The information security community is excited about the upcoming ISO/IEC 27552* – Privacy Information Management, which is an extension to ISO/IEC 27001 and 27002. Personally, while I am certified in GDPR, have worked with the new California Consumer Privacy Act, and am familiar with South Africa's Protection of Personal Information Act (POPIA), Asia Pacific data protection and cyber security regulation, as well as many other acts and standards, I still feel that all these standards are lacking in different areas. This new ISO standard provides guidance on the areas that are needed for the implementation of a robust privacy program and fills in the gaps that are missing in so many acts and standards pertaining to Personally Identifiable Information (PII)/Personal Data.
The GDPR, for instance, does require security and does list controls, as seen in Article 32: “Security of processing data”, but it does not give detailed guidance. ISO/IEC 27001 is a great standard for an Information Security Management System (ISMS). Annex A of this standard provides 114 controls for implementation to help protect the organization and the confidentiality, integrity and availability of data. ISO/IEC 27002 provides the implementation guidance for ISO/IEC 27001 and is a code of practice for information security management. Now, by also implementing the upcoming ISO/IEC 27552, these standards can help you be compliant with many data privacy regimes, requirements and acts.
Much Needed Annexes
Fortunately, Annex C of ISO/IEC 27552 – Privacy Information Management System (PIMS) is a mapping of ISO/IEC 27552 to articles 5 to 49 of the GDPR, except article 43. The other Annexes are helpful as well:
- Annex A contains PIMS-specific reference control objectives and controls (PII Controllers).
- Annex B covers specific reference control objectives and controls (PII Processors).
- Annex D of ISO/IEC 27552 provides a mapping to ISO/IEC 29100 Information technology — Security techniques — Privacy framework. The PECB whitepaper on ISO/IEC 29100 defines its use as “intended to be used by persons and organizations involved in designing, developing, procuring, architecting, testing, maintaining, and operating information and communication technology systems where privacy controls are required for the functioning of PII.”
- Annex E maps ISO/IEC 27552 to both ISO/IEC 27018, which is a code of practice that focuses on protection of personal data in the cloud, and ISO/IEC 29151, which establishes control objectives and guidelines for implementing controls to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
- Annex F includes common terminology and alternative terms, to help with documents that use terms with similar or identical meanings to those used in the standard.
- Annex G contains information on how to apply ISO/IEC 27552 to both ISO/IEC 27001 Information technology – Security techniques and ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security controls.
Privacy and Security Management Systems
I utilize ISO/IEC 27001 so often in consulting and audit projects that I feel I have it memorized. I also teach PECB ISO 27001 Lead Implementer and Lead Auditor courses. However, as much as I am a fan of ISO/IEC 27001 and ISO/IEC 27002, they address information security implementation and maintenance, and not so much privacy and Personally Identifiable Information. Therefore, other addenda, such as ISO/IEC 27552, are indeed needed to address compliance with personal data requirements. PECB will launch an ISO/IEC 27552 training course soon. In terms of meeting the challenges of maintaining information security and implementing the measures to protect the data, ISO/IEC 27001 is an excellent standard, but it does not go into depth in all areas of PII/Personal Data requirements. It is a good management standard providing a general framework that helps to protect information relating to privacy. There are many standards in the 27000 family, and ISO 27001 by itself cannot meet the demands that are required for privacy. This is evident from the number of ISO standards that are included within the annexes of ISO/IEC 27552, as outlined above. The PIMS requirements related to ISO/IEC 27001 and ISO/IEC 27002 are well organized in the standard.
- Requirements related to ISO/IEC 27001 are outlined in clause 5.
- Requirements related to ISO/IEC 27002 are outlined in clause 6.
The guidance provided for Controllers and Processors is very useful and detailed:
- PII Controllers guidance is outlined in clause 7.
- PII Processors guidance is outlined in clause 8.
Compliance with Multiple Standards
This standard will be of great help to organizations in developing privacy regimes that will comply with multiple requirements, from the GDPR for European citizens to the US privacy requirements of the California Consumer Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as others that are forming to put controls in place to give better rights to individuals and to better manage privacy. By taking the best of each of the existing privacy standards and amalgamating them, ISO/IEC 27552 reduces the burden of managing different privacy standards into one cohesive standard that includes mappings to many other standards. The approach of ISO/IEC 27552 will help organizations establish, implement, maintain, and continuously improve their privacy programs. This will certainly help PII controllers and PII processors. Having a standard that is accepted worldwide will help in doing business internationally, and help protect PII uniformly around the world. A critical requirement of PII protection is transparency and communicating compliance to stakeholders. Clients, customers and other stakeholders want to know that an organization they are entrusting with their PII is doing all it can to be compliant. Companies that are compliant with ISO/IEC 27552 – Privacy Information Management will stand out as having a strong commitment to meeting and maintaining privacy standards, while providing more certainty to their stakeholders.
Is ISO/IEC 27552 the Answer to Meeting Privacy Needs?
In my opinion, ISO/IEC 27552, as an extension to ISO/IEC 27001 and ISO/IEC 27002, is a good tool in the quest to keep ahead of breaches and to stay compliant with all of the worldwide requirements, some of which are mentioned in the opening paragraph. My perceived challenge in using ISO/IEC 27552 is the need to continuously refer to ISO/IEC 27001 and ISO/IEC 27002, as the reader is directed to specific clauses in these two standards. That being said, the standard does give a lot of additional guidance related to privacy not found within ISO/IEC 27001 and ISO/IEC 27002, making the effort worthwhile.
ISO/IEC 27552 can easily be fitted into the Information Security Management System (ISMS) defined in ISO/IEC 27001. ISO/IEC 27552 defines additional requirements and provides guidance for the protection of privacy, and when coupled with ISO/IEC 27001 they constitute a Privacy Information Management System (PIMS), which closes a lot of gaps in the attempt to have a functional Information Security Management System in place while at the same time complying with data privacy regimes such as the GDPR.
*UPDATE: Please note that the name of ISO/IEC 27552 has now changed to ISO/IEC 27701.