
Managing Personal Information with ISO/IEC 27701

Since 2016, in a relatively short period, many countries around the world have passed modern data protection legislation. The most notable is the EU's General Data Protection Regulation (GDPR), which sets out the requirements organisations must meet to safeguard data subjects' rights when processing personal data. The relative speed with which this legislation was enacted left some organisations unable to respond adequately, and widely publicised breaches occurred.

Although the introduction of GDPR was a landmark, it does not provide specific guidance on what measures should be taken to ensure compliance with its requirements. Furthermore, in most cases existing standards lack clauses or controls strong enough to ensure that data privacy is comprehensively addressed through the implementation of a management system.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed ISO 27701 to give businesses the guidance they need to address data privacy effectively, and to bridge the gap between existing management system requirements and privacy legislation worldwide.

GDPR: An overview of the legislation

In April 2016 the EU adopted GDPR, replacing the EU Data Protection Directive 95/46/EC. The new legislation imposes obligations on any organisation with responsibility for data processing, including organisations outside the EU. It harmonises privacy legislation across the European Economic Area.

Any non-EU entity offering goods or services to individuals located in the EU is also bound by the requirements of GDPR. Businesses and organisations with large-scale personal data processing needs are particularly affected, and ensuring compliance is critical for them.

Organisations must have a lawful basis for processing personal data and may process it only for specified purposes. Individuals have the right to request a copy of all data held about them, including an explanation of how that data is used and whether third parties have access to it.

Individuals can request that their data profile be transferred to another data processor; they also have the right to withdraw their consent to processing and to request the erasure of data that is no longer needed.

Organisations and individuals processing personal data are now required to adopt appropriate security controls to ensure the confidentiality of the data they hold or process. Personal data may be transferred to countries outside the EU, but only to those deemed to provide adequate legal protection for the rights of EU data subjects.

Data breach notifications must be submitted to the supervisory authority, which for the UK is the Information Commissioner's Office (ICO), within 72 hours of the breach being discovered. The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Further guidance can be found on the UK Government's Data Protection Act 2018 page.

What is ISO 27701 and why is it needed?

As with much privacy legislation around the world, there is little guidance on how to implement processes that comply with GDPR. ISO 27701:2019 is a privacy extension to the international information security management standard ISO 27001 (ISO 27701 Security techniques - Extension to ISO 27001 and ISO 27002 for privacy information management - Requirements and guidelines).

ISO 27701 specifies the requirements for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS), and provides the guidance needed to do so. The standard builds on the requirements, control objectives and controls of ISO 27001 and adds a set of privacy-specific requirements, controls and control objectives.

The concept will be familiar to organisations that already operate an Information Security Management System (ISMS). The new PIMS ensures that an organisation has comprehensive and universally applicable data management that aligns directly with the legislative requirements of its jurisdiction.

The standard was drafted with input from experts and data protection authorities around the world, including the European Data Protection Board, and takes account of data protection legislation on every continent. It closely follows GDPR, with each clause mapped to the corresponding GDPR article.

ISO 27701 is not, however, specific to GDPR; it is a global standard. It represents the state of the art in privacy protection, and organisations that implement it demonstrate a proactive approach to protecting personal data.


Bolting on to ISO 27001

ISO 27701 is slightly different in that the standard is required to be appended to an existing management system. Not every clause and control applies in every situation.

The requirements of the standard fall into the following four groups:

  • Clause 5 outlines the PIMS requirements related to ISO 27001
  • Clause 6 outlines the PIMS requirements related to ISO 27002
  • Clause 7 outlines PIMS guidance for controllers of Personally Identifiable Information (PII)
  • Clause 8 outlines PIMS guidance for PII processors

In addition, the applicable controls are set out in the annexes to the body of the standard.

The following can be used as a guide to relevance:

  1. Annex A lists all applicable controls for PII controllers.
  2. Annex B lists all applicable controls for PII processors.
  3. Annex C maps the provisions of ISO 27701 to ISO 29100.
  4. Annex D maps the provisions of ISO 27701 to GDPR.
  5. Annex E maps the provisions of ISO 27701 to ISO 27018 and ISO 29151.
  6. Annex F provides guidance on applying ISO 27701 to ISO 27001 and ISO 27002.

In most cases, an organisation that already holds ISO 27001 certification should start with Annex F to understand how applying the PIMS fits with its existing ISO 27001 ISMS. This annex cites three ways of applying the standard:

  • Applying the security standard as is
  • Adding to the security standard
  • Refining the security standard

Clauses 5 to 8 of the PIMS extend the requirements of ISO 27001 to incorporate PII considerations. Clause 5 provides PIMS-specific guidance on the information security requirements in ISO 27001, applicable to organisations acting as PII controllers or processors. The organisation should produce a PIMS Statement of Applicability (SoA), which is shaped by whether it is a controller, a processor, or both.

An organisation can create an integrated ISMS-PIMS and extend its ISMS SoA to include the PIMS controls:

  • Annex A + Clause 6 = 37 enhanced controls
  • Annex A + Clause 7 = 31 new controls for controllers
  • Annex A + Clause 8 = 18 new controls for processors

Other considerations

The additional considerations in Clause 5 of the ISO 27701 standard, which may go beyond the requirements of an existing ISMS, are detailed below:

5.1 The requirements of ISO 27001 must be extended to the protection of privacy as potentially affected by the processing of PII. A glance at Annex F provides a table which gives a visual indication of how this will look.
5.2.1 An additional requirement to ISO 27001 clause 4.1 is that an organisation must determine its role as a PII controller and/or processor. Additionally, the external and internal factors that are relevant to its context and affect its ability to achieve the intended outcomes of its PIMS must be indicated. This includes any relevant legislation already adhered to as a consideration within the existing ISMS, or contractual requirements which hitherto had been identified in differing clauses or Annex controls within ISO 27001.

If an organisation identifies itself as both a PII controller and a PII processor, it must define the two roles separately, and each role will be subject to its own set of controls.

5.2.2 A consideration additional to ISO 27001 clause 4.2 is the requirement to include interested parties with responsibilities associated with the processing of PII. This can include customers, which again may not have previously been considered in an ISO 27001 ISMS. Additionally, the requirements relevant to the processing of PII can be determined by legal requirements, contractual obligations or self-identified objectives.
5.2.3 The scope of the ISMS is required by ISO 27001 clause 4.3. Additional PIMS factors for scope include the organisation's processing of PII. PIMS scope determination can therefore require a revision of the ISMS, because of the extended interpretation of what constitutes information security in ISO 27701 clause 5.1.
5.2.4 Further to ISO 27001 clause 4.4, the new standard requires an organisation to establish, implement, maintain and continually improve a PIMS in accordance with the requirements of ISO 27001:2013 clauses 4 to 10, extended by the requirements in clause 5.
5.3 Within ISO 27001, organisations are required to demonstrate commitment to the ISMS through leadership initiatives and the creation of policies, roles and responsibilities, and guidance. Likewise, the PIMS requires similar input from top management, along with the relevant PIMS-specific interpretations indicated at ISO 27701 clause 5.1, which covers all mirrored aspects of clause 5 of the ISMS.
5.4.1 The requirements of ISO 27001 to address risks and opportunities require augmentation with the considerations of clause 5.1 in ISO 27701. Furthermore, the information security risk assessments identified within ISO 27001 are applicable with the following additional requirements:

1. The organisation shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability within the scope of the PIMS.

2. The organisation shall apply a privacy risk assessment process to identify risks related to the processing of PII within the scope of the PIMS.

3. The organisation shall ensure throughout the risk assessment processes that the relationship between information security and PII protection is appropriately managed.

This can be an integrated risk assessment process or parallel processes which are controlled separately; it is entirely for the organisation to determine.

Additionally, ISO 27001 clause 6.1.2.d is refined to include an assessment of the potential consequences, for both the organisation and PII principals, that would result if the risks identified under ISO 27001 clause 6.1.2.c were to materialise.

Further considerations are given to the Statement of Applicability which the organisation would have generated when implementing the ISO 27001 ISMS. As the organisation would have followed an "opt out and justify" approach to produce the SoA in the first instance, likewise for the PIMS, not all control objectives and controls listed within the Annex areas need to be included during PIMS implementation. Justification for exclusion, where controls are not deemed necessary, can be recorded.
5.4.2 Information security objectives from the organisation's ISMS under clause 6.2, augmented by the interpretation of ISO 27701 clause 5.1, must be considered.
5.5 Support considerations from ISO 27001 clause 7 are applicable along with the additional interpretation specified within ISO 27701 clause 5.1.
5.6 Operational considerations from ISO 27001 clause 8, including risk treatment planning, are similarly required by ISO 27701 along with the additional information identified through addressing clause 5.1 of the latter standard.
5.7/5.8 Similarly, the monitoring, measuring and improvement considerations already live within an existing ISMS require further augmentation from the considerations given to ISO 27701 clause 5.1.

The process above shows that clause 5.1 of the new standard is the key to implementing a PIMS. The extension of privacy protection to the processing of PII is the essential element of implementation, and it guides what must be considered when addressing the other clause areas of ISO 27701.

The table below gives a simple summary of the information above:

ISO 27001 Clause        | ISO 27701 Extension
5.1, 5.2, 5.3, 7.1, 7.4 | Top-level commitment to the privacy policy and integration of the PIMS into the ISMS, including: (1) resourcing and establishment of roles; (2) communication (internal and external); (3) anticipated outcome; (4) control and guidance; (5) continual improvement of the PIMS
6.2                     | PIMS/privacy objectives
7.2                     | Competency profiles of individuals assigned to privacy roles
7.3                     | Awareness of the PIMS policy and how personnel contribute to the establishment and improvement of the system
7.5                     | Documentation for the PIMS, with additional considerations on information and documentation that does not originate within the organisation
8.1                     | PIMS risk treatment activation
8.2                     | PIMS risk assessment process
8.3                     | PIMS risk treatment plan, including amendments to existing risk registers
9.1, 9.2, 9.3           | PIMS performance and analysis of PIMS effectiveness, including: (1) internal audit; (2) management review
10                      | PIMS continual improvement considerations
