Abstract
The objective of this thesis is to examine how information security is managed around a District Health Information System, version 2 (DHIS2) deployment in the health service of an anonymous developing country. Prior to this project, the country had collaborated with the Health Information Systems Programme (HISP) to improve its information security, and it continues to express interest in the topic. Through in-country fieldwork, the country's information security management was compared to the best practice outlined in ISO/IEC 27001. The results were fed into a five-day regional security bootcamp where participants focused on discussing the issues and developing solutions. The thesis outlines enabling and constraining variables for the information security environment, with realistic recommendations on how to mitigate some of these. Additionally, the willingness of participants to accept information security as a continuous process, with risk management at its center, is examined.