ISO Standards Reference — EMR Audit & Compliance
This page lists the ISO standards, audit controls, and regulatory frameworks that CCMS documentation practices support. Use it as a quick reference when authoring content that references compliance requirements.
EMR Audit & Compliance Standards (by relevance)
Tier 1 — Core (directly applicable to CCMS documentation)
1. ISO 27789:2021 — Audit Trails for EHR
Full title: Health Informatics — Audit Trails for Electronic Health Records.
What it requires: Audit records must be protected so that entries cannot be deleted, altered, or overwritten, and every auditable action on a record must be attributable: who (user ID), when (timestamp), what (action type and the content as it stood before the action), and why (reason). This supports medicolegal defence, regulatory compliance, accountability, and quality improvement.
CCMS alignment: ISO 27789 — the "cannot be deleted or modified" audit trail in Mark In Error, Document Error States, and the Audit Trail page.
Used in: mark-in-error, audit-trail, document-error-states, deleted-items
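The two properties above (entries that cannot be deleted, altered or overwritten, and a Mark In Error correction that never overwrites the original) can be checked mechanically. The following is an added illustration written for this page, not CCMS code: an append-only audit trail in which each entry is SHA-256 hash-chained to its predecessor, a record's visible versions are replayed from the trail rather than stored separately, and a verify() routine detects an altered entry, a removed entry, and (only when the last hash has been anchored outside the trail) a truncated tail. The class, method and field names, the users and the sample entries are all constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS_HASH = "0" * 64  # prev_hash of the first entry in a trail


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    user_id: str
    timestamp: str         # ISO-8601 UTC, supplied by the caller so runs are reproducible
    action: str            # CREATE, VIEW or MARK_IN_ERROR
    record_id: str
    reason: str
    original_content: str  # record content before this action ("" for CREATE)
    new_content: str       # record content after this action ("" for VIEW)
    prev_hash: str         # entry_hash of the preceding entry (the chain link)
    entry_hash: str        # SHA-256 over all other fields


def compute_hash(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log; the visible state of a record is replayed from it."""

    def __init__(self):
        self.entries: list[AuditEntry] = []

    def _append(self, user_id, action, record_id, reason, original, new, ts):
        fields = {"seq": len(self.entries), "user_id": user_id, "timestamp": ts,
                  "action": action, "record_id": record_id, "reason": reason,
                  "original_content": original, "new_content": new,
                  "prev_hash": self.entries[-1].entry_hash if self.entries else GENESIS_HASH}
        entry = AuditEntry(**fields, entry_hash=compute_hash(fields))
        self.entries.append(entry)
        return entry

    def versions(self, record_id):
        """Every version ever written, oldest first; superseded versions stay visible."""
        out = []
        for e in self.entries:
            if e.record_id == record_id and e.action in ("CREATE", "MARK_IN_ERROR"):
                if out:
                    out[-1] = dict(out[-1], status="IN_ERROR", superseded_by=e.seq)
                out.append({"seq": e.seq, "content": e.new_content, "status": "CURRENT"})
        if not out:
            raise KeyError(record_id)
        return out

    def create(self, user_id, record_id, content, ts, reason="new entry"):
        if any(e.record_id == record_id for e in self.entries):
            raise ValueError(f"{record_id} exists; correct it with mark_in_error")
        return self._append(user_id, "CREATE", record_id, reason, "", content, ts)

    def view(self, user_id, record_id, ts, reason):
        content = self.versions(record_id)[-1]["content"]
        self._append(user_id, "VIEW", record_id, reason, content, "", ts)  # reads are audited too
        return content

    def mark_in_error(self, user_id, record_id, corrected, reason, ts):
        if not reason.strip():
            raise ValueError("Mark In Error requires a reason")
        original = self.versions(record_id)[-1]["content"]
        # The erroneous text is kept as original_content; no earlier entry is touched.
        return self._append(user_id, "MARK_IN_ERROR", record_id, reason, original, corrected, ts)


def verify(entries, expected_head=None):
    """Recompute the chain; returns (ok, message). expected_head is a hash anchored outside the trail."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return False, f"entry missing or reordered before seq {e.seq}"
        fields = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
        if compute_hash(fields) != e.entry_hash:
            return False, f"entry {e.seq} was altered"
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return False, "trail truncated: head hash does not match the anchored value"
    return True, "ok"


def demo():
    """Constructed sample: one note, one view, one correction, then three tampering attempts."""
    t = AuditTrail()
    t.create("dr_lim", "note-001", "BP 120/80, afebrile", "2024-03-01T08:00:00Z")
    t.view("nurse_tan", "note-001", "2024-03-01T08:05:00Z", "ward round")
    t.mark_in_error("dr_lim", "note-001", "BP 130/80, afebrile",
                    "transcription error: systolic misread", "2024-03-01T09:00:00Z")
    head = t.entries[-1].entry_hash  # what a nightly export to a write-once store would capture
    altered = list(t.entries)
    altered[0] = replace(altered[0], new_content="BP 130/80, afebrile")  # silent overwrite
    deleted_middle = [t.entries[0], t.entries[2]]                          # VIEW entry removed
    truncated = t.entries[:2]                                              # correction removed
    return {
        "versions": t.versions("note-001"),
        "intact": verify(t.entries, head),
        "altered": verify(altered, head),
        "deleted_middle": verify(deleted_middle, head),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }
```

The last two results of demo() are the caveat worth remembering when reading the "cannot be deleted" requirement: a hash chain proves nothing about entries removed from the end, so the correction can be silently dropped and the shortened trail still verifies. Only when the head hash has been copied somewhere the database administrator cannot reach (a write-once export, a signed daily report) does verify() with expected_head catch the truncation. Audit-log protection therefore needs an external anchor, not just an immutable table.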
2. ISO/IEC 27001:2022 — Information Security (access control, logging and monitoring)
Full title: Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements.
Relevant Annex A controls (2022 numbering; 2013 Annex A equivalents in brackets):
- 5.15 Access control and 8.3 Information access restriction [A.9.4.1]: role-based access to patient data; users see only what their role requires.
- 8.15 Logging and 8.16 Monitoring activities [A.12.4]: event logs record user activity and exceptions and are protected from tampering and unauthorised deletion.
Numbering caveat: the "8.2" and "9.4.5" tags used on CCMS pages do not denote these controls in either edition (8.2 in the 2022 Annex A is Privileged access rights; A.9.4.5 in the 2013 Annex A is Access control to program source code). Keep the existing "ISO 27001 9.4.5 / 12.4" tag for cross-page consistency, but cite the controls listed above when authoring new content.
CCMS alignment: ISO 27001 9.4.5 / 12.4 — every view and action is logged with user ID and timestamp; role-based access governs inter-unit visibility.
Used in: audit-trail, data-visibility, mark-in-error, deleted-items, document-error-states, standardization-iso-audit
3. ISO 18308:2011 — EHR Architecture Requirements
Full title: Health Informatics — Requirements for an Electronic Health Record Architecture.
What it requires: An EHR architecture must preserve the record characteristics of completeness, accuracy, timeliness, clarity, and authenticity (each entry attributable to its author and unaltered since).
CCMS alignment: ISO 18308 — four of the five items on the Documentation Principles page (Accuracy, Completeness, Timeliness, Clarity) map directly to its record characteristic clauses; the page's fifth item is Relevance, while authenticity is covered by the Audit Trail page.
Used in: principles, document-error-states, audit-trail, standardization-iso-audit
4. ISO 9001:2015 — Quality Management (Clause 10.2)
Full title: Quality Management Systems — Requirements.
Relevant clauses:
- 7.5 (Documented information): standardised templates and control of documented information.
- 9.2 (Internal audit): regular supervision, feedback, and audit review cycles.
- 10.2 (Non-conformity and corrective action): structured error identification, categorisation, and correction workflow.
CCMS alignment: ISO 9001 10.2 — the three-category non-conformity model (Administrative, Clinical, Procedural) and the error correction workflow.
Used in: document-error-states, standardization-iso-audit
Tier 2 — Supporting (healthcare-specific frameworks)
1. DKICT-V5 — KKM ICT Security Policy
Full title: Dasar Keselamatan ICT KKM Versi 5.0 (Ministry of Health Malaysia ICT Security Policy, version 5.0).
What it requires: CIA triad (Confidentiality, Integrity, Availability) for health information assets. Covers access control, audit logging, user accountability, and data integrity — aligned with ISO 27001 principles adapted for KKM.
CCMS alignment: DKICT-V5 — role-based access, "use your own login", "never share passwords", audit log access control, Sealed state for sensitive records.
Used in: data-visibility, mark-in-error, deleted-items, principles, audit-trail, standardization-iso-audit
2. PDPA 2010 (Akta 709)
Full title: Personal Data Protection Act 2010 (Act 709), Malaysia.
What it requires: Personal data must be protected against loss, misuse, modification, and unauthorised or accidental access or disclosure (the Security Principle), and data subjects have rights of access to and correction of their data. Demonstrating this in practice means being able to show who accessed or changed a patient's data, and when.
CCMS alignment: audit-trail (lines 114 and 131) — auditing of personal data access and changes; patient data is accessed only as far as the user's role requires.
Used in: audit-trail
3. ISO 13606-1:2019 — EHR Communication Reference Model
Full title: Health Informatics — Electronic Health Record Communication — Part 1: Reference Model.
What it requires: A standardised hierarchical model for communicated EHR content (folders, compositions, sections, entries, elements), enabling interoperability and consistent clinical document structure.
CCMS alignment: ISO 13606-1 — the HEAP structure (History, Exam, Assessment, Plan) aligns with the reference model's composition and section organisation.
Used in: principles
4. MMC Guideline 003/2006 — Medical Records
Full title: Malaysian Medical Council — Guideline 003/2006: Medical Records.
What it requires: Professional standards for medical record keeping — entries must be accurate, contemporaneous, legible, and attributable. Corrections must preserve the original entry.
CCMS alignment: audit-trail (line 115) — professional standards for record keeping. The Mark In Error workflow preserves original entries while showing corrections.
Used in: audit-trail
Tier 3 — Operational resilience & service management
1. ISO 22301:2019 — Business Continuity Management
Full title: Security and Resilience — Business Continuity Management Systems — Requirements.
What it requires: Plan for, respond to, and recover from disruption. For an EMR this means a defined manual fallback during an outage and re-entry and reconciliation of everything captured on paper once the system is back.
CCMS alignment: ISO 22301 — the downtime → manual fallback → recovery → data re-entry lifecycle and mandatory post-downtime reconciliation.
Used in: business-continuity (overview + downtime documentation), clinic-hub BCP
2. ISO 27799:2016 — Information Security in Health
Full title: Health Informatics — Information Security Management in Health using ISO/IEC 27002.
What it requires: Adapts general ISMS controls to health data — patient confidentiality, role-based access, and audit of health records.
CCMS alignment: ISO 27799 — the health-sector layer over ISO 27001 controls in Access Control and User Responsibilities.
Used in: access-control
3. ISO/IEC 20000-1:2018 — IT Service Management
Full title: Information Technology — Service Management — Part 1: Service Management System Requirements.
What it requires: Structured service desk, incident, problem, and change management with logging and reporting.
CCMS alignment: ISO 20000 — the helpdesk model (unique ticket IDs, status tracking, incident reporting) in the clinic support workflow.
Used in: clinic-hub helpdesk & support
Quick Reference Table
| Standard | Focus Area | Key Clause/Control | Priority |
|---|---|---|---|
| ISO 27789:2021 | EHR audit trails | Full standard | ★ Core |
| ISO/IEC 27001:2022 | Information security | 5.15 / 8.3 (Access control), 8.15 / 8.16 (Logging, monitoring); tagged 9.4.5 / 12.4 on CCMS pages | ★ Core |
| ISO 18308:2011 | EHR architecture | Record completeness, accuracy, timeliness | ★ Core |
| ISO 9001:2015 | Quality management | 7.5, 10.2 (Non-conformity), 9.2 (Audit) | ★ Core |
| DKICT-V5 | KKM security policy | CIA triad, access governance | ◆ Supporting |
| PDPA 2010 (Akta 709) | Data protection | Data access auditing | ◆ Supporting |
| ISO 13606-1:2019 | EHR communication | Reference model, document structure | ◇ Supplemental |
| MMC Guideline 003/2006 | Medical records | Professional record-keeping standards | ◇ Supplemental |
| ISO 22301:2019 | Business continuity | Downtime, recovery, data re-entry | ◆ Supporting |
| ISO 27799:2016 | Health-sector infosec | 27002 controls for health data | ◆ Supporting |
| ISO/IEC 20000-1:2018 | IT service management | Incident, ticketing, reporting | ◇ Supplemental |
Related Pages
- ISO 27789 — Mark In Error
- ISO 18308 — Documentation Principles
- ISO 9001 10.2, ISO 27001 9.4.5 / 12.4 — Document Error States
- ISO 27789, ISO 27001 9.4.5 / 12.4, DKICT-V5 — Audit Trail
- ISO 27001 9.4.5 / 12.4, ISO 27789, DKICT-V5 — Data Visibility
- ISO 9001, ISO 27001, ISO 27789, ISO 18308, DKICT-V5 — Standardization & ISO Audit