IEC 29190-2015 pdf free download – Information technology — Security techniques — Privacy capability assessment model.
This International Standard provides organizations with high-level guidance about how to assess theircapability to manage privacy-related processes.
In particular, it
-specifies steps in assessing processes to determine privacy capability,- specifies a set of levels for privacy capability assessment,
– provides guidance on the key process areas against which privacy capability can be assessed,-provides guidance for those implementing process assessment, and
provides guidance on how to integrate the privacy capability assessment into organizationsoperations.
2Normative references
The following documents, in whole or in part, are normatively referenced in this document and areindispensable for its application. For dated references,only the edition cited applies.For undatedreferences, the latest edition of the referenced document(including any amendments) applies.
ISO/IEC 29100, Information technology —Security techniques — Privacy framework
ISo/IEC 33001:2015, Information technology —Process assessment —Concepts and terminology
ISO/IEC 33020:2015,Information technology —Process assessment — Process measurement frameworkfor assessment of process capability
3Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and ISO/IEC33001and apply.
4Methodology
4.1 Introduction
In the current global environment, there is a tendency towards collection, use, disclosure and retentionof more and more personally identifiable information (PII),for purposes ranging from supportfor business operations to national security and law enforcement.As is evident from the regularnotification of privacy breaches, much more work is required on the part of organizations to adequatelyprotect the Pll that they are collecting, using, disclosing and retaining,as required by relevant nationalregulatory laws.
One way to develop and refine an organization’s processes is to begin with an assessment of their existing capabilities in this area. To perform a process assessment in the privacy domain, typically involves the following activities:
— Define a privacy capability assessment model (see 4.2);
— Define a capability scale (see 4.3);
— Rate the process’s current capability vs. target capability (see 4.4);
— Determine sub optimal processes (see 4.5);
— Identify proposals for changing processes (see 4.6);
— Modify processes (see 4.7);
— Identify the privacy activities and target capability (see 5.1);
— Identify the privacy-related processes (see 5.4);
— Prepare criteria for information collection (see 5.5);
— Collect and analyse information from privacy-related processes (5.6).
An optional additional subsequent action is to map the capability determination (i.e. the target capability level) to a scale taken from a process assessment model to assist in goal setting, comparative analysis (i.e. to measure current capability and use as a baseline for assessing an incremental process improvement target), and continual improvement strategies (i.e. develop a context or business function improvement strategy to use in planning for a process improvement project).
This International Standard as a whole guides organizations towards the production of several different kinds of output:
— an over-all “score” against a simple capability assessment such as the example of the six-level model described in 4.3;
— a set of metrics indicating assessment against key performance indicators in areas such as those described in the second example in 5.1;
— the detailed outputs from audit and management disciplines in specific areas of privacy management (for example, assessment against data protection criteria and data custody best practice).
4.2Define a privacy capability assessment model
ISO/IEC 3300x is a suite of International Standards that has been developed by the ISO/IEC JTC1/SC 7 Software and system engineering committee. It provides information on the concepts of processassessment and its use in process improvement and process capability determination. ISo/IEC 29190uses the concepts of ISO/IEC 3300x for the assessment of privacy capability.BS ISO-IEC 29190 pdf download.