FAQ about the RDPs

What are these, and where do they come from?

"Recommended Data Practices" (RDP) are a template for data security policies and procedures, based on the International Organization for Standardization / International Electrotechnical Commission standards 27001 and 27002 (2005 revision, formerly known as ISO/IEC 17799).

Are these intended as organizational policies?

No. RDP are an educational resource, listing recommended practices. RDP can be used as a guide to the core components of information security, and thus provide one possible framework for organizations that are creating (or updating) their data security policies and procedures.

RDP should be regarded only as a starting point.  Where statutes, regulations, certifications or internal stakeholders require more stringent data security practices, those imperatives should control. 

Are these a guide to personal data security practices?

No. RDPs are intended as policy/procedure frameworks for organizations. If you would like information on personal data security dos and don'ts, the topics in the Learn About section are more suitable.

What are the conditions of use?

RDP content may be reused for non-commercial, educational purposes with appropriate credit to the source. That credit must also acknowledge ISO/IEC.

What if I have questions?

Comments and questions about this version of the RDP should be directed to the RDP Project Manager. For questions about Medical Information Technology's information security resources and services, contact the Information Security group.

For more information about ISO/IEC standards, see the ISO 17799/27001 Community Portal (portal for the 27001/27002 user group) and the ISO 27001 and ISO 27002 Directory (tracks progress of the 27000 standards).