ISO/IEC 27799:2016 · Health Information Security · Evidence & Implementation Kit
Secure personal health information to the health-sector standard, without mapping ISO 27002 to healthcare yourself.
Every ISO 27002 control interpreted for health, plus the health-specific controls for care-relationship access, break-glass, unique patient identification and health-record retention, each as an adopt-ready control with the evidence an auditor examines.
Health-record ready in a weekend, not a quarter.
Here is the honest situation. ISO 27799 is how health organisations apply information security: it takes ISO 27002 and layers on what healthcare actually needs, need-to-know access tied to the care relationship, break-glass for emergencies, unique identification of the subject of care, consent enforcement and long health-record retention. The controls are right, but interpreting each one for your clinical systems and evidencing it is weeks of work, and a gap in access control or audit logging is exactly what a health-data auditor looks for.
This Kit removes that interpretation. It is the ISO 27002 control set plus the health-sector specifics, written as adopt-ready controls you personalize in a weekend.
What you get, the moment you buy
40
Controls made specific to health. Every ISO 27002 control interpreted for health information, plus the health-sector specifics: care-relationship access, break-glass, unique patient identification, consent and health-record retention.
40
Evidence-they-examine checklists. For each control, exactly what a health-data auditor examines, plus the finding they most often raise, so you close it before the assessment.
1
Health Security Control Matrix, pre-built. Every control in a working spreadsheet, ready to record in-place status and evidence location across your clinical estate.
1
Gap & Readiness Assessment. Score each control and the workbook returns your readiness as a single percentage, and exactly what to fix next.
Grounded in ISO 27799:2016, the health-sector application of ISO/IEC 27002, with the care-relationship, break-glass and health-record controls called out. Editable Word and Excel files.
The same work gets you ISO 27001
ISO 27799 applies the ISO 27002 control set to health. The evidence this Kit assembles is the same evidence an ISO 27001 certification audit examines, so protecting patient data and getting certifiable are one project, not two.
What one control looks like
This is the information security policy control, interpreted for health information. All 40 are built to this depth.
5.1 Information security policies for health information ORGANIZATIONAL
Adopt this control
[Health organization] shall define, approve, and publish a topic-level information security policy set that names personal health information as the highest-sensitivity asset, is endorsed by clinical and executive leadership, is communicated to all workforce members and relevant contractors, and is reviewed at planned intervals or after significant clinical, regulatory, or system change so that protection of subject-of-care data stays current.
Health-sector note.
ISO 27799 expects the policy set to treat personal health information as the defining asset, not just one data type among many.
Evidence your auditor examines
- The approved information security policy set with version history and management sign-off
- Evidence the policy names personal health information as a distinct asset class
- Records of policy communication to clinical and non-clinical staff
- The scheduled policy review log showing the last review date
Common finding they raise: Policies exist as generic IT documents that never single out personal health information or gain clinical leadership endorsement.
Why this is not another template pack
- The evidence is the point. A control you cannot evidence is theory. This tells you exactly what a health-data auditor examines and the finding they raise, for every control.
- Health-specific, not generic. Break-glass, care-relationship access, unique patient identification and health-record retention are written in, the things generic ISO 27002 guidance leaves out.
- Built on a mapped compliance corpus, not one person's opinion, from a graph of thousands of controls across standards.
- It compounds. ISO 27799 is ISO 27002 for health, so this work maps straight onto ISO 27001 and your wider privacy obligations.
Who buys this
Hospitals, clinics, health-tech and any organisation handling personal health information, the security and privacy leads who own it, and consultants securing clinical systems. Whether it is a first assessment or a renewal, you save weeks and walk in with the controls and evidence ready.
By the end of the weekend you will have
✓ An adopt-ready control for all 40 items
✓ A completed health security control matrix
✓ The evidence a health-data auditor examines
✓ Break-glass and care-relationship access defined
✓ A readiness percentage and a fix list
✓ The common findings closed before assessment
Common questions
Is it really editable? Yes. Word and Excel files you own and adapt. No portal, no subscription.
How does it relate to ISO 27001? ISO 27799 applies the ISO 27002 control set to health. The evidence overlaps with ISO 27001 certification, so the Kit sets you up for both.
Does it cover break-glass and consent? Yes. The health-sector specifics include break-glass emergency access, care-relationship need-to-know, consent enforcement and health-record retention.
Is it current? Grounded in ISO 27799:2016 with the ISO 27002 control themes. Updates included.
What if it is not for me? A 30-day money-back guarantee.
Do not map ISO 27002 to healthcare from scratch.
The health-specific control set is fast to adopt with the Kit. It is instant, and it is guaranteed.
Add it to your cart and protect patient data this weekend.
Instant digital download · 30-day money-back guarantee · The Art of Service Pty Ltd, GPO Box 2673, Brisbane QLD 4001 · support@theartofservice.com