Reading time: ~ 3 min.
ISO/IEC 27557:2022 the information security, cybersecurity and privacy protection standard
The ISO/IEC 27557:2022 standard on «information security, cybersecurity and privacy protection– application of ISO 31000:2018 for organizationl privacy risk management» provides a framework for assessing organizational privacy risk.
It is important to note that this framework takes into consideration the privacy impact as a component of the overall organizational risk and particularly in the way that follows:
- the organizational consequences of adverse privacy impacts on individuals;
- the organizational consequences of privacy events that damage the organization itself (e.g. by harming its reputation) without causing any kind of privacy impacts to individuals.
The relationship between the ISO/IEC 27557:2022 and ISO 31000:2018 standards
The relationship between the ISO/IEC 27557:2022 and ISO 31000:2018 standards
It is useful to remember that ISO/IEC 27557:2002 standard is based on the «ISO 31000:2018 – Risk Management – Guidelines».
This standard includes some specific considerations for organizational privacy risk and to support the organizations on the implementation of a Privacy Information Management System (PIMS), according to the «ISO/IEC 27701:2019 Security techniques– Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines» standard.
The ISO/IEC 27557 standard therefore can be used for integrating risk management and compliance between the privacy requirements set by the EU GPDR and the Swiss FADP (known as LDP and DSG).
It sounds quite interesting but it is a little bit confusing to figure out just considering our brief recap? Let's try to look at things from a different perspective with the help of our steady infographic.
ISO/IEC 27557 standard: the «bridge» to integrate risk management and compliance under EU and Swiss privacy regulations
