Maturity assessment of the ISO 27001 information security management system in social welfare and healthcare organisations

Many social welfare and healthcare delivery organisations have created an information security management system compliant with the ISO/IEC 27001 standard, or are planning to do so. This was also noted during the National Emergency Supply Agency's project on cyber security in healthcare (Kyber-Terveys). The project gathered good practices related to the application of ISO/IEC 27001 from the perspective of healthcare organisations in particular and included them as a part of the other results of the project.

The Kyber-Terveys project drew up the instructions below to make it easier to create an information security management system. The instructions are written from the perspective of organisations providing healthcare services in particular, but they can also be used by other organisations.

An important preliminary step in the smooth creation of an information security management system is to assess the differences between the organisation’s current status of information security management and the goal state required by the standard. Every organisation has practices that work well. They should be identified and maintained while creating new practices.

Free to use – under a few conditions

The Kyber-Terveys project published these instructions under a Creative Commons Attribution 4.0 license (CC BY 4.0) (External link). This means that you can use the instructions for whatever purposes you wish, edit it as you wish and distribute it as you wish under the following conditions:

  • Attribution – You must give appropriate credit, provide a link to the licence and indicate if you made changes to the content. You may do the aforementioned things in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • No additional restrictions – You may not apply legal terms or technological measures that legally restrict others from doing anything that is permitted by the licence.

Comments, proposals and requests concerning the instructions

Contact us at