oSIST prEN ISO 27789:2026
Health informatics - Audit trails for electronic health records (ISO/DIS 27789:2026)
This document specifies a common framework for audit trails for electronic health records (EHR), in terms of audit trigger events and audit data, to keep the complete set of personal health information auditable across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record each time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify the function performed by the user (record creation, read, update, etc.), and record the date and time at which the function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy for the domain where the electronic health record resides. It does not deal with any personal health information from the electronic health record, other than identifiers, the audit record only containing links to EHR segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security purposes, such as the detection of performance problems, application flaws, or support for a reconstruction of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)[9].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO/DIS 27789:2026)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO/DIS 27789:2026)
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO/DIS 27789:2026)
General Information
- Status: Not Published
- Public Enquiry End Date: 28-May-2026
- Technical Committee: ITC - Information technology
- Current Stage: 4020 - Public enquiry (PE) (Adopted Project)
- Start Date: 19-Mar-2026
- Due Date: 06-Aug-2026
Relations
- Effective Date: 02-Jul-2025
Overview
oSIST prEN ISO 27789:2026, "Health informatics - Audit trails for electronic health records," is a draft international standard developed by CEN and ISO. This document establishes a comprehensive framework for the creation and management of audit trails specific to electronic health records (EHR). Its purpose is to ensure the traceability, accountability, and security of all actions performed on personal health information across different health information systems and organizational domains.
The standard applies to any system processing personal health information that generates a secure audit record whenever a user reads, creates, updates, or archives data in an EHR. The audit trail must, at a minimum, uniquely identify the user, the subject of care, the action performed, and the exact date and time of the event, thereby supporting robust information governance, regulatory compliance, and patient trust.
Key Topics
- Audit Trail Structure: Defines how audit records are formatted, including the types of events that trigger an audit record, the necessary data fields, and requirements for securely managing audit logs.
- Trigger Events: Specifies the actions that must be audited, focusing on access to personal health information (including create, read, update, archive).
- User and Subject Identification: Mandates unambiguous identification of system users and the subject of care affected by an action, supporting clear accountability.
- Security and Confidentiality: Outlines safeguard requirements for the confidentiality, integrity, and retention of audit data, referencing best practices from related standards.
- Access Policies: Stresses the importance of domain-specific access policies, which govern who may access audit trails and under which conditions.
- Governance and Supervision: Details how audit records support oversight, detection of unauthorized access, privilege misuse, and the evaluation of access policies.
Applications
This standard provides essential guidance for:
- Healthcare Providers: Ensuring complete, secure, and auditable records of all interactions with EHR systems, underpinning both clinical and administrative accountability.
- Health IT Vendors & Developers: Designing and implementing EHR systems that meet international best practices for auditability and compliance with privacy regulations.
- Data Protection Officers & Auditors: Reviewing audit logs to demonstrate regulatory compliance, support investigations, and manage risk.
- Patients & Subjects of Care: Enabling transparency regarding who accessed their health records and when, supporting trust and facilitating the exercise of their privacy rights.
- Regulatory Bodies: Harmonizing health informatics audit trail expectations across jurisdictions, promoting consistent enforcement and oversight.
The audit framework described in oSIST prEN ISO 27789:2026 supports not only security and privacy compliance (such as GDPR) but also cross-domain interoperability, making it suitable for regional, national, or transnational health information exchanges.
Related Standards
oSIST prEN ISO 27789:2026 builds upon and interfaces with several related standards in health informatics and information security:
- FprEN ISO 27799: Information security controls in health using ISO/IEC 27002 as a baseline, for overall information security management.
- ISO/TS 21089: Trusted end-to-end information flows for health informatics, providing foundational concepts and terminology.
- ISO/IEC 15408 (all parts): General computer security standards, referenced here for audit logging done for system management and system security purposes, which lies outside the health record-specific scope of ISO 27789.
- IETF RFC 3881: Earlier work on health record access audit logging.
- ISO/HL7 10781 & ISO 21298: Standards detailing EHR system functional models and role-based access control frameworks.
Practical Value
By implementing oSIST prEN ISO 27789:2026, organizations ensure that their electronic health record systems provide complete, tamper-evident audit trails, helping detect unauthorized access, supporting legal and regulatory inquiries, and reinforcing patient privacy and the integrity of health information. This standard is vital for health IT compliance, patient safety, and earning public trust in digital healthcare systems.
Keywords: health informatics, electronic health records, EHR, audit trails, audit logging, information security, patient privacy, ISO 27789, CEN, data protection, accountability in healthcare.
Frequently Asked Questions
oSIST prEN ISO 27789:2026 is a draft published by the Slovenian Institute for Standardization (SIST). Its full title is "Health informatics - Audit trails for electronic health records (ISO/DIS 27789:2026)". This standard covers the scope given in the abstract at the top of this page.
oSIST prEN ISO 27789:2026 is classified under the following ICS (International Classification for Standards) categories: 35.240.80 - IT applications in health care technology. The ICS classification helps identify the subject area and facilitates finding related standards.
oSIST prEN ISO 27789:2026 has the following relationship with other standards: it has an inter-standard link to SIST EN ISO 27789:2021, the adopted edition that this draft revises. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD
01-May-2026
Zdravstvena informatika - Revizijske sledi za elektronske zdravstvene zapise (ISO/DIS 27789:2026)
Health informatics - Audit trails for electronic health records (ISO/DIS 27789:2026)
Medizinische Informatik - Audit-Trails für elektronische Gesundheitsakten (ISO/DIS 27789:2026)
Informatique de santé - Historique d'expertise des dossiers de santé informatisés (ISO/DIS 27789:2026)
This Slovenian standard is identical to: prEN ISO 27789
ICS: 35.240.80 IT applications in health care technology
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
DRAFT International Standard ISO/DIS 27789
ISO/TC 215, Secretariat: ANSI
Health informatics — Audit trails for electronic health records
Informatique de santé — Historique d'expertise des dossiers de santé informatisés
ICS: 35.240.80
Voting begins on: 2026-03-13
Voting terminates on: 2026-06-05
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/DIS 27789:2026(en)
© ISO 2026
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 5
5 Requirements and uses of audit data ... 5
5.1 Ethical and formal requirements ... 5
5.1.1 General ... 5
5.1.2 Access policy ... 5
5.1.3 Unambiguous identification of information system users ... 5
5.1.4 User roles ... 5
5.1.5 Secure audit records ... 6
5.2 Uses of audit data ... 6
5.2.1 Governance and supervision ... 6
5.2.2 Subjects of care exercising their rights ... 6
5.2.3 Evidence and retention requirements ... 6
6 Trigger events ... 7
6.1 General ... 7
6.2 Details of the event types and their contents ... 7
6.2.1 Access events to the personal health information ... 7
6.2.2 Query events to the personal health information ... 8
7 Audit record details ... 8
7.1 The general record format ... 8
7.2 Trigger event identification ... 10
7.2.1 Event ID ... 10
7.2.2 Event action code ... 11
7.2.3 Event date and time ... 11
7.2.4 Event outcome indicator ... 11
7.2.5 Event type code ... 12
7.3 User identification ... 12
7.3.1 User ID ... 12
7.3.2 Alternative user ID ... 12
7.3.3 User name ... 13
7.3.4 User is requestor ... 13
7.3.5 Role ID code ... 13
7.3.6 Purpose of use ... 14
7.4 Access point identification ... 15
7.4.1 Network access point type code ... 15
7.4.2 Network access point ID ... 16
7.5 Audit source identification ... 16
7.5.1 Overview ... 16
7.5.2 Audit enterprise site ID ... 17
7.5.3 Audit source ID ... 17
7.5.4 Audit source type code ... 17
7.6 Participant object identification ... 18
7.6.1 Overview ... 18
7.6.2 Participant object type code ... 19
7.6.3 Participant object type code role ... 19
7.6.4 Participant object data life cycle and record entry lifecycle events ... 20
7.6.5 Participant object ID type code ... 22
7.6.6 Participant object Permission PolicySet ... 23
7.6.7 Participant object sensitivity ... 23
7.6.8 Participant object ID ... 23
7.6.9 Participant object name ... 23
7.6.10 Participant object query ... 23
7.6.11 Participant object detail, Participant object description ... 24
8 Audit records for individual events ... 24
8.1 Access events ... 24
8.2 Query events ... 26
9 Secure management of audit data ... 27
9.1 Security considerations ... 27
9.2 Securing the availability of the audit system ... 28
9.3 Retention requirements ... 28
9.4 Securing the confidentiality and integrity of audit trails ... 28
9.5 Access to audit data ... 28
Annex A (informative) Audit scenarios ... 29
Annex B (informative) Audit log services ... 35
Bibliography ... 43
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent
rights identified during the development of the document will be in the Introduction and/or on the ISO list of
patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 215, Health informatics, in collaboration with
the European Committee for Standardization (CEN) Technical Committee CEN/TC 251, Health informatics, in
accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).
This third edition cancels and replaces the second edition (ISO 27789:2021), which has been technically revised.
The main changes are as follows:
— harmonization between ISO 27789 audit record format and DICOM format;
— bibliography update.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
0.1 General
Personal health information is regarded by many as among the most confidential of all types of personal
information and protecting its confidentiality is essential to maintain the privacy of subjects of care. In
order to protect the consistency of health information, it is also important that its entire life cycle be fully
auditable. Health records should be created, processed and managed in ways that guarantee the integrity
and confidentiality of their contents and that support legitimate control by subjects of care in how the
records are created, used and maintained.
Trust in electronic health records requires physical and technical security elements along with data integrity
elements. Among the most important of all security requirements to protect personal health information
and the integrity of records are those relating to audit and logging. These help to ensure accountability
for subjects of care who entrust their information to electronic health record (EHR) systems. They also
help to protect record integrity, as they provide a strong incentive to users of such systems to adhere to
organizational policies on the use of these systems.
Effective audit and logging can help to uncover misuse of EHR systems or EHR data and can help organizations
and subjects of care obtain redress against users abusing their access privileges. For auditing to be effective,
it is necessary that audit trails contain sufficient information to address a wide variety of circumstances
(see Annex A).
Audit logs are complementary to access controls. The audit logs provide a means to assess conformity with
organizational access policy and can contribute to improving and refining the policy itself. But as such a
policy needs to anticipate the occurrence of unforeseen or emergency cases, analysis of the audit logs
becomes the primary means of ensuring access control for those cases.
This document is strictly limited in scope to logging of events. Changes to data values in fields of an EHR
are presumed to be recorded in the EHR database system itself and not in the audit log. It is presumed that
the EHR system itself contains both the previous and updated values of every field. This is consistent with
contemporary point-in-time database architectures. The audit log itself is presumed to contain no personal
health information other than identifiers and links to the record.
Electronic health records on an individual person can reside in many different information systems within
and across organizational or even jurisdictional boundaries. To keep track of all actions that involve records
on a particular subject of care, a common framework is a prerequisite. This document provides such a
framework. To support audit trails across distinct domains, it is essential to include references in this
framework to the policies that specify the requirements within the domain, such as access control rules and
retention periods. Domain policies may be referenced implicitly by identification of the audit log source.
0.2 Benefits of using this document
Standardization of audit trails on access to electronic health records aims at two goals:
— ensuring that information captured in an audit log is sufficient to clearly reconstruct a detailed chronology
of the events that have shaped the content of an electronic health record;
— ensuring that an audit trail of actions relating to a subject of care's record can be reliably followed, even
across organizational domains.
This document is intended for those responsible for overseeing health information security or privacy and
for healthcare organizations and other custodians of health information seeking guidance on audit trails,
together with their security advisors, consultants, auditors, vendors and third-party service providers.
0.3 Related standards on electronic health record audit trails
This document builds upon, and is consistent with, the work begun in IETF RFC 3881[1] with respect to
access to the EHR. This document also builds upon and is consistent with the content in ISO/TS 21089:2018.
Health informatics — Audit trails for electronic health
records
1 Scope
This document specifies a common framework for audit trails for electronic health records (EHR), in terms
of audit trigger events and audit data, to keep the complete set of personal health information auditable
across information systems and domains.
It is applicable to systems processing personal health information that create a secure audit record each
time a user reads, creates, updates, or archives personal health information via the system.
NOTE Such audit records at a minimum uniquely identify the user, uniquely identify the subject of care, identify
the function performed by the user (record creation, read, update, etc.), and record the date and time at which the
function was performed.
This document covers only actions performed on the EHR, which are governed by the access policy for the
domain where the electronic health record resides. It does not deal with any personal health information
from the electronic health record, other than identifiers, the audit record only containing links to EHR
segments as defined by the governing access policy.
It does not cover the specification and use of audit logs for system management and system security
purposes, such as the detection of performance problems, application flaws, or support for a reconstruction
of data, which are dealt with by general computer security standards such as ISO/IEC 15408 (all parts)[2].
Annex A gives examples of audit scenarios. Annex B gives an overview of audit log services.
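An added illustration, not code from the standard, of the minimum audit-record content in the NOTE above and the constraints of Introduction 0.1: a hash-chained, append-only audit log whose records hold only identifiers and links to EHR segments, with a chain-integrity check (the tamper evidence a custodian relies on), the per-subject chronology of Introduction 0.2, and a comparison of logged actions against a role-based domain access policy. The field names, the `role_id` and `outcome` vocabularies, the hash-chain design and the sample events and policy are assumptions, not taken from ISO 27789.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence, Set, Tuple

ALLOWED_ACTIONS: Set[str] = {"create", "read", "update", "archive"}  # trigger events in the Scope
GENESIS_HASH = "0" * 64  # assumed anchor for the first record's previous_hash

@dataclass(frozen=True)
class AuditRecord:
    """One audit record. Deliberately no free-text or clinical-value field: per
    Introduction 0.1 the log holds identifiers and links only; data values stay in the EHR."""
    user_id: str                       # who: unique user identifier
    role_id: str                       # role the user acted under (assumed field name)
    subject_of_care_id: str            # whose record: unique subject-of-care identifier
    action: str                        # what: create / read / update / archive
    event_time: str                    # when: ISO 8601 timestamp, UTC
    ehr_segment_refs: Tuple[str, ...]  # links to EHR segments, never their content
    outcome: str                       # "success" or "failure" (assumed vocabulary)
    previous_hash: str                 # hash of the preceding record (chain link)
    record_hash: str                   # SHA-256 over all fields above

def _hash_record(record: AuditRecord) -> str:
    """Hash every field except record_hash; covering previous_hash means that editing,
    inserting or deleting an earlier record breaks every later link."""
    content = asdict(record)
    content.pop("record_hash")
    canonical = json.dumps(content, sort_keys=True)  # tuples serialize as lists
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def _looks_like_identifier(value: str) -> bool:
    """Coarse guard against clinical text stored as a 'link' (assumed convention:
    short, no whitespace); it complements, not replaces, data-classification review."""
    return isinstance(value, str) and 0 < len(value) <= 128 and not any(c.isspace() for c in value)

class AuditLog:
    """Append-only, hash-chained audit log for one audit source."""
    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    def append(self, user_id: str, role_id: str, subject_of_care_id: str, action: str,
               ehr_segment_refs: Sequence[str], outcome: str = "success",
               event_time: Optional[str] = None) -> AuditRecord:
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown trigger event: {action!r}")
        if outcome not in ("success", "failure"):
            raise ValueError(f"unknown outcome: {outcome!r}")
        refs = tuple(ehr_segment_refs)
        if not refs or not all(_looks_like_identifier(r) for r in refs):
            raise ValueError("segment references must be opaque identifiers")
        if event_time is None:
            event_time = datetime.now(timezone.utc).isoformat(timespec="seconds")
        previous = self._records[-1].record_hash if self._records else GENESIS_HASH
        draft = AuditRecord(user_id, role_id, subject_of_care_id, action, event_time,
                            refs, outcome, previous, record_hash="")
        record = replace(draft, record_hash=_hash_record(draft))
        self._records.append(record)
        return record

    def records(self) -> List[AuditRecord]:
        return list(self._records)

    def history_for_subject(self, subject_of_care_id: str) -> List[Tuple[str, str, str, str]]:
        """Chronology (when, who, what, outcome) of one subject's record: the reconstruction
        of Introduction 0.2 and the basis for telling a subject of care who accessed their data."""
        rows = [(r.event_time, r.user_id, r.action, r.outcome)
                for r in self._records if r.subject_of_care_id == subject_of_care_id]
        return sorted(rows)

    def policy_deviations(self, policy: Dict[str, Set[str]]) -> List[AuditRecord]:
        """Audit logs complement access control: flag records whose action the domain
        access policy (role -> permitted actions) does not allow for that role."""
        return [r for r in self._records if r.action not in policy.get(r.role_id, set())]

def verify_chain(records: Sequence[AuditRecord]) -> bool:
    """Re-derive every hash; an edited, dropped or reordered record fails the check."""
    expected_previous = GENESIS_HASH
    for rec in records:
        if rec.previous_hash != expected_previous or rec.record_hash != _hash_record(rec):
            return False
        expected_previous = rec.record_hash
    return True

# Constructed sample policy and events (not taken from the standard).
SAMPLE_POLICY: Dict[str, Set[str]] = {"clinician": ALLOWED_ACTIONS, "billing": {"read"}}

def build_sample_log() -> AuditLog:
    log = AuditLog()
    log.append("usr-clin-17", "clinician", "soc-0042", "create", ["ehr:soc-0042/enc/1"],
               event_time="2026-03-13T09:00:00+00:00")
    log.append("usr-clin-17", "clinician", "soc-0042", "read", ["ehr:soc-0042/enc/1"],
               event_time="2026-03-13T09:05:00+00:00")
    log.append("usr-bill-03", "billing", "soc-0042", "update", ["ehr:soc-0042/enc/1"],
               event_time="2026-03-13T10:00:00+00:00")  # outside the billing role's policy
    log.append("usr-clin-17", "clinician", "soc-0099", "archive", ["ehr:soc-0099/enc/7"],
               outcome="failure", event_time="2026-03-13T11:30:00+00:00")
    return log
```

`build_sample_log()` followed by `verify_chain(log.records())`, `history_for_subject("soc-0042")` and `policy_deviations(SAMPLE_POLICY)` exercises the three uses; the chain check is what makes an after-the-fact edit or deletion of a record visible to the auditor.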
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
FprEN ISO 27799, Health informatics - Information security controls in health based on ISO/IEC 27002
(ISO/FDIS 27799:2025)
ISO 8601-1, Date and time — Representations for information interchange — Part 1: Basic rules
ISO/TS 21089:2018, Health informatics — Trusted end-to-end information flows
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/TS 21089:2018 and the following
terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements
[SOURCE: ISO/IEC 27000:2018[3], 3.1]
3.2
access policy
definition of the obligations for authorizing access to a resource
3.3
accountability
obligation of an individual or organization to account for its activities, for completion of a deliverable or task,
accept responsibility for those activities, deliverables or tasks, and to disclose the results in a transparent
manner
[SOURCE: ISO/TS 21089:2018, 3.3.1]
3.4
agent
entity that takes programmed actions, such as software or a device
[SOURCE: ISO/TS 21089:2018, 3.6.4]
3.5
alert
what is sent when the monitor service notices that a series of events matches a pattern
3.6
audit
independent review and examination of records and activities to assess the adequacy of system controls,
to ensure compliance with established policies and operational procedures, and to recommend necessary
changes in controls, policies or procedures
[SOURCE: ISO/TS 21089:2018, 3.20]
3.7
audit archive
archival collection of one or more audit logs (3.9)
3.8
audit data
data obtained from one or more audit (3.6) records
3.9
audit log
chronological sequence of audit (3.6) records, each of which contains data about a specific event
3.10
audit record
record of a single specific event in the life cycle of an electronic health record (3.17)
3.11
audit system
information processing system that maintains one or more audit (3.6) logs
3.12
audit trail
chronological record of system activities that is sufficient to enable the reconstruction, reviewing and
examination of the sequence of environments and activities surrounding or leading to an operation, a
procedure, or an event in a transaction from its inception to final results
[SOURCE: GCST ISO/TS 21089:2018]
3.13
authentication
provision of assurance that a claimed characteristic of an entity is correct
[SOURCE: ISO/IEC 27000:2018[3], 3.5]
3.14
authorization
granting of rights, which includes the granting of access based on access rights
[SOURCE: ISO/IEC 2382:2015[4], 2126256, modified — Notes to entry deleted.]
3.15
availability
property of being accessible and useable upon demand by an authorized entity
[SOURCE: ISO/IEC 27000:2018[3], 3.7]
3.16
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes
[SOURCE: ISO/IEC 27000:2018[3], 3.10]
3.17
electronic health record
EHR
repository of (organized sets of) information regarding the health status of a subject of care (3.28), in
computer processable form
[SOURCE: ISO/TR 20514:2005[5], 2.11, modified — Text in parenthesis added.]
3.18
electronic health record segment
EHR segment
part of an electronic health record (3.17) that constitutes a distinct resource for the access policy (3.2)
3.19
identification
process of recognizing the attributes that identify the object
[SOURCE: ISO 16678:2014[6], 2.1.7]
3.20
identifier
one or more characters used to identify or name a data element and possibly to indicate certain properties
of that data element
[SOURCE: ISO/IEC 2382:2015[4], 2121623]
3.21
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018[3], 3.36]
3.22
object identifier
OID
globally unique identifier (3.20) for an information object
Note 1 to entry: The object identifiers used in this document refer to code systems. These code systems can be defined
in a standard or locally defined per implementation. The object identifier (3.22) is specified using the Abstract Syntax
Notation One (ASN.1) defined in ISO/IEC 8824-1[7] and ISO/IEC 8824-2[8].
3.23
policy
set of rules related to a particular purpose
Note 1 to entry: A rule can be expressed as an obligation, an authorization (3.14), a permission or a prohibition.
[SOURCE: ISO 19101-2:2018[9], modified — Note 1 to entry added]
3.24
privilege
capacity assigned to an entity by an authority
3.25
records management
field of management responsible for control of creation, receipt, maintenance, use and disposition of records,
including processes for capturing and maintaining evidence of and information about business activities
and transactions in the form of records
[SOURCE: ISO 15489-1:2016[10], 3.15, modified — Some adjectives removed]
3.26
role
set of competences and/or performances associated with a task
3.27
sensitivity
measure of the potential or perceived potential to abuse or misuse data about subjects or to harm them
3.28
subject of care
person or defined groups of persons receiving or registered as eligible to receive healthcare services or
having received healthcare services
EXAMPLE Patient, client, customer, or health plan member.
[SOURCE: ISO/TS 17975:2022[11], 3.27, modified — Examples added.]
3.29
user
person or other entity authorized by a provider to use some or all of the services provided by the provider
Note 1 to entry: Also, human being using the system to issue requests to objects in order to get them to perform
functions in the system on his or her behalf.
4 Abbreviated terms
HL7® Health Level Seven
EV Enumerated Value
5 Requirements and uses of audit data
5.1 Ethical and formal requirements
5.1.1 General
Healthcare providers have professional ethical responsibilities to meet. Among these are protecting
the privacy of subjects of care and documenting the findings and activities of care. Restricting access to
health records and ensuring their appropriate use are both essential requirements in healthcare, and in
many jurisdictions these requirements are set down in law.
Secure audit trails of access to electronic health records can support conformity with professional ethics,
organizational policies and legislation, but they are not sufficient in themselves to assess completeness of an
electronic health record.
5.1.2 Access policy
Access to the audit trail shall be governed by an access policy. This policy should be determined by the
organization responsible for maintaining the audit log.
The access policy shall be in accordance with FprEN ISO 27799, 5.1.
NOTE 1 The access policy is presumed to define an EHR segment structure.
NOTE 2 In the audit record the access policy is identified by the audit log source.
Guidance on specifying and implementing access policies can be found in ISO 22600 (all parts)[12]. A field
“Participant object Permission Policy Set” is defined in 7.6.6 to support referencing the actual policies in the
audit record.
5.1.3 Unambiguous identification of information system users
The audit trails shall provide sufficient data to unambiguously identify all authorized health information
system users. Users of the information system can be persons, but also other entities.
The audit trails shall provide sufficient data to determine which authorized users and external systems have
accessed or been sent health record data from the system.
5.1.4 User roles
The audit trail shall show the role of the user while performing the recorded action on personal health
information.
Information systems processing personal health information should support role-based access control
capable of mapping each user to one or more roles, and each role to one or more system functions, as
recommended in FprEN ISO 27799, 8.2.
Functional and structural roles are documented in ISO 21298[13]. Additional guidance on privilege
management in health is given by ISO 22600 (all parts)[12].
5.1.5 Secure audit records
Secure audit records, in accordance with FprEN ISO 27799, 8.15, shall be created each time personal health
information is read, created, updated, or archived. The audit records shall be maintained by secure records
management.
5.2 Uses of audit data
5.2.1 Governance and supervision
The audit trails shall provide data to enable responsible authorities to assess conformity with the
organization’s policy and to evaluate its effectiveness.
This implies:
— detecting unauthorized access to health records;
— evaluating emergency access; and
— detecting abuse of privileges;
and support for:
— documenting access across domains; and
— evaluation of access policies.
NOTE Full assessment of conformity with the organization’s policy can require additional data that is not
contained in the audit record, such as user information, permission tables or records on physical entry to secured
rooms. See Annex B for audit log services.
The audit trails shall provide sufficient data to determine all access within a defined time period to the
records of subjects of care, by a specified user.
The audit trails shall provide sufficient data to determine all access within a defined time period to the
records of subjects of care, that are marked to be at elevated risk of privacy breaches.
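The two period queries that 5.2.1 requires (all access by a specified user, and all access to records marked at elevated risk, each within a defined time period) can be answered directly from audit records when EventDateTime, UserID and ParticipantObjectID are recorded. The following Python module is an added example and is not part of this document or of any HL7/DICOM implementation. Field names follow Table 3 in Clause 7; the sample log, the user and subject identifiers, the use of the optional ParticipantObjectSensitivity field with the value "ELEVATED" as the "marked at elevated risk" indicator, and the helper names are constructed for this example.

```python
"""Governance queries over an EHR audit trail (5.2.1). Added example.

Field names follow Table 3 of this document. The sample records, the
"ELEVATED" sensitivity marker, the identifiers and the helper names are
constructed for this example and are not taken from the standard.
"""
from datetime import datetime, timezone

# Constructed sample audit log: one dict per audit record. Only the fields the
# two queries need are shown; ParticipantObjectSensitivity is the optional
# Table 3 field assumed here to carry the access policy's elevated-risk marker.
AUDIT_LOG = [
    {"EventID": "READ", "EventActionCode": "R", "EventDateTime": "2026-01-10T08:15:00Z",
     "UserID": "nurse.a", "AuditSourceID": "EHR-WARD3", "ParticipantObjectID": "PAT-001"},
    {"EventID": "READ", "EventActionCode": "R", "EventDateTime": "2026-01-10T08:40:00Z",
     "UserID": "nurse.a", "AuditSourceID": "EHR-WARD3", "ParticipantObjectID": "PAT-002",
     "ParticipantObjectSensitivity": "ELEVATED"},
    {"EventID": "UPDATE", "EventActionCode": "U", "EventDateTime": "2026-01-10T09:05:00Z",
     "UserID": "dr.b", "AuditSourceID": "EHR-WARD3", "ParticipantObjectID": "PAT-002",
     "ParticipantObjectSensitivity": "ELEVATED"},
    # Same user, different domain (audit source): still that user's access.
    {"EventID": "READ", "EventActionCode": "R", "EventDateTime": "2026-01-11T23:59:00Z",
     "UserID": "nurse.a", "AuditSourceID": "EHR-ED", "ParticipantObjectID": "PAT-003"},
    # Local time stamp with offset: 01:00+01:00 is 00:00 UTC on the 12th.
    {"EventID": "READ", "EventActionCode": "R", "EventDateTime": "2026-01-12T01:00:00+01:00",
     "UserID": "nurse.a", "AuditSourceID": "EHR-ED", "ParticipantObjectID": "PAT-002",
     "ParticipantObjectSensitivity": "ELEVATED"},
]


def parse_event_time(value):
    """Parse an ISO 8601 EventDateTime and normalise it to UTC.

    Records from several domains may carry different offsets; comparing them
    on one clock is what makes a cross-domain period query meaningful. A
    trailing 'Z' is rewritten so that Python versions before 3.11 accept it.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_period(record, start, end):
    """Half-open interval [start, end): an event at exactly 'end' is excluded."""
    t = parse_event_time(record["EventDateTime"])
    return parse_event_time(start) <= t < parse_event_time(end)


def chronological(records):
    """Audit logs are chronological (3.9); query results are returned the same way."""
    return sorted(records, key=lambda r: parse_event_time(r["EventDateTime"]))


def accesses_by_user(log, user_id, start, end):
    """All access within [start, end) to records of subjects of care by one user."""
    return chronological(r for r in log
                         if r["UserID"] == user_id and in_period(r, start, end))


def accesses_to_elevated_risk(log, start, end, marker="ELEVATED"):
    """All access within [start, end) to records marked at elevated risk."""
    return chronological(r for r in log
                         if r.get("ParticipantObjectSensitivity") == marker
                         and in_period(r, start, end))


def subjects_accessed(records):
    """Distinct subjects of care referenced by a set of audit records."""
    return sorted({r["ParticipantObjectID"] for r in records})


if __name__ == "__main__":
    period = ("2026-01-10T00:00:00Z", "2026-01-12T00:00:00Z")
    for r in accesses_by_user(AUDIT_LOG, "nurse.a", *period):
        print(r["EventDateTime"], r["AuditSourceID"], r["EventID"], r["ParticipantObjectID"])
    for r in accesses_to_elevated_risk(AUDIT_LOG, *period):
        print(r["EventDateTime"], r["UserID"], r["EventID"], r["ParticipantObjectID"])
```

Two practitioner details are deliberate: time stamps are normalised to UTC before comparison, because records collected across domains rarely share one offset, and the period is half-open so that consecutive reporting windows neither overlap nor miss an event on the boundary.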
5.2.2 Subjects of care exercising their rights
The audit trails shall provide sufficient data to subjects of care to enable
— assessing which authorized user(s) have accessed his/her health record and when,
— assessing accountability for the content of the record,
— determination of conformity with the subject of care's consent directives on access to or disclosure of the
subject of care's data, and
— determination of emergency access (if any) granted by a user to the subject of care's record, including the
identification of the user, time of access and location where accessed from.
5.2.3 Evidence and retention requirements
The audit trails shall hold data (that care providers can use as documentary evidence) to determine which
actions were taken (create, look-up, read, correct, update, extract, output, archive, etc.) in relation to the
information, as well as when and by whom.
Audit records shall be retained in accordance with the retention policy as specified in 9.3.
The following documents provide guidance and further information:
— ISO/TS 21089:2018;
— ISO/HL7 10781[14].
6 Trigger events
6.1 General
The audit events (trigger events) that cause the audit system to generate audit records are defined according
to each health information system’s scale, purpose, and the contents of privacy and security policies. As the
scope of this document is limited to personal health information, only trigger events relating to access and
query of such information are specified here.
In order to generate the audit records that satisfy the requirement derived from Clause 5, i.e. “when”, “who”,
“whose”, audit records shall be generated for the following two events:
— Access events to personal health information;
— Query events about personal health information.
Examples of out-of-scope events are:
a) Start and stop events of the application program;
b) Authentication events involving authentication of users;
c) Input and output events from/to the external environment;
d) Access events to information other than personal health information;
e) Security alert events related to the application programs;
f) Access events to the audit log preserved in the application programs;
g) Events generated by the operating system, middleware and so on;
h) Access events generated by using system utilities;
i) Physical connection/disconnection events of equipment to the network;
j) Start/stop events of the protection systems such as anti-virus protection systems;
k) Software update events involving software modification or patch programs.
6.2 Details of the event types and their contents
6.2.1 Access events to the personal health information
In this document, access to personal health information is regarded as an audit event. Here “access”
means the creation, reading, update or deletion of data. The contents of the audit record provide the information
about the access: “when”, “who” and “access to whose” data to be protected. Table 1 describes the contents of
access events.

Table 1 — Access events
Event | Contents
Access events to the personal health information | When; Who; Access to whose
6.2.2 Query events to the personal health information
Querying an EHR database in order to obtain personal health information is regarded as an auditable event.
The query event is the query action itself; the reference to the personal health information resulting from
the query is regarded as the access event. The contents of the audit record provide the information about the
query: “when”, “who” and “what condition for querying”. Table 2 describes the contents of query events.

Table 2 — Query events
Event | Contents
Query events to the personal health information | When; Who; What condition for querying
7 Audit record details
7.1 The general record format
Table 3 describes the general format of the audit records. For the record contents of each event, see
Clause 8. The record format is defined after IETF RFC 3881[1] and ISO 12052 (DICOM PS3.15)[15],
with the addition of the optional fields PurposeOfUse and ParticipantObjectPolicySet.
Table 3 — General format of the audit records

Columns: Field name | Option | Description | Additional info.

Event related, multiplicity (1), see 7.2:
EventID | M | ID for the audited event
EventActionCode | M | Type of action performed during the audited event
EventDateTime | M | Date/time of the audited event occurrence
EventOutcomeIndicator | U | Success or failure of the event
EventTypeCode | U | The category of the event

User related, multiplicity (1.2), see 7.3:
UserID | M | ID for the person or process
AlternateUserID | U | Alternative ID for user or process
UserName | U | Name of user or process
UserIsRequestor | U | Indicator that the user is or is not the requestor
RoleIDCode | U | Specification of the role the user plays when performing the event
PurposeOfUse | U | Code for the purpose of use of the data accessed
NetworkAccessPointTypeCode | U | Type of network access point | See 7.4
NetworkAccessPointID | U | ID for network access point | See 7.4

Audit system related, multiplicity (1), see 7.5:
AuditEnterpriseSiteID | U | Site ID of audit enterprise
AuditSourceID | M | Unique ID of audit source
AuditSourceTypeCode | U | Type code of audit source

Participant object related, multiplicity (0.N), see 7.6:
ParticipantObjectTypeCode | M | Code for the participant object type
ParticipantObjectTypeCodeRole | M | Object type code of role
ParticipantObjectDataLifeCycle | U | Identifier for the data life-cycle stage for the participant object
ParticipantObjectIDTypeCode | M | Type code of Participant Object ID
ParticipantObjectPolicySet | U | Permission PolicySet for ParticipantObjectID
ParticipantObjectSensitivity | U | Sensitivity defined by the policy for ParticipantObjectID
ParticipantObjectID | M | Identifies a specific instance of the participant object
ParticipantObjectName | MC | Object name of participant, such as a person’s name. Required if ParticipantObjectQuery is not present.
ParticipantObjectQuery | MC | Contents of query for the participant object. Required if ParticipantObjectName is not present.
ParticipantObjectDetail | U | Detail of participant object
ParticipantObjectDescription | U | Description of participant object

Multiplicity: (1): only 1 exists; (0.1): 0 or 1 exists; (1.2): 1 or 2 exist(s); (0.N): 0 to N exist(s).
Optionality: M: Mandatory; MC: Conditional Mandatory; U: Optional; M/U: Mandatory or Optional related to events.
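Two points in the text above are easy to get wrong in an implementation: the conditional-mandatory pair ParticipantObjectName / ParticipantObjectQuery in Table 3 (at least one must be present on every participant object), and the rule of 6.2 that a query over personal health information yields one query event plus a separate access event for every subject of care whose data it returned. The following Python module is an added example and is not part of this document or of the RFC 3881 / DICOM schemas it is derived from. The group names, field names, optionalities (M / MC / U) and multiplicities are copied from Table 3; the record layout (one list of field dicts per group), the code values used for EventID, EventActionCode and the participant object type and ID type codes (Table 3 and 7.2.1 leave the code systems to the implementer), the query identifier derivation and the helper names are constructed for this example.

```python
"""Structural validator for the Table 3 audit record format, and the
access/query event split of 6.2. Added example, not part of the standard.

Groups, fields, optionality and multiplicity are from Table 3. Code values
(EventID, EventActionCode, type codes) are illustrative: the standard leaves
the code systems to the implementer. The record layout and helper names are
constructed for this example.
"""
import hashlib

# group -> ((min, max) multiplicity, {field: optionality}); max None means N.
TABLE_3 = {
    "Event": ((1, 1), {
        "EventID": "M", "EventActionCode": "M", "EventDateTime": "M",
        "EventOutcomeIndicator": "U", "EventTypeCode": "U"}),
    "User": ((1, 2), {
        "UserID": "M", "AlternateUserID": "U", "UserName": "U", "UserIsRequestor": "U",
        "RoleIDCode": "U", "PurposeOfUse": "U",
        "NetworkAccessPointTypeCode": "U", "NetworkAccessPointID": "U"}),
    "AuditSource": ((1, 1), {
        "AuditEnterpriseSiteID": "U", "AuditSourceID": "M", "AuditSourceTypeCode": "U"}),
    "ParticipantObject": ((0, None), {
        "ParticipantObjectTypeCode": "M", "ParticipantObjectTypeCodeRole": "M",
        "ParticipantObjectDataLifeCycle": "U", "ParticipantObjectIDTypeCode": "M",
        "ParticipantObjectPolicySet": "U", "ParticipantObjectSensitivity": "U",
        "ParticipantObjectID": "M", "ParticipantObjectName": "MC",
        "ParticipantObjectQuery": "MC", "ParticipantObjectDetail": "U",
        "ParticipantObjectDescription": "U"}),
}


def validate(record):
    """Return a list of problems; an empty list means the record matches Table 3."""
    problems = []
    for group, ((lo, hi), fields) in TABLE_3.items():
        entries = record.get(group, [])
        if len(entries) < lo or (hi is not None and len(entries) > hi):
            problems.append(f"{group}: {len(entries)} entries, multiplicity is "
                            f"({lo}.{'N' if hi is None else hi})")
        for i, entry in enumerate(entries):
            for field, opt in fields.items():
                if opt == "M" and not entry.get(field):
                    problems.append(f"{group}[{i}].{field}: mandatory field missing")
            for field in sorted(set(entry) - set(fields)):
                problems.append(f"{group}[{i}].{field}: not a Table 3 field")
            # MC rule from Table 3: a name or a query (or both) on every object.
            if group == "ParticipantObject" and not (
                    entry.get("ParticipantObjectName") or entry.get("ParticipantObjectQuery")):
                problems.append(f"{group}[{i}]: ParticipantObjectName or "
                                "ParticipantObjectQuery is required")
    return problems


def records_for_query(user_id, audit_source_id, when, query, results):
    """Audit records for one query over personal health information (6.2).

    The query itself is a query event whose participant object carries the
    query condition (when, who, what condition). Every subject of care whose
    data the query returned gets its own access event (when, who, whose).
    `results` maps subject identifier -> display name.
    """
    user = [{"UserID": user_id, "UserIsRequestor": "true"}]
    source = [{"AuditSourceID": audit_source_id}]
    # Constructed: a content-derived ID keeps the query referenceable without
    # storing a second copy of it.
    query_id = "q-" + hashlib.sha256(query.encode("utf-8")).hexdigest()[:16]
    query_record = {
        "Event": [{"EventID": "QUERY", "EventActionCode": "E", "EventDateTime": when}],
        "User": user, "AuditSource": source,
        "ParticipantObject": [{
            "ParticipantObjectTypeCode": "SYSTEM", "ParticipantObjectTypeCodeRole": "QUERY",
            "ParticipantObjectIDTypeCode": "QUERY-ID", "ParticipantObjectID": query_id,
            "ParticipantObjectQuery": query}],
    }
    access_records = [{
        "Event": [{"EventID": "READ", "EventActionCode": "R", "EventDateTime": when}],
        "User": user, "AuditSource": source,
        "ParticipantObject": [{
            "ParticipantObjectTypeCode": "PERSON", "ParticipantObjectTypeCodeRole": "PATIENT",
            "ParticipantObjectIDTypeCode": "MRN", "ParticipantObjectID": subject_id,
            "ParticipantObjectName": name}],
    } for subject_id, name in results.items()]
    return [query_record] + access_records


# Constructed record that breaks Table 3 twice: no user entry (multiplicity
# 1.2) and a participant object with neither a name nor a query (MC rule).
BAD_RECORD = {
    "Event": [{"EventID": "READ", "EventActionCode": "R", "EventDateTime": "2026-01-10T09:05:00Z"}],
    "User": [],
    "AuditSource": [{"AuditSourceID": "EHR-WARD3"}],
    "ParticipantObject": [{
        "ParticipantObjectTypeCode": "PERSON", "ParticipantObjectTypeCodeRole": "PATIENT",
        "ParticipantObjectIDTypeCode": "MRN", "ParticipantObjectID": "PAT-009"}],
}

if __name__ == "__main__":
    for rec in records_for_query("dr.b", "EHR-WARD3", "2026-01-10T09:05:00Z",
                                 "ward = '3' AND admitted = today",
                                 {"PAT-001": "A. Example", "PAT-002": "B. Example"}):
        print(rec["Event"][0]["EventID"], rec["ParticipantObject"][0]["ParticipantObjectID"],
              validate(rec) or "ok")
    print(validate(BAD_RECORD))
```

The validator checks structure only; whether a given EventID or RoleIDCode value is valid depends on the code system the implementer binds to that field (7.2.1), which is a separate, vocabulary-level check.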
7.2 Trigger event identification
7.2.1 Event ID
Description: Unique identifier for a specific audited event, e.g. a menu item, program, rule, policy, function
code, application name, or URL. It identifies the performed function.
Optionality: Mandatory
Format/Values: Coded value, either defined by the system implementers or as a reference to a standard
vocabulary. The “code” attribute shall be unambiguous and unique, at least within the Audit Source ID (see 7.5).
Examples of Event IDs are program name, meth
...