Health informatics — Information security management in health using ISO/IEC 27002
Publication date: 2016-07-01
ISO 27799:2016 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that International Standard.
ISO 27799:2016 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information in their care.
It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper, or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information must always be appropriately protected.
ISO 27799:2016 and ISO/IEC 27002 taken together define what is required in terms of information security in healthcare, but they do not define how these requirements are to be met. That is to say, to the fullest extent possible, ISO 27799:2016 is technology-neutral. Neutrality with respect to implementing technologies is an important feature. Security technology is still undergoing rapid development, and the pace of that change is now measured in months rather than years. By contrast, while subject to periodic review, International Standards are expected on the whole to remain valid for years. Just as importantly, technological neutrality leaves vendors and service providers free to suggest new or developing technologies that meet the necessary requirements that ISO 27799:2016 describes.
As noted in the introduction, familiarity with ISO/IEC 27002 is indispensable to an understanding of ISO 27799:2016.
The following areas of information security are outside the scope of ISO 27799:2016:
a) methodologies and statistical tests for effective anonymization of personal health information;
b) methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
c) network quality of service and methods for measuring availability of networks used for health informatics;
d) data quality (as distinct from data integrity).