
ISO/IEC 27557 — Information technology — Organizational privacy risk management [Draft]

Introduction

This standard will give organizations guidance on managing privacy risks (risks relating to privacy and to compliance with data protection laws) that could affect the organization and/or individuals (data subjects), treating that activity as an integral part of their overall risk management strategy. It will support management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), as well as risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.

The standard distinguishes information risks (possible harm to the organization directly) from privacy risks (possible harm to individuals directly and to the organization indirectly), emphasizing the distinction between the risk management activities appropriate to each type.

Despite this, there are clear overlaps:

– ‘Personal information’ is simply a type or category of information that is threatened just like any other type of information;
– Numerous vulnerabilities could result in privacy incidents as well as information security incidents;
– Many privacy-related controls are also security-related – identifying and authenticating customers, implementing access controls, managing incidents, enforcing compliance, assuring accountability;
– The impact of serious privacy breaches can be material, harming the organization’s brand and reputation, damaging business relationships and prospects, and raising costs for investigation and response activities, non-compliance penalties, and improvements to controls and prevention;
– When serious information security incidents occur, personal information may be compromised inadvertently, and/or other business processes may be adversely affected (for example, if an organization’s IT network goes down because of ransomware or a natural disaster, neither the business information nor the personal information within the organization can be processed: a hospital might suffer severe consequences in such a case).

The scope of the standard

To be determined.

The content

To be determined.

Status

The project started in 2019.

It is currently at the Working Draft stage.

Commentary

A privacy risk management program also protects (or should protect) the interests of the organization. In effect, then, it acts on behalf of the individuals, in contrast to the company-centric view of managing information risk.
