ISO/IEC 27552 — Information technology — Security techniques — Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy management — Requirements and guidelines [draft]
Although information security and privacy management overlap substantially, each field extends beyond the other. This standard will explain how to ‘enhance’ (adapt and extend) an ISO/IEC 27001 Information Security Management System and the associated ISO/IEC 27002 controls so that they manage privacy as well as information security.
Scope of the standard
The standard will specify a Privacy Information Management System (PIMS) based on ISO/IEC 27001, 27002 and 29100 (privacy framework). It will apply to both controllers and processors of Personally Identifiable Information (PII).
Content of the standard
In the style of a ‘sector specific’ application, the standard will identify, clause by clause, the PIMS-related differences from the ISO27k standards (mostly interpretations of, and elaborations on, the existing clauses).
Currently at CD stage. May be published towards the end of 2018 or in 2019.
Someone familiar with ISO27k should have little difficulty applying the information risk management principles to personal information. Because the standard elaborates on the requirements, even those unfamiliar with ISO27k ought to be able to have a good go at it.