Medical Organization Information Security Management Based on ISO27001 Information Security Standard

Most of the information security events in medical organizations are due to improper management. This is a clear indication that the security of information is an issue related to information and communication technology and a management issue as well. In a review of literature, most research on information security has focused on information and communication technology issues, such as network security and access control; rarely addressing issues at the management-level. The main purpose of this study is to construct a mechanism for the management of information with regard to security as it applies to medical organizations. This mechanism is based on the eleven control items and one hundred thirty-three control objectives of the ISO27001 information security management standard. This study analyzes and identifies the most common events related to information security in medical organizations and categorizes these events as highrisk, transferable-risk, and controlled-risk to facilitate the management of such risk.