Topic-specific policies
ISO/IEC 27557

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)



    “This document provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. This document provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: organizational consequences of adverse privacy impacts on individuals; and organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. This document assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization.”
[Source: ISO/IEC 27557:2022]


This standard advises on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It supports the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards - particularly ISO 31000 of course plus ISO/IEC 29134 and ISO/IEC 27005.

The standard distinguishes information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasizing difference in the respective risk management activities. Having said that, there are clearly significant overlaps:

  • ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
  • Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
  • Many privacy-related controls are information security controls e.g. identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
  • Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
  • Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).


Scope of the standard

The standard advises using ISO 31000 to manage privacy risks, aiding the integration of privacy risks into the organisation’s overall risk management.


Content of the standard

Main sections:

  1. Principles of organizational privacy risk management - extending ISO 31000’s organisational risk perspective to include individuals’ concerns about and rights over their own privacy.
  2. Framework - slightly extending the ISO 31000 approach in this area.
  3. Risk management process - ditto.
  4. Annexes - including examples of privacy incident types and impact scales.



The standard was first published in 2022.


Personal notes

When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf in a custodianship role ... which differs from the usual solely corporate perspective of information risk management.

There is an ethical dimension that goes beyond the organisation’s self preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information they handle, and society at large. The draft standard does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights