File name:
BS ISO IEC 29134-2017
Development tool:
File size: 5 MB
Downloads: 0
Upload time: 2019-03-04
Description: ISO/IEC 29134 is a personal information (PII) protection standard, one of the ISO series of personal information protection standards. The extracted front matter of the PDF follows.

BS ISO/IEC 29134:2017
INTERNATIONAL STANDARD ISO/IEC 29134
First edition
2017-06

Information technology - Security techniques - Guidelines for privacy impact assessment

Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée

Reference number
ISO/IEC 29134:2017(E)
© ISO/IEC 2017
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

© ISO/IEC 2017 - All rights reserved
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Preparing the grounds for PIA
    5.1 Benefits of carrying out a PIA
    5.2 Objectives of PIA reporting
    5.3 Accountability to conduct a PIA
    5.4 Scale of a PIA
6 Guidance on the process for conducting a PIA
    6.1 General
    6.2 Determine whether a PIA is necessary (threshold analysis)
    6.3 Preparation of the PIA
        6.3.1 Set up the PIA team and provide it with direction
        6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA
        6.3.3 Describe what is being assessed
        6.3.4 Stakeholder engagement
    6.4 Perform the PIA
        6.4.1 Identify information flows of PII
        6.4.2 Analyse the implications of the use case
        6.4.3 Determine the relevant privacy safeguarding requirements
        6.4.4 Assess privacy risk
        6.4.5 Prepare for treating privacy risks
    6.5 Follow up the PIA
        6.5.1 Prepare the report
        6.5.2 Publication
        6.5.3 Implement privacy risk treatment plans
        6.5.4 Review and/or audit of the PIA
        6.5.5 Reflect changes to the process
7 PIA report
    7.1 General
    7.2 Report structure
    7.3 Scope of PIA
        7.3.1 Process under evaluation
        7.3.2 Risk criteria
        7.3.3 Resources and people involved
        7.3.4 Stakeholder consultation
    7.4 Privacy requirements
    7.5 Risk assessment
        7.5.1 Risk sources
        7.5.2 Threats and their likelihood
        7.5.3 Consequences and their level of impact
        7.5.4 Risk evaluation
        7.5.5 Compliance analysis
    7.6 Risk treatment plan
    7.7 Conclusion and decisions
    7.8 PIA public summary
Annex A (informative) Scale criteria on the level of impact and on the likelihood
Annex B (informative) Generic threats
Annex C (informative) Guidance on the understanding of terms used
Annex D (informative) Illustrated examples supporting the PIA process
Bibliography
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction

A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001. A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.

Initiatives vary substantially in scale and impact. Objectives falling under the heading of "privacy" will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstances.

A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in doing this, acting on the PII controller's behalf. A PII processor or a supplier may also wish to conduct their own PIA.

A supplier's PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. When the provider of digital devices is unskilled in and not resourced for PIAs, for example:

- a small retailer, or
- a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations,

then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.

A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory requirements.

This document is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:

- the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;
- an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or an equivalent management system), or an organization is performing privacy risk management as an independent function;
- an organization (e.g. a government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not be implemented directly and, therefore, this treatment plan should become part of the corresponding legislation, regulation or contract instead;
- the organization wants to act responsibly towards the PII principals.
Controls deemed necessary to treat the risks identified during the privacy impact analysis process may be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and ISO/IEC 29151 (for PII protection controls) or comparable national standards, or they may be defined by the person responsible for conducting the PIA, independently of any other control set.