SecurityWorldMarket

16/08/2019

New worldwide ISO standard for digital security

Geneva, Switzerland

Unsurprisingly, laws and regulations are rapidly being put in place to reduce risks and protect our digital privacy. Organisations can now keep on top of these requirements and protect themselves at the same time, with the world’s first International Standard to help organisations manage privacy information and meet regulatory requirements.

Protecting our digital privacy is a significant business concern. According to IBM the average cost of a data breach is USD 3.6 million, and legal obligations are increasingly stringent. As we get more connected, governments all over the world are introducing various privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR), which organisations must adhere to. The new ISO standards will help businesses meet such requirements, whatever jurisdiction they work in.

The newly published ISO/IEC 27701, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system. In other words, a management system for protecting personal data (PIMS).

Formerly referred to as ISO/IEC 27552 during its development, it builds on ISO/IEC 27001, Information Technology – Security techniques – Information security management systems – Requirements, providing the necessary extra requirements when it comes to privacy.

Dr Andreas Wolf, Chair of the ISO technical committee that developed the standard, said almost every organisation processes personally identifiable information (PII), and protecting it is not only a legal requirement but a societal need. “ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever evolving basis. Because being a management system, it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn’t stand still.”

Microsoft is an active participant in the committee. Julie Brill, Corporate Vice President and Deputy General Counsel of Privacy and Regulatory Affairs at Microsoft said: “We applaud the ISO technical committee for developing this groundbreaking standard for privacy so that organisations of all sizes, jurisdictions, and industries can effectively protect and control the personal data they handle. As the next chapter of Microsoft’s commitment to extend the rights provided in the European Union’s General Data Protection Regulation to our customers globally, Microsoft Azure and Office 365 will implement the PIMS standard and will assist our customers and partners in adopting this interoperable model.”

ISO/IEC 27701 was developed by working group 5 of ISO technical committee ISO/IEC JTC1/SC 27, Information security, cybersecurity and privacy protection, which is made up of experts from all over the world from data protection authorities, security agencies, academia and industry.

Matthieu Grall of the Commission Nationale de l’Informatique et des Libertés, the French independent watchdog for the protection of personal data, was an active participant of SC 27 and a contributor to the development of the standard. With increasingly stringent data protection requirements and laws, he said there is a real need for this standard. “Despite the risks of not complying to these regulations, we know that many organisations are simply not ready and need guidance. With the number of complaints and fines related to privacy and data protection on the rise, the need for this standard is now obvious.

Moreover, organisations need to bring trust to their authorities, partners, customers and employers. Such a standard will contribute strongly to this trust.”


Tags

Product Suppliers
Back to top