The ISO/IEC 27000 family is a set of international security standards that provide a blueprint for an Information Security Management System that can be applied in practice by an organisation.

The notion ‘Information Security Management System’ (‘ISMS’) should be understood as a set of activities related to information risk management. This includes legal, physical and technical controls that seek to ensure that information risks are identified, analysed and subsequently addressed. Using an ISMS could ensure the confidentiality, integrity and availability of the information an organisation possesses. Given the large amount of sensitive information handled within the health sector, using an ISMS could provide added value and ensure that information risks are prevented. By using an ISMS, an organisation could also be supported in applying important regulations, such as the GDPR and the NIS Directive. In this way, patient safety and the effectiveness of healthcare can be guaranteed.

The ISO/IEC 27000 family of standards focuses on a variety of information risk topics and tries to address more specific details for different industries. For example, ISO 27799 offers an ISMS specific to the healthcare sector that builds on ISO/IEC 27002 (Security techniques – Code of practice for information security controls). Like most of these ISO standards, ISO 27799 is technology-neutral, meaning that it can be implemented without any need for drastic adaptation as technology changes. Combining ISO 27799 and ISO/IEC 27002 can give organisations in the health sector a clearer view of what is required in terms of information security. Instead of prescribing every detail, these standards only describe the framework of what is important to prevent information risks (e.g. regarding privacy) and leave the organisation room to take more specific steps. In other words, the ISO standards offer the health organisation a more structured roadmap.

