Connect with us

Hi, what are you looking for?


ISO/IEC 27557

ISO/IEC 27557 — Information technology — Organizational privacy risk management [Draft]


In this standard, organizations will receive guidance on managing privacy risks (risks related to or increasing privacy compliance with data protection laws) that could impact their organization and/or individuals (data subjects) as an integral part of their overall risk management strategy. In addition to supporting management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), it will support risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.

As a result of the standard, information risks (possible harm to the organization directly) will be distinguished from privacy risks (possible harm to individuals directly and to the organization indirectly), emphasizing the distinction between the risk management activities for each type.

Despite this, there are clear overlaps:

– ‘Personal information’ simply refers to a type and category of information that is threatened just like any other type of information;
– Numerous vulnerabilities could result in privacy incidents as well as information security issues;
– Many privacy-related controls are also security-related – identifying and authenticating customers, implementing access controls, managing incidents, enforcing compliance, assuring accountability;
The impact of serious privacy breaches can be material, harming the organization’s brand and reputation, damaging business relationships and prospects, while also raising costs in investigation and response activities, non-compliance penalties, and improvements to controls and prevention;
– When serious information security incidents occur, personal information may be compromised inadvertently, and/or other business processes may be adversely affected (for example, if an organization’s IT network goes down because of ransomware or a natural disaster, the business and personal information within the organization cannot be processed: a hospital might suffer severe consequences in such a case).

The scope of the standard

To be determined.

The content

To be determined.


As of 2019, the project has begun.

Currently, it is in the Working Draft stage.


A privacy risk management program also protects the interests of the organization (or should). The result is that in effect it is acting on behalf of the individuals, in contrast to the company-centric view of managing information risk.


You May Also Like

Information Security

ISO 27001 Clause 6.1.3 Information security risk treatment Required activity The organization defines and applies a risk treatment process for information security. Guidelines for...


ISO/IEC 27034:2011+ – Information technology – Security techniques – Application security (all published except part 4) Introduction Business and IT managers, developers and auditors,...


5. 1 Management direction for information security ISO 27001 Annex : A.5 Information Security Policies – Its objective is to provide management guidance and...

Cyber Security

ISO/IEC 27551 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication [Draft] Introduction Attribute-Based Unlinkable Entity Authentication permits formal...