

ISO/IEC 27557 — Information technology — Information security, cybersecurity and privacy protection — Organisational privacy risk management [DRAFT]



“This document provides guidelines for organisational privacy risk management. It is designed to provide guidance to organisations for integrating risks related to the processing of PII, including the privacy impact to individuals, as part of an organisational privacy risk management program. It also assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organisation, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).”
[Source: SC 27 Standing Document 11 (2021)]


The standard will provide

“a framework for assessing organisational privacy risk, with consideration of privacy impact to individuals as a component of overall organisational risk ... based on ISO 31000:2018 – Risk Management – Guidelines extended and developed to include specific considerations for organisational privacy risk”.

This standard will guide organisations on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It will support the requirement for risk management as specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards such as ISO 31000, ISO/IEC 29134 and ISO/IEC 27005.

The standard will distinguish information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasising the differences in the respective risk management activities. Having said that, there are clearly significant overlaps:

  • ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
  • Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
  • Many privacy-related controls are information security controls - such as identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
  • Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
  • Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).


Scope of the standard

The standard will distinguish privacy impacts on individuals from organisational impacts such as reputational damage, and will provide guidance on incorporating personal impacts into the organisation’s risk management activities.

It will support the implementation of a risk-based privacy program including the requirement for risk management specified in management systems such as ISO/IEC 27701.


Content of the standard

Main sections:

  1. Organisational privacy risk management principles - extending ISO 31000’s organisational risk perspective to include individuals’ concerns about and rights over their own privacy.
  2. Framework - slightly extending the ISO 31000 approach in this area.
  3. Risk management process - ditto.
  4. Annexes - including examples of privacy incident types and impact scales.



The project started in 2019.

It is currently at Draft International Standard stage.


Personal notes

When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf ... which differs from the usual solely-corporate perspective of information risk management.

There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information it handles, and society at large. The draft does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.



Copyright © 2022 IsecT Ltd.