BS ISO/IEC 29190:2015 Information technology - Security techniques - Privacy capability assessment model (PDF)

Resource ID: 396751. File size: 2MB. Total pages: 26. Format: PDF.
BSI Standards Publication

BS ISO/IEC 29190:2015
Information technology - Security techniques - Privacy capability assessment model

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 29190:2015. The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015
ISBN 978 0 580 70448 2
ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 August 2015.

Amendments issued since publication: Date / Text affected (none listed)

INTERNATIONAL STANDARD ISO/IEC 29190
Information technology - Security techniques - Privacy capability assessment model
Technologies de l'information - Techniques de sécurité - Modèle d'évaluation de l'aptitude à la confidentialité
Reference number ISO/IEC 29190:2015(E)
First edition 2015-08-15
© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2015, Published in Switzerland. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office, Ch. de Blandonnet 8, CP 401, CH-1214 Vernier, Geneva, Switzerland. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, copyright@iso.org, www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Methodology
4.1 Introduction
4.2 Define a privacy capability assessment model
4.3 Capability scale
4.4 Rate the process's current capability vs. target capability
4.5 Determine sub-optimal processes
4.6 Identify proposals for changing processes
4.7 Modify processes
5 Capability assessment process
5.1 Introduction
5.2 Plan the assessment
5.3 Identify privacy activities and target capabilities
5.4 Identify privacy-related processes
5.5 Prepare criteria for information collection
5.6 Collect and analyse information
5.7 Present results
6 Example of a business function approach
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Security techniques.

Introduction

The aim of this International Standard is to provide organizations with high-level guidance about how to assess the level of their ability (capability) to manage privacy-related processes. This International Standard focuses on an approach for assessing the efficiency and effectiveness of privacy-related processes used by organizations.

Guidance on the issue of privacy management needs is multi-faceted as follows:

- The decision support information useful to a senior executive in formulating and executing a privacy strategy is different from the decision support useful to operational and line-of-business staff, even though their various activities might all ultimately be directed towards the same goal;
- There are likely to be multiple "privacy stakeholders" (that is, parties who have an interest in the way the organization manages privacy). Those stakeholders might impose very different requirements, for example, driven by legal and regulatory compliance requirements, but also by inter-related "good practice" provisions stipulated, for example, by policies, codes-of-conduct, business risk assessments, audit findings, reputational and/or financial imperatives, and/or personal privacy preferences.

A broader, good practice context is important because it is possible for an organization to meet its legal and regulatory compliance obligations and still suffer significant damage if it fails to address the requirements of the other stakeholders.

An assessment of the organization's capabilities in this area will need to meet the following principal sets of criteria:

- It needs to provide the organization with information which is useful to the appropriate level or levels of management;
- It needs to cater for the fact that "capability" needs to be assessed in many different domains (legal compliance, risk management, reputation, and so on).

This International Standard is aimed at those individuals responsible for directing, managing, and operating an organization's privacy management capabilities, or those responsible for advising the relevant stakeholder group. Thus, the capability model will consider multiple kinds of privacy stakeholder requirements and will result in guidance to multiple levels of stakeholders, from enterprise strategists to operational and line-of-business managers.

This International Standard provides guidance for how to set up a capability assessment program within an organization. It is expected that the management of the organization will need to apply an iterative and incremental process of improvement using the criteria defined for assessing their privacy capability. Once a baseline assessment has been identified and a set of targets for improvement of the organization's capability has been agreed, then the assessment will need to be periodically repeated in order to move the organization, over increments, towards the targeted level of capability desired by the organization.

This International Standard guides organizations towards the production of several different kinds of output:

- an overall "score" against a simple capability assessment model;
- a set of metrics indicating assessment against key performance indicators;
- the detailed outputs from privacy process management audits and management practices (for example, assessment against data protection criteria and data custody best practice) for input into improving capability in these specific areas.

Information technology - Security techniques - Privacy capability assessment model

1 Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it

- specifies steps in assessing processes to determine privacy capability,
- specifies a set of levels for privacy capability assessment,
- provides guidance on the key process areas against which privacy capability can be assessed,
- provides guidance for those implementing process assessment, and
- provides guidance on how to integrate the privacy capability assessment into organizations' operations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 29100, Information technology - Security techniques - Privacy framework
ISO/IEC 33001:2015, Information technology - Process assessment - Concepts and terminology
ISO/IEC 33020:2015, Information technology - Process assessment - Process measurement framework for assessment of process capability

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and ISO/IEC 33001 apply.

4 Methodology

4.1 Introduction

In the current global environment, there is a tendency towards collection, use, disclosure and retention of more and more personally identifiable information (PII), for purposes ranging from support for business operations to national security and law enforcement. As is evident from the regular notification of privacy breaches, much more work is required on the part of organizations to adequately protect the PII that they are collecting, using, disclosing and retaining, as required by relevant national regulatory laws.

One way to develop and refine an organization's processes is to begin with an assessment of their existing capabilities in this area. Performing a process assessment in the privacy domain typically involves the following activities:

- Define a privacy capability assessment model (see 4.2);
- Define a capability scale (see 4.3);
- Rate the process's current capability vs. target capability (see 4.4);
- Determine sub-optimal processes (see 4.5);
- Identify proposals for changing processes (see 4.6);
- Modify processes (see 4.7);
- Identify the privacy activities and target capability (see 5.1);
- Identify the privacy-related processes (see 5.4);
- Prepare criteria for information collection (see 5.5);
- Collect and analyse information from privacy-related processes (see 5.6).

An optional additional subsequent action is to map the capability determination (i.e. the target capability level) to a scale taken from a process assessment model to assist in goal setting, comparative analysis (i.e. to measure current capability and use it as a baseline for assessing an incremental process improvement target), and continual improvement strategies (i.e. develop a context or business function improvement strategy to use in planning for a process improvement project).

This International Standard as a whole guides organizations towards the production of several different kinds of output:

- an overall "score" against a simple capability assessment, such as the example of the six-level model described in 4.3;
- a set of metrics indicating assessment against key performance indicators in areas such as those described in the second example in 5.1;
- the detailed outputs from audit and management disciplines in specific areas of privacy management (for example, assessment against data protection criteria and data custody best practice).

4.2 Define a privacy capability assessment model

ISO/IEC 3300x is a suite of International Standards that has been developed by the ISO/IEC JTC 1/SC 7 Software and system engineering committee. It provides information on the concepts of process assessment and its use in process improvement and process capability determination. ISO/IEC 29190 uses the concepts of ISO/IEC 3300x for the assessment of privacy capability.

For the purposes of this International Standard, a process assessment model is related to one or more process reference models. It forms the basis for the collection of evidence and rating of a process quality characteristic. The relationships within the process assessment model are shown in Figure 1. The information collected during assessments should be referenced against this model in order to determine a relative capability.

Figure 1 - Process assessment model relationships

Privacy capability assessment assumes a cycle of continuous improvement, as shown in Figure 2.

Figure 2 - Lifecycle of privacy capability assessment

With some refinement, a capability assessment model can be used to assess how competent an organization is with respect to, for instance, protecting PII as required by relevant national regulatory laws. A capability assessment model can also be used as a benchmark for comparing different organizations where there is something that can be used as a basis for comparison. For the purposes of this International Standard, the basis for comparison should be the organization's processes for handling PII in a manner compliant with national regulatory laws and relevant good practice.

A capability assessment model typically involves the following aspects:

a) Capability Levels: a layered framework providing a progression to the discipline needed to engage in continuous improvement. It is important to note that an organization needs to develop the ability to assess the impact of a new practice, technology or tool on their business activities. Hence it is not a matter of adopting these; rather it is a matter of determining how innovative efforts influence existing practices. This empowers projects, teams, and organizations by giving them the foundation to support reasoned choice.

b) Key Process Areas: this identifies a cluster of related activities which, when

