The information security community is excited about the upcoming ISO/IEC 27552* (Privacy Information Management), which is an extension to ISO/IEC 27001 and ISO/IEC 27002. Personally, while I am certified in GDPR, have worked with the new California Consumer Privacy Act, and am familiar with South Africa’s Protection of Personal Information Act (POPIA), the Asia Pacific Data Protection and Cyber Security Regulation, and many other acts and standards, I still feel that all of these are lacking in different areas. This new ISO standard provides guidance on the areas needed to implement a robust privacy program and fills the gaps left by so many acts and standards pertaining to Personally Identifiable Information (PII) / personal data.
The GDPR, for instance, does require security and does list measures (such as pseudonymisation and encryption) in Article 32, “Security of processing”, but it does not give detailed implementation guidance. ISO/IEC 27001 is a great standard for an Information Security Management System (ISMS). Annex A of that standard provides 114 controls to help protect the organization and the confidentiality, integrity and availability of its data. ISO/IEC 27002 provides the implementation guidance for those controls and is the code of practice for information security management. By also implementing the upcoming ISO/IEC 27552, these standards together can help you comply with many data privacy regimes, requirements and acts.