ISO INTERNATIONAL STANDARD ISO 27799
Second edition 2016-07-01

Health informatics: Information security management in health using ISO/IEC 27002
(French title: Informatique de santé: Management de la sécurité de l'information relative à la santé en utilisant l'ISO/IEC 27002)

Reference number ISO 27799:2016(E)
ISO, International Organization for Standardization
© ISO 2016

COPYRIGHT PROTECTED DOCUMENT
© ISO 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 0111
Fax +41 22 749 09 47
[email protected]
www.iso.org

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
5 Information security policies
5.1 Management direction for information security
5.1.1 Policies for information security
5.1.2 Review of the policies for information security
6 Organization of information security
6.1 Internal organization
6.1.1 Information security roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
6.1.4 Contact with special interest groups
6.1.5 Information security in project management
6.2 Mobile devices and teleworking
6.2.1 Mobile device policy
6.2.2 Teleworking
7 Human resource security
7.1 Prior to employment
7.1.1 Screening
7.1.2 Terms and conditions of employment
7.2 During employment
7.2.1 Management responsibilities
7.2.2 Information security awareness, education and training
7.2.3 Disciplinary process
7.3 Termination and change of employment
7.3.1 Termination or change of employment responsibilities
8 Asset management
8.1 Responsibility for assets
8.1.1 Inventory of assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.1.4 Return of assets
8.2 Information classification
8.2.1 Classification of information
8.2.2 Labelling of information
8.2.3 Handling of assets
8.3 Media handling
8.3.1 Management of removable media
8.3.2 Disposal of media
8.3.3 Physical media transfer
9 Access control
9.1 Business requirements of access control
9.1.1 Access control policy
9.1.2 Access to networks and network services
9.2 User access management
9.2.1 User registration and de-registration
9.2.2 User access provisioning
ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002
Note: this document has 112 pages, of which 3 are previewed here.
Uploaded and shared by 人生无常 on 2024-10-26 03:40:09.