Privacy Information Management System (PIMS)

Help is almost here with the implementation and confirmation of the General Data Protection Regulation (GDPR) and other information privacy acts. ISO/IEC DIS 27552 is designed to enhance the existing Information Security Management System (ISMS, see the ISO/IEC 27000 series) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). ISO/IEC 27552 provides a framework for Personally Identifiable Information (PII) Controllers[i] and PII Processors[ii] to manage privacy controls, reducing risks to individuals’ privacy rights. It acts as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, requirements and guidelines.

ISO/IEC 27552 augments the existing ISMS with privacy-specific controls and creates a PIMS to enable effective privacy management within the organization. A well thought out PIMS implementation can bring about many potential benefits for PII Controllers and Processors.

First, managing compliance with various privacy regulations and policies from numerous jurisdictions can be burdensome, especially when the laws themselves are not organized in a way that helps PII controllers and processors apply them. Annex C demonstrates that one single control can account for multiple requirements from the General Data Protection Regulation (GDPR). Using the standard can significantly reduce the complexity of meeting regulations.

Second, the requirement for Data Protection Officers will help provide evidence to senior management and organization board members of their progress in regulatory privacy compliance. Compliance evidence based on a PIMS and, potentially, its certification can provide the necessary assurance to senior management and board members that the organization’s implementation meets the applicable privacy requirements.

Third, PIMS certification can be valuable in demonstrating an organization’s privacy compliance to customers, partners, and authorities. PII controllers generally demand evidence from PII processors that the processors’ privacy management system meets the applicable privacy requirements. A consistent evidence framework based on the international standard can greatly simplify such proof of compliance, especially when the evidence needs validation by an accredited third-party auditor. A well-implemented and reviewed ISO/IEC 27552 PIMS is a necessity for the all-important compliance transparency that is so critical to an organization’s strategic business decisions, such as mergers and acquisitions. It will also play a significant role where multiple organizations develop and implement scenarios involving data sharing agreements. Lastly, certifying an organization’s PIMS can potentially serve to signal trustworthiness to the public.

The standard segregates the requirements into the following four groups:

  • Clause 5 outlines PIMS requirements related to ISO/IEC 27001.
  • Clause 6 outlines PIMS requirements related to ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 describes PIMS guidance for PII Processors.

Further, ISO/IEC 27552 includes the following informative Annexes:

  • Annex A lists all appropriate controls for PII Controllers.
  • Annex B lists all suitable controls for PII Processors.
  • Annex C charts ISO/IEC 27552 controls against GDPR.
  • Annex D charts ISO/IEC 27552 controls against ISO/IEC 29100.
  • Annex E charts ISO/IEC 27552 controls against ISO/IEC 27018.
  • Annex F charts ISO/IEC 27552 controls against ISO/IEC 29151.

ISO/IEC 29100:2011 – Privacy Framework specifies a common privacy terminology, defines the actors and their roles in processing PII, describes privacy safeguarding considerations, and provides references to known privacy principles for information technology. You can download a copy of ISO/IEC 29100:2011.

ISO/IEC 27018 presents commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in line with ISO/IEC 29100’s privacy principles in cyberspace (the public cloud computing environment).

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls to meet the requirements identified by a risk and impact assessment related to the protection of PII.

[i] A PII controller (or data controller in some jurisdictions) is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

[ii] A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer. … NOTE Where the public cloud PII processor is processing cloud service customer account data, it might be acting as a PII controller for this purpose.