1、BS EN ISO 27799:2016Health informatics Information securitymanagement in health usingISO/IEC 27002 (ISO 27799:2016)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO 27799:2016 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of
2、EN ISO27799:2016. It supersedes BS EN ISO 27799:2008 which iswithdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not pur
3、port to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2016.Published by BSI Standards Limited 2016ISBN 978 0 580 87253 2ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligation
4、s.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 August 2016.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dEUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO 27799 August 2016 ICS 35.240.80 Supersedes EN I
5、SO 27799:2008English Version Health informatics - Information security management in health using ISO/IEC 27002 (ISO 27799:2016) Informatique de sant - Management de la scurit de linformation relative la sant en utilisant lISO/IEC 27002 (ISO 27799:2016) Medizinische Informatik - Informationsmanageme
6、nt im Gesundheitswesen bei Verwendung der ISO/IEC 27002 (ISO 27799:2016) This European Standard was approved by CEN on 18 June 2016. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national sta
7、ndard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A version in
8、any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Re
9、public, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPE
10、AN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN ISO 27799:2016 EBS
11、 EN ISO 27799:2016EN ISO 27799:2016 (E) 3 European foreword This document (EN ISO 27799:2016) has been prepared by Technical Committee ISO/TC 215 “Health informatics” in collaboration with Technical Committee CEN/TC 251 “Health informatics” the secretariat of which is held by NEN. This European Stan
12、dard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements o
13、f this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. This document supersedes EN ISO 27799:2008. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following co
14、untries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
15、Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO 27799:2016 has been approved by CEN as EN ISO 27799:2016 without any modification. BS EN ISO 27799:2016ISO 27799:2016(E)Foreword viiIntroduction viii1 Scope .
16、12 Normative references 23 Terms and definitions . 24 Structure of this International Standard . 35 Information security policies 45.1 Management direction for information security . 45.1.1 Policies for information security 45.1.2 Review of the policies for information security 56 Organization of in
17、formation security . 66.1 Internal organization . 66.1.1 Information security roles and responsibilities . 66.1.2 Segregation of duties 76.1.3 Contact with authorities 76.1.4 Contact with special interest groups 76.1.5 Information security in project management . 86.2 Mobile devices and teleworking
18、86.2.1 Mobile device policy . 86.2.2 Teleworking 97 Human resource security 97.1 Prior to employment 97.1.1 Screening 97.1.2 Terms and conditions of employment 107.2 During employment . 117.2.1 Management responsibilities . 117.2.2 Information security awareness, education and training .117.2.3 Disc
19、iplinary process .117.3 Termination and change of employment 127.3.1 Termination or change of employment responsibilities 128 Asset management 128.1 Responsibility for assets 128.1.1 Inventory of assets 128.1.2 Ownership of assets .138.1.3 Acceptable use of assets . 138.1.4 Return of assets .138.2 I
20、nformation classification . 148.2.1 Classification of information 148.2.2 Labelling of information . 158.2.3 Handling of assets 158.3 Media handling 168.3.1 Management of removable media 168.3.2 Disposal of media .168.3.3 Physical media transfer . 179 Access control .179.1 Business requirements of a
21、ccess control 179.1.1 Access control policy .179.1.2 Access to networks and network services 189.2 User access management 189.2.1 User registration and de-registration .189.2.2 User access provisioning 19 ISO 2016 All rights reserved iiiContents PageBS EN ISO 27799:2016ISO 27799:2016(E)9.2.3 Managem
22、ent of privileged access rights 199.2.4 Management of secret authentication information of users .209.2.5 Review of user access rights . 209.2.6 Removal or adjustment of access rights .219.3 User responsibilities . 219.3.1 Use of secret authentication information 219.4 System and application access
23、control 229.4.1 Information access restriction 229.4.2 Secure log-on procedures . 229.4.3 Password management system 229.4.4 Use of privileged utility programs .239.4.5 Access control to program source code 2310 Cryptography .2310.1 Cryptographic controls . 2310.1.1 Policy on the use of cryptographi
24、c controls 2310.1.2 Key management 2411 Physical and environmental security .2411.1 Secure areas 2411.1.1 Physical security perimeter . 2411.1.2 Physical entry controls 2511.1.3 Securing offices, rooms and facilities 2511.1.4 Protecting against external and environmental threats .2511.1.5 Working in
25、 secure areas . 2511.1.6 Delivery and loading areas . 2511.2 Equipment 2611.2.1 Equipment siting and protection 2611.2.2 Supporting utilities .2611.2.3 Cabling security .2711.2.4 Equipment maintenance 2711.2.5 Removal of assets .2711.2.6 Security of equipment and assets off-premises .2711.2.7 Secure
26、 disposal or reuse of equipment .2811.2.8 Unattended user equipment . 2811.2.9 Clear desk and clear screen policy 2812 Operations security 2912.1 Operational procedures and responsibilities 2912.1.1 Documented operating procedures 2912.1.2 Change management .2912.1.3 Capacity management 3012.1.4 Sep
27、aration of development, testing and operational environments 3012.2 Protection from malware 3012.2.1 Controls against malware 3012.3 Backup . 3112.3.1 Information backup 3112.4 Logging and monitoring . 3112.4.1 Event logging 3112.4.2 Protection of log information . 3212.4.3 Administrator and operato
28、r logs 3312.4.4 Clock synchronisation 3412.5 Control of operational software 3412.5.1 Installation of software on operational systems .3412.6 Technical vulnerability management . 3412.6.1 Management of technical vulnerabilities.3412.6.2 Restrictions on software installation 3512.7 Information system
29、s audit considerations 3512.7.1 Information systems audit controls . 35iv ISO 2016 All rights reservedBS EN ISO 27799:2016ISO 27799:2016(E)13 Communications security 3513.1 Network security management . 3513.1.1 Network controls 3513.1.2 Security of network services 3613.1.3 Segregation in networks
30、3613.2 Information transfer . 3613.2.1 Information transfer policies and procedures 3613.2.2 Agreements on information transfer 3713.2.3 Electronic messaging 3713.2.4 Confidentiality or non-disclosure agreements .3814 System acquisition, development and maintenance 3814.1 Security requirements of in
31、formation systems . 3814.1.1 Information security requirements analysis and specification 3814.1.2 Securing application services on public networks 4014.1.3 Protecting application services transactions .4014.2 Security in development and support processes .4014.2.1 Secure development policy 4014.2.2
32、 System change control procedures . 4114.2.3 Technical review of applications after operating platform changes 4114.2.4 Restrictions on changes to software packages .4114.2.5 Secure system engineering principles4214.2.6 Secure development environment 4214.2.7 Outsourced development 4214.2.8 System s
33、ecurity testing .4214.2.9 System acceptance testing 4314.3 Test data . 4314.3.1 Protection of test data 4315 Supplier relationships .4315.1 Information security in supplier relationships 4315.1.1 Information security policy for supplier relationships .4315.1.2 Addressing security within supplier agr
34、eements 4415.1.3 Information and communication technology supply chain .4415.2 Supplier service delivery management 4415.2.1 Monitoring and review of supplier services .4515.2.2 Managing changes to supplier services .4516 Information security incident management 4516.1 Management of information secu
35、rity incidents and improvements .4516.1.1 Responsibilities and procedures . 4516.1.2 Reporting information security events .4516.1.3 Reporting information security weaknesses 4616.1.4 Assessment of and decision on information security events .4716.1.5 Response to information security incidents .4716
36、.1.6 Learning from information security incidents 4716.1.7 Collection of evidence .4717 Information security aspects of business continuity management .4817.1 Information security continuity 4817.1.1 Planning information security continuity .4817.1.2 Implementing information security continuity .491
37、7.1.3 Verify, review and evaluate information security continuity .4917.2 Redundancies 4917.2.1 Availability of information processing facilities 4918 Compliance 5018.1 Compliance with legal and contractual requirements .5018.1.1 Identification of applicable legislation and contractual requirements
38、5018.1.2 Intellectual property rights . 5018.1.3 Protection of records .50 ISO 2016 All rights reserved vBS EN ISO 27799:2016ISO 27799:2016(E)18.1.4 Privacy and protection of personally identifiable information 5118.1.5 Regulation of cryptographic controls .5218.2 Information security reviews 5218.2
39、.1 Independent review of information security .5218.2.2 Compliance with security policies and standards .5218.2.3 Technical compliance review . 53Annex A (informative) Threats to health information security.54Annex B (informative) Practical action plan for implementing ISO/IEC 27002 in healthcare .5
40、9Annex C (informative) Checklist for conformance to ISO 27799 72Bibliography .98vi ISO 2016 All rights reservedBS EN ISO 27799:2016ISO 27799:2016(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of
41、 preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental
42、, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance are described in the ISO
43、/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibilit
44、y that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of pate
45、nt declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as inform
46、ation about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 215, Health informatics.This second edition cancels and replaces the first edition (ISO 27799:200
47、8), which has been technically revised. ISO 2016 All rights reserved viiBS EN ISO 27799:2016ISO 27799:2016(E)IntroductionThis International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity
48、 and availability of such information. It is based upon and extends the general guidance provided by ISO/IEC 27002:2013 and addresses the special information security management needs of the health sector and its unique operating environments. While the protection and security of personal informatio
49、n is important to all individuals, corporations, institutions and governments, there are special requirements in the health sector that need to be met to ensure the confidentiality, integrity, auditability and availability of personal health information. This type of information is regarded by many as being among the most confidential of all types of personal information. Protecting this confidentiality is essential if the privacy of subjects of care is to be maintained. The integrity of health information is to be protected to ensure patient safety, and