First international standard for data privacy published

Managing the risks arising from our increasingly digital and connected worlds means balancing the need to maintain privacy against the requirement for robust cybersecurity. Achieving this balance is not easy, especially with attacks against business almost doubling over the last few years (according to the World Economic Forum Global Risks 2018 report).

According to Clare Naden (of ISO), many laws and regulations have been, or are being, put in place to try to reduce these risks and, at the same time, protect the digital privacy of consumers. The challenge is for organizations to understand these requirements and also to protect themselves at the same time. Protection covers both cyberattacks and avoiding fines.

With privacy-related litigation, data from IBM (“Cost of Data Breach Study”) finds that the typical cost of a data breach is $3.6 million. This is often in relation to government-initiated regulation, like the European Union’s General Data Protection Regulation (GDPR) and the privacy act in California.

The new International Standard has been developed to help organizations manage privacy information and meet regulatory requirements.

The new standard has the reference ISO/IEC 27701, and it carries the lengthy title of “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”. It specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system. In other words, a management system for protecting personal data (PIMS).

The standard covers areas like information security policies, the organization of information security, access control and cryptography.

According to Dr Andreas Wolf, Chair of the ISO/IEC technical committee which formulated the standard, every organization processes personally identifiable information (PII), and protecting this goes beyond simply being a legal requirement; it is also a societal need.

With this, Dr. Wolf states: “ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever evolving basis. Because being a management system, it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn’t stand still.”

The new standard connects with an existing standard, ISO/IEC 27001, which is titled “Information Technology – Security techniques – Information security management systems – Requirements”, providing the necessary extra requirements when it comes to privacy.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
