ISO/IEC 27557 — Organizational privacy risk management [DRAFT]
This standard will guide organizations on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organization and/or individuals (data subjects) as an integral part of the organization’s overall risk management. It will support the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.
The standard will distinguish information risks (with the potential to harm the organization directly) from privacy risks (with the potential to harm individuals directly and the organization indirectly), emphasizing the differences in the respective risk management activities. Having said that, there are clearly significant overlaps:
- ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
- Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
- Many privacy-related controls are information security controls - such as identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
- Serious privacy breaches can materially harm the organization’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
- Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organization may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).
Scope of the standard
Content of the standard
The project started in 2019.
It is currently at 1st Working Draft stage.
When an organization manages privacy risks, it is (or at least it should be!) protecting both its own interests and those of data subjects, in effect acting on their behalf ... which differs from the usual solely-corporate perspective of information risk management.