< Previous standard ^ Up a level ^ Next standard >
ISO/IEC 27557 — Information technology — Information security, cybersecurity and privacy protection - Organizational privacy risk management [DRAFT]
“This document provides guidelines for organizational privacy risk management. It is designed to provide guidance to organizations for integrating risks related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program. It also assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).”
[Source: SC27 Standing Document 11 (2021)]
The standard will provide
“a framework for assessing organizational privacy risk, with consideration of privacy impact to individuals as a component of overall organizational risk ... based on ISO 31000:2018 – Risk Management – Guidelines extended and developed to include specific considerations for organizational privacy risk”.
This standard will guide organizations on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organization and/or individuals (data subjects) as an integral part of the organization’s overall risk management. It will support the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.
The standard will distinguish information risks (with the potential to harm the organization directly) from privacy risks (with the potential to harm individuals directly and the organization indirectly), emphasizing difference in the respective risk management activities. Having said that, there are clearly significant overlaps:
- ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
- Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
- Many privacy-related controls are information security controls - such as identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
- Serious privacy breaches can materially harm the organization’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
- Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organization may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).
Scope of the standard
The standard will distinguish privacy impacts on individuals from organizational impacts such as reputational damage, and will provide guidance on incorporating personal impacts into the organization’s risk management activities.
It will support the implementation of a risk-based privacy program including the requirement for risk management specified in management systems such as ISO/IEC 27701.
Content of the standard
- Organizational privacy risk management principles - extending ISO 31000’s organizational risk perspective to include individuals’ concerns about and rights over their own privacy.
- Framework - slightly extending the ISO 31000 approach in this area.
- Risk management process - ditto.
Annexes - including examples of privacy incident types and impact scales.
The project started in 2019.
It is currently at Draft International Standard stage.
When an organization manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf ... which differs from the usual solely-corporate perspective of information risk management.
There is an ethical dimension that goes beyond the organization’s self preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information they handle, and society at large. The CD does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.
The present CD title does not reflect the committee’s full name: this may change before publication, or not - we’ll see how it turns out.
Also the CD includes editorial notes/drafting comments that would normally have been addressed and removed by this stage, a minor quibble.
< Previous standard ^ Up a level ^ Next standard >