed with the safety management measures during RMS
for the healthcare organization and the RSC. It is expected that referring to Table 1 will reduce risk
assessment time when preparing the RMS.
Even if the RMS is already operational, auditing using Table 1 is recommended to make sure that the
risk assessment is adequate.
6 Approving residual risks
Residual risk means the following among the risks identified by risk assessment:
— risk for which sufficient measures are intentionally not taken;
— risk that is difficult to identify;
— risk for which complete measures are too expensive.
When risks remain, even if the HCF performs risk control, risk retention or risk transfer, management
should judge whether or not these residual risks are approved from a management point of view.
When the HCF management approves these residual risks, it means that the HCF accepts the RMS as
constituted by risk assessment based on the ISMS.
The HCF approves the residual risks in the whole contract of the RMS, and the RSC operates the RMS while paying attention to residual risks. According to the result of the risk analysis in the RMS illustrated in Annex A, particularly in the RSC, there is still the possibility of leakage of personal information such as PHI. The HCF should recognize these dangers, take into account guidelines issued by government, and audit the appropriate security measures that are taken in the actual RMS.
7 Security audit
7.1 Security audit of remote maintenance services
The purpose of the security audit is to confirm whether the risk management related to security is
effectively implemented and to confirm whether an appropriate control based on the risk assessment
is done. The security audit comprehensively assesses the conformity of the information security
management standard, but it is also possible to focus on auditing the RMS itself. In the security audit
of the RMS, the auditor verifies and evaluates, if appropriate, whether controls based on the risk
assessment are maintained and operated.
Moreover, it is an effective measure for both the HCF and the RSC to evaluate the safety standards of their security by means of the security audit, because the result of such audits becomes effective evaluative material for improving the solidity of the RMS.
7.2 Recommendation of security audit by third parties
There are the following problems to conduct information security audits as internal audits:
— it is hard to notice that the risks to be assessed are missing;
— objectivity and independence will not be satisfied;
— it takes time to train auditors because specialized knowledge is required;
— it is difficult to make an audit report for the purpose of disclosure.
As mentioned above, the HCF should be audited by an external organization and by an auditor with a
high degree of technical knowledge, in order to objectively evaluate the RMS. Performing an external
audit based on an appropriate audit procedure facilitates information security certification such as the
ISMS. Finally, the HCF can enhance its societal reputation. It is also recommended to adopt external
audit to reduce any gap in reliability of the security audit reports of the HCF and RSC.
Annex A
(informative)
Example of risk assessment in remote maintenance services
This annex provides an example of risk assessment of remote maintenance services. The example is
shown in Table A.1. The rows of Table A.1 follow the order of the relevant clauses of ISO/IEC 27001.
Notes for the interpretation of Table A.1 are found in Table A.2 to Table A.7.
Table A.1 — Example of risk assessment of remote maintenance services

Columns of Table A.1: Clause | Subclause | Control objectives | Controls | No | Site | Asset | Example of Threat (C: Confidentiality, I: Integrity, A: Availability) | Example of Control Measures | V | I | L | E.
Reading notes for the rows below:
— "(no example)" means the No, Site, Asset, Threat, Control Measures and V/I/L/E cells of that control are "-" in the table.
— A score written "3>2" gives the value before and after the listed control measure; I and L are unchanged in every row, and in every row E equals V × I × L, both before and after.
— In the threat column, loss of confidentiality is written "exposure" and loss of integrity "concoction" (falsification of the data).

A.5 Information security policies
  A.5.1 Management direction for information security
  Control objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  Controls:
  — A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. (no example)
  — The policies for information security should be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. (no example)

A.6 Organization of information security
  A.6.1 Internal organization
  Control objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
  Controls:
  — All information security responsibilities should be defined and allocated. (no example)
  — Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. (no example)
  — Appropriate contacts with relevant authorities should be maintained. (no example)
  — Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. (no example)
  — Information security should be addressed in project management, regardless of the type of the project. (no example)
  A.6.2 Mobile devices and teleworking
  Control objective: To ensure the security of teleworking and use of mobile devices.
  Controls:
  — A policy and supporting security measures should be adopted to manage the risks introduced by using mobile devices. (no example)
  — A policy and supporting security measures should be implemented to protect information accessed, processed or stored at teleworking sites. (no example)

A.7 Human resource security
  A.7.1 Prior to employment
  Control objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
  Controls:
  — Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. (no example)
  — The contractual agreements with employees and contractors should state their and the organization's responsibilities for information security. Examples:
    No 1-1, Site A1, Asset a
    Threat: Unauthorized use "C" of the PHI information in onsite RSC equipment by RSC service personnel leads to exposure of the information.
    Control measures: Internal audits of the records can detect unauthorized use by RSC service personnel; in addition, unauthorized use by RSC service personnel can be detected because it restricts illegal operation. Confidentiality and background checks (confirmation of qualification) can restrict unauthorized use by RSC service personnel by preventing irregular practices by operators. Keeping records (of the person requesting an event, type, date, etc.) in combination with internal audits.
    V 3>2, I 3, L 1, E 9>6

    No 1-2, Site A1, Asset a
    Threat: Unauthorized use "C" of PHI information in the RSC and its equipment by RSC service personnel from an inside source leads to exposure of the information.
    Control measures: as for No 1-1.
    V 3>2, I 3, L 1, E 9>6

    No 1-9 (Site A1, Asset h); No 2-8 (Sites B1 and B2, Asset o); No 4-8 (Site D1, Asset o)
    Threat: Bribery "C" leads to exposure "C" of PHI information.
    Control measures: Confidentiality and background checks can restrict unauthorized use due to bribery by containing and preventing irregular practices by operators.
    V 3>2, I 3, L 1, E 9>6

    No 5-1, Site E1, Asset a
    Threat: Unauthorized use "C" of PHI information in equipment subject to onsite maintenance by primary service personnel leads to exposure "C" of the information.
    Control measures: Internal audits of the records can detect unauthorized use by primary service personnel; in addition, unauthorized use by primary service personnel can be detected because it restricts illegal operation. Confidentiality and background checks (confirmation of qualification) can restrict unauthorized use by primary service personnel by preventing irregular practices by operators. Keeping records (of the person requesting an event, type, date, etc.) in combination with internal audits.
    V 3>2, I 3, L 1, E 9>6
    Threat: Replacement "I" of PHI information in equipment subject to onsite maintenance by primary service personnel leads to concoction "I" of the information.
    Control measures: Privilege management (access control) in combination with access control. Access control (write protection and prohibition of file erasure) can prevent primary service personnel from replacing files.
    V 3, I 3, L 1, E 9

    No 5-2, Site E1, Asset a
    Threat: Unauthorized use "C" of PHI information in the equipment subject to maintenance by RSC service personnel from an external source leads to exposure "C" of the information.
    Control measures: as for No 1-1.
    V 3>2, I 3, L 1, E 9>6
    Threat: Replacement "I" of PHI information in equipment subject to maintenance by RSC service personnel, from an external path, leads to concoction "I".
    Control measures: Privilege management (access control) in combination with access control. Access control (write protection and prohibition of file erasure) can prevent RSC service personnel from replacing files.
    V 3>2, I 3, L 1, E 9>6

    No 5-3, Site E1, Asset c
    Threat: Removing "C" or replacement "I" onsite by a physician leads to exposure "C" or concoction of PHI information.
    Control measures: Confidentiality can restrict unauthorized use by containing and preventing irregular practices; however, it has little effect in itself.
    V 3, I 3, L 1, E 9

    No 5-9, Site E1, Asset h
    Threat: Bribery "C" leads to PHI information exposure.
    Control measures: Confidentiality and background checks can restrict unauthorized use due to bribery by containing and preventing irregular practices by operators.
    V 3>2, I 3, L 1, E 9>6

  A.7.2 During employment
  Control objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  Controls:
  — Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. (no example)
  — All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. Example:
    No 1-9, Site A1, Asset h
    Threat: Incorrect input "I" and accidental deletion "A" lead to service trouble "A" of the remote service.
    Control measures: Training and skill standards can prevent service trouble due to incorrect input and accidental deletion by maintaining and improving the qualifications of operators.
    V 3>2, I 3, L 2, E 18>12
  — There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. Examples:
    No 2-8 (Site B1) and No 4-8 (Site D1), Asset o
    Threat: Bribery "C" leads to exposure "C" of PHI information.
    Control measures: Confidentiality and background checks can restrict unauthorized use due to bribery by containing and preventing irregular practices by operators.
    V 3>2, I 3, L 2, E 18>12
    No 5-9, Site E1, Asset h
    Threat: Incorrect input "I" and accidental deletion "A" lead to service trouble "A" of the remote service.
    Control measures: Training and skill standards can prevent service trouble due to incorrect input and accidental deletion by maintaining and improving the qualifications of operators.
    V 3>2, I 3, L 2, E 18>12

  A.7.3 Termination and change of employment
  Control objective: To protect the organization's interests as part of the process of changing or terminating employment.
  Control:
  — Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced. Example:
    No 5-1, Site E1, Asset a
    Threat: Unauthorized use "C" of PHI information in equipment subject to onsite maintenance by primary service personnel leads to exposure "C" of the information.
    Control measures: as for No 5-1 under A.7.1 (internal audits of the records, confidentiality and background checks, record keeping combined with internal audits).
    V 3>2, I 3, L 1, E 9>6

A.8 Asset management
  A.8.1 Responsibility for assets
  Control objective: To identify organizational assets and define appropriate protection responsibilities.
  Controls:
  — Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. (no example)
  — Assets maintained in the inventory should be owned. (no example)
  — Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. (no example)
  — All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. (no example)
  A.8.2 Information classification
  Control objective: To ensure that information receives an appropriate level of protection in accorda
  Controls:
  — Information should be classified in terms of legal requirements, value, criticality and sensitivity (no example)
...
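The scoring columns of Table A.1 can be checked mechanically, and the same register is what a Clause 6 residual-risk review and a Clause 7 audit would start from. The Python below is an added example, not part of ISO/TR 11633-2 and not any vendor's tooling: it parses V, I, L and E cells in the table's own "before>after" notation, recomputes E as V × I × L (the relation that holds in every row shown above), flags any row whose recorded E disagrees with that product, and lists the rows whose score after the control measure still sits at or above an acceptance threshold, i.e. the residual risks that Clause 6 says management has to approve. The threshold (9), the treatment of a cell without ">" as unchanged by the control, and the abridged threat wording in the sample rows are assumptions of this example; the definitions of V, I and L belong to Tables A.2 to A.7, which are not reproduced here, and the numeric scores are copied from the table rows above.

```python
"""Risk-register helper for Table A.1-style scores (added example, not from the standard)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Score = Tuple[int, Optional[int]]  # (value before control measure, value after or None)


def parse_score(cell: str) -> Score:
    """'3>2' -> (3, 2); '3' -> (3, None). Any other shape is a malformed cell."""
    parts = [p.strip() for p in cell.split(">")]
    if len(parts) == 1:
        return int(parts[0]), None
    if len(parts) == 2:
        return int(parts[0]), int(parts[1])
    raise ValueError(f"malformed score cell: {cell!r}")


def after(score: Score) -> int:
    """Value after the control measure; assumed unchanged when the cell had no '>' part."""
    return score[0] if score[1] is None else score[1]


@dataclass(frozen=True)
class RiskRow:
    no: str          # row number in Table A.1, e.g. "1-1"
    site: str        # e.g. "A1"
    asset: str       # e.g. "a"
    cia: str         # C, I or A, as in the threat column
    threat: str      # abridged threat wording (assumption of this example)
    v_cell: str      # V cell exactly as written in the table
    i_cell: str      # I cell
    l_cell: str      # L cell
    e_cell: str      # E cell as recorded in the table
    measures: str    # abridged control-measure wording

    def computed_e(self) -> Tuple[int, int]:
        """(E before, E after) recomputed as V * I * L."""
        sv, si, sl = parse_score(self.v_cell), parse_score(self.i_cell), parse_score(self.l_cell)
        return sv[0] * si[0] * sl[0], after(sv) * after(si) * after(sl)

    def recorded_e(self) -> Tuple[int, int]:
        """(E before, E after) as the table records it."""
        se = parse_score(self.e_cell)
        return se[0], after(se)


def check_row(row: RiskRow) -> bool:
    """True when the recorded E cell agrees with V * I * L before and after the control."""
    return row.computed_e() == row.recorded_e()


def residual_risks(rows: List[RiskRow], accept_below: int) -> List[str]:
    """Row numbers whose E after the control measure is still >= accept_below.

    These are the residual risks that management has to approve (Clause 6);
    the threshold itself is an assumption of this example.
    """
    return [r.no for r in rows if r.computed_e()[1] >= accept_below]


# Constructed sample register: scores copied from the Table A.1 rows quoted above,
# threat and measure text abridged.
SAMPLE_ROWS = [
    RiskRow("1-1", "A1", "a", "C",
            "Unauthorized use of PHI in onsite RSC equipment by RSC service personnel",
            "3>2", "3", "1", "9>6",
            "Confidentiality and background checks; records plus internal audits"),
    RiskRow("5-1", "E1", "a", "I",
            "Replacement of PHI by primary service personnel during onsite maintenance",
            "3", "3", "1", "9",
            "Privilege management; write protection and file erasure prohibition"),
    RiskRow("5-3", "E1", "c", "C",
            "Removal or replacement of PHI onsite by a physician",
            "3", "3", "1", "9",
            "Confidentiality obligations (little effect in itself)"),
    RiskRow("1-9", "A1", "h", "A",
            "Incorrect input and accidental deletion cause remote-service trouble",
            "3>2", "3", "2", "18>12",
            "Training and skill standards for operators"),
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        status = "consistent" if check_row(r) else "MISMATCH with recorded E"
        print(f"{r.no} {r.site}/{r.asset} [{r.cia}] E={r.computed_e()} {status}")
    print("residual risks for management approval:", residual_risks(SAMPLE_ROWS, accept_below=9))
```

Rows whose E is unchanged after the control (5-1 replacement, 5-3) are exactly the ones that come back from residual_risks with the assumed threshold, which matches the point made in Clause 6: the controls listed in the table reduce V for the confidentiality threats but leave the onsite integrity threats where they were, so those are the entries an HCF would expect to see on the residual-risk approval list and to re-check at audit time.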
The article discusses ISO/TR 11633-2:2021, which provides guidelines for implementing an Information Security Management System (ISMS) for remote maintenance services (RMS) in healthcare facilities. The document includes practical examples of risk analysis and security measures to protect information assets, such as medical devices and personal health data. It also includes an example of evaluating the effectiveness of controls defined in the ISMS. The aim is to ensure the safe and efficient protection of information in a cost-effective manner.