ISO/IEC 27557 — Information technology — Information security, cybersecurity and privacy protection - Application of ISO 31000:2018 for organizational privacy risk management [DRAFT]





This standard will guide organisations on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It will support the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.

The standard will distinguish information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasising the differences in the respective risk management activities. Having said that, there are clearly significant overlaps:

  • ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
  • Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
  • Many privacy-related controls are information security controls - such as identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
  • Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
  • Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).


Scope of the standard

The standard will guide organizations on using ISO 31000 to manage privacy risks.

It will distinguish privacy impacts on the individuals whose personal information is directly affected by incidents, from organisational impacts such as reputational damage, and will provide guidance on incorporating personal impacts into the organisation’s risk management activities.

It will support the implementation of a risk-based privacy program including the requirement for risk management specified in management systems such as ISO/IEC 27701.

It will aid the integration of privacy risks into the organisation’s overall risk management.


Content of the standard

Main sections:

  1. Principles of organizational privacy risk management - extending ISO 31000’s organisational risk perspective to include individuals’ concerns about and rights over their own privacy.
  2. Framework - slightly extending the ISO 31000 approach in this area.
  3. Risk management process - ditto.
  4. Annexes - including examples of privacy incident types and impact scales.



The project started in 2019.

Status updated June: it is currently at Final Draft International Standard stage. ISO 31000 may feature in the title as shown above (wait and see!).


Personal notes

When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf ... which differs from the usual solely-corporate perspective of information risk management.

There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information it handles, and society at large. The draft does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.


Copyright © 2022 IsecT Ltd.