This website uses cookies. View our cookie policy
Close
United Kingdom
Select regional store:

ISO 27552

The international standard for privacy information management

What is ISO 27552?

ISO 27552 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system) based on the requirements, control objectives and controls in the information security management standard ISO 27001, and extended by a set of privacy-specific requirements, control objectives and controls.

ISO 27001 sets out the requirements for an ISMS (information security management system), a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 provides stakeholders with assurance that data is being appropriately secured.

Organisations that have implemented ISO 27001 will be able to use ISO 27552 to extend their security efforts to cover privacy management – including their processing of personal data/PII (personally identifiable information) – which will help them demonstrate compliance with data protection laws such as the GDPR.

Organisations without an ISMS can also implement ISO 27001 and ISO 27552 together as a single implementation project. Because ISO 27552 simply expands on the requirements and guidance provided by ISO 27001 and its code of practice, ISO 27002, there is no need to blend two separate management systems or implementation projects.


Who should implement ISO 27522?

ISO 27522 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.


What’s the difference between a privacy information management system and a personal information management system?

Whereas ISO 27552 sets out the requirements for a privacy information management system, BS 10012 is the British standard for a personal information management system.

There is little material difference between the two terms – both are management systems designed to secure personal information – and for the sake of day-to-day activities you can assume the acronym ‘PIMS’ to refer to either. Hwoever, there are some notable differences between the two approaches, which are considered below.

There are also some differences in terminology between the GDPR and the draft of ISO 27552:

GDPR

ISO 27552

Personal data

PII

Data controller

PII controller

Data processor

PII processor

Data subject

PII principal

Data protection by design

Privacy by design

Data protection by default

Privacy by default


Should I implement ISO 27522 or BS 10012?

Both standards have much to recommend them. However, they differ in certain aspects.

BS 10012 is a British standard that is aligned with the GDPR and DPA 2018, whereas ISO 27552 avoids aligning itself with any specific data protection regime. This grants it wider application, allowing conformant organisations to comply with several privacy regimes.

If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 suits your requirements.

Therefore, organisations that are in the process of implementing or have already implemented ISO 27001 should find it relatively easy to implement ISO 27552.

IT Governance can help you determine which standard is better suited to your needs, and provide all the implementation support you require.


ISO 27522 control mappings

As well as providing privacy-specific requirements, controls and control objectives for controllers and processors, ISO 27552 includes annexes that map them to:

  • ISO 29100 (Information technology – Security techniques – Privacy framework);
  • ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
  • ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).

It also contains an annex that maps its requirements and controls to the GDPR’s requirements, so ISO 27552 can be used as a GDPR compliance guide by data controllers and processors.

For instance, data controllers’ obligations for meeting data subjects’ rights under the GDPR are covered by ISO 27552’s controls covering obligations to PII principals.

Guidance is provided for implementing each control.


Demonstrate GDPR compliance with ISO 27552 and ISO 27001

Implementing ISO 27552 and ISO 27001 will enable you to meet the privacy and information security requirements of the GDPR and other data protection regimes, and demonstrate that you have management arrangements in place for “appropriate technical and organisational measures” to protect the personal data you process and uphold data subjects’ rights, in line with the Regulation’s accountability principle (Article 5(2)).

Article 42 of the GDPR discusses data protection certification mechanisms and data protection seals and marks. No such mechanisms yet exist. However, it is possible to achieve independently accredited certification to ISO 27001 – and by extension ISO 27552 if you implement its controls – which will demonstrate to stakeholders and regulators that your organisation is following international best practice when it comes to securing personal data/PII.

Find out more about ISO 27001 certification >>


GDPR compliance standard

The EU GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018 require controllers and processors of personal data to implement “appropriate technical and organisational measures to secure it, as well as measures to ensure the privacy of personal data.

However, they provide little guidance on what form those measures should take.

ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) are developing a new addition to the ISO 27000 family of information security standards to provide that guidance.

ISO/IEC 27552 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines, or ISO 27552, is currently in draft stage and is expected to be published late 2019. The information on this page is based on that draft.