BS ISO IEC 29190-2015 pdf free download – Information technology — Security techniques — Privacy capability assessment model
A capability assessment model typically involves the following aspects:
a)Capability Levels: a layered framework providing a progression to the discipline needed to engage
in continuous improvement. lt is important to note that an organization needs to develop the abilityto assess the impact of a new practice, technology or tool on their business activities.Hence it is nota matter of adopting these rather it is a matter of determining how innovative efforts influenceexisting practices.
This empowers projects, teams, and organizations by giving them the foundation to supportreasoned choice.
b) Key Process Areas: this identifies a cluster of related activities which, when performed collectively,
achieve a set of goals considered important.
c) Goals: the goals of a key process area summarize the states that need to exist for each key process
area to have been implemented in an effective and lasting way.The extent to which the goals havebeen accomplished is an indicator how well the organization has established that capability level.The goals signify the scope, boundaries and intent of each key process area.
d) Common Features: common features include practices that implement and institutionalize a key
process area.
Common features are frequently defined as: Commitment to Perform; Ability to Perform; ActivitiesPerformed, Measurement and Analysis,and Verifying Implementation.
e) Key Practices: the key practices describe the elements of infrastructure and practice that contribute
most effectively to the implementation and institutionalization of the key process areas.
The objective of this International Standard is to provide guidance to organizations on assessinghow mature they are with respect to compliance with privacy and data protection legislation andrelevant good practice. This international Standard focusses on assessing those activities thatorganizations should carry out in order to demonstrate such compliance.
4.3Capability scale
A process assessment is a disciplined evaluation of an organizational unit’s processes against a processassessment model. A processes assessment aims to determine how well the processes in the currentpractice are performing relative to their goals and to locate areas of weakness.
A capability assessment model needs to be a structured collection of elements that describe thecharacteristics of effective processes. In the form documented by IS0 33020, the model allows anorganization to rate its processes on the following capability scale:
Level 0: Incomplete process
– The process is not implemented, or fails to achieve its process purpose.At this level there is little or
no evidence of any systematic achievement of the process purpose.
Level 1: Performed process
– The implemented process achieves its process purpose.Level 2: Managed process
The performed process is implemented in a managed fashion (planned, monitored and adjusted)and its work products are appropriately established, controlled and maintained.
This capability scale provides a layered framework to advance the disciplines needed to engage in continuous improvement. This empowers projects, teams, and organizations by giving them the foundation to support reasoned choice. With profiling, the model can be used to assess an organization’s capability with respect to, for instance, protecting PII as required by relevant national regulatory laws. A capability model can also be used as a benchmark for comparing different organizations once there is a common model that can be used as a basis for comparison. For the purposes of this International Standard, the basis for comparison is the organizations’ processes for handling PII in a manner compliant with national regulatory laws and relevant good practice. There is benefit in including this capability scale, as it is of more use (to the corporate executive responsible) than some of the more detailed analysis and audit results which one could expect from assessment at the “key performance indicator” level (see Annex A).BS ISO IEC 29190 pdf download.