PRIVACY MATTERS: Managing Personal Information with ISO/IEC 27552
BSI have recently published a whitepaper introducing ISO 27552.
'This new international standard that is currently in development is officially called ISO/IEC 27552 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines).
As many organizations have implemented an Information Security Management System (ISMS) based on ISO/IEC 27001 and using the guidance from ISO/IEC 27002, it’s a natural step to provide guidance for the protection of privacy that builds on this strong foundation. ISO/IEC 27552 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 and provides additional guidance for the protection of privacy, which is potentially affected by the collection and processing of personal information. The design goal is to enhance the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). The draft standard outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that risk to individual privacy rights is reduced. These additional requirements and guidance are written in such a way that they are practical and usable by organizations of all sizes and cultural environments.
Current BS 10012:2017 is a published standard specific to the UK. It provides a best practice framework for a personal information management system that is aligned to the principles of the European Union (EU) GDPR. One of the key distinctions between ISO/IEC 27552 and BS 10012 is that ISO/IEC 27552 is structured so that the PIMS can be considered an extension to ISMS requirements and controls. ISO/IEC 27552 can be used by PII controllers (including those who are joint PII controllers) and PII processors (including those using subcontracted PII processors). An organization complying with the requirements in ISO/IEC 27552 will generate documented evidence of how it handles the processing of personal information. This evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant. This might also assist in relationships with other stakeholders. The use of ISO/IEC 27552 in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence, although compliance with these documents cannot be taken as compliance with laws and regulations.' *
The final standard is expected to be published in January 2020. Currently, you can read the draft and submit your comments to BSI by 25th February 2019. Alternatively, you can purchase the draft for £20+VAT from the BSI shop.
If you have any questions regarding ISO 27552, please contact us.