ISO/IEC 27557 — Information technology — Organizational privacy risk management [Draft]
This standard gives organizations guidance on managing privacy risks (risks to privacy, including compliance with data protection laws) that could affect the organization and/or individuals (data subjects), as an integral part of their overall risk management strategy. Besides supporting management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), it will support risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.
The standard distinguishes information risks (possible harm to the organization directly) from privacy risks (possible harm to individuals directly and to the organization indirectly), emphasizing that the risk management activities for each type differ.
Despite this, there are clear overlaps:
– ‘Personal information’ is simply a type or category of information that is exposed to threats just like any other type of information;
– Numerous vulnerabilities could result in privacy incidents as well as information security issues;
– Many privacy-related controls are also security-related – identifying and authenticating customers, implementing access controls, managing incidents, enforcing compliance, assuring accountability;
– The impact of serious privacy breaches can be material, harming the organization’s brand and reputation, damaging business relationships and prospects, and raising costs for investigation and response, non-compliance penalties, and improvements to controls and prevention;
– When serious information security incidents occur, personal information may be compromised inadvertently, and/or other business processes may be adversely affected (for example, if an organization’s IT network goes down because of ransomware or a natural disaster, the business and personal information within the organization cannot be processed: a hospital might suffer severe consequences in such a case).
The scope of the standard
To be determined.
As of 2019 the project is under way and is currently at the Working Draft stage.
A privacy risk management program also protects (or should protect) the interests of the organization. In effect, however, it acts on behalf of the individuals, in contrast to the organization-centric view taken when managing information risk.