File name: BS ISO IEC 29134-2017
  Category: Consulting
  Development tool:
  File size: 5mb
  Downloads: 0
  Upload time: 2019-03-04
  Provider: weixin_********
 Details: ISO 29134 is a personal information protection standard, one of the ISO series of personal information protection standards.

BS ISO/IEC 29134:2017
INTERNATIONAL STANDARD ISO/IEC 29134
First edition 2017-06
Information technology - Security techniques - Guidelines for privacy impact assessment
Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'évaluation d'impacts sur la vie privée
Reference number ISO/IEC 29134:2017(E)
© ISO/IEC 2017

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
© ISO/IEC 2017 - All rights reserved

BS ISO/IEC 29134:2017
ISO/IEC 29134:2017(E)

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Preparing the grounds for PIA
5.1 Benefits of carrying out a PIA
5.2 Objectives of PIA reporting
5.3 Accountability to conduct a PIA
5.4 Scale of a PIA
6 Guidance on the process for conducting a PIA
6.1 General
6.2 Determine whether a PIA is necessary (threshold analysis)
6.3 Preparation of the PIA ... 7
6.3.1 Set up the PIA team and provide it with direction
6.3.2 Prepare a PIA plan and determine the necessary resources for conducting the PIA ... 9
6.3.3 Describe what is being assessed ... 10
6.3.4 Stakeholder engagement
6.4 Perform the PIA ... 13
6.4.1 Identify information flows of PII ... 13
6.4.2 Analyse the implications of the use case ... 14
6.4.3 Determine the relevant privacy safeguarding requirements ... 15
6.4.4 Assess privacy risk ... 16
6.4.5 Prepare for treating privacy risks
6.5 Follow up the PIA ... 23
6.5.1 Prepare the report ... 23
6.5.2 Publication ... 24
6.5.3 Implement privacy risk treatment plans ... 24
6.5.4 Review and/or audit of the PIA ... 25
6.5.5 Reflect changes to the process ... 26
7 PIA report ... 26
7.1 General ... 26
7.2 Report structure
7.3 Scope of PIA ... 27
7.3.1 Process under evaluation ... 27
7.3.2 Risk criteria ... 29
7.3.3 Resources and people involved ... 29
7.3.4 Stakeholder consultation ... 29
7.4 Privacy requirements ... 29
7.5 Risk assessment ... 29
7.5.1 Risk sources ... 29
7.5.2 Threats and their likelihood ... 29
7.5.3 Consequences and their level of impact ... 30
7.5.4 Risk evaluation ... 30
7.5.5 Compliance analysis ... 30
7.6 Risk treatment plan ... 30
7.7 Conclusion and decisions ... 30
7.8 PIA public summary ... 30
Annex A (informative) Scale criteria on the level of impact and on the likelihood ... 32
Annex B (informative) Generic threats ... 34
Annex C (informative) Guidance on the understanding of terms used ... 38
Annex D (informative) Illustrated examples supporting the PIA process ... 40
Bibliography ... 42

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction
A privacy impact assessment (PIA) is an instrument for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII) and, in consultation with stakeholders, for taking actions as necessary in order to treat privacy risk. A PIA report may include documentation about measures taken for risk treatment, for example, measures arising from the use of the information security management system (ISMS) in ISO/IEC 27001.

A PIA is more than a tool: it is a process that begins at the earliest possible stages of an initiative, when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed.

Initiatives vary substantially in scale and impact. Objectives falling under the heading of "privacy" will depend on culture, societal expectations and jurisdiction. This document is intended to provide scalable guidance that can be applied to all initiatives. Since guidance specific to all circumstances cannot be prescriptive, the guidance in this document should be interpreted with respect to individual circumstance.

A PII controller may have a responsibility to conduct a PIA and may request a PII processor to assist in doing this, acting on the PII controller's behalf. A PII processor or a supplier may also wish to conduct their own PIA. A supplier's PIA information is especially relevant when digitally connected devices are part of the information system, application or process being assessed. It may be necessary for suppliers of such devices to provide privacy-relevant design information to those undertaking the PIA. When the provider of digital devices is unskilled in and not resourced for PIAs, for example a small retailer or a small and medium-sized enterprise (SME) using digitally connected devices in the course of its normal business operations, then, in order to enable it to undertake minimal PIA activity, the device supplier may be called upon to provide a great deal of privacy information and undertake its own PIA with respect to the expected PII principal/SME context for the equipment they supply.

A PIA is typically conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA may be necessary to meet legal and regulatory requirements.

This document is intended to be used when the privacy impact on PII principals includes consideration of processes, information systems or programmes, where:
  • the responsibility for the implementation and/or delivery of the process, information system or programme is shared with other organizations and it should be ensured that each organization properly addresses the identified risks;
  • an organization is performing privacy risk management as part of its overall risk management effort while preparing for the implementation or improvement of its ISMS (established in accordance with ISO/IEC 27001 or equivalent management system); or
  • an organization is performing privacy risk management as an independent function;
  • an organization (e.g. government) is undertaking an initiative (e.g. a public-private-partnership programme) in which the future PII controller organization is not known yet, with the result that the treatment plan could not get implemented directly and, therefore, this treatment plan should become part of corresponding legislation, regulation or the contract instead;
  • the organization wants to act responsible towards the PII principals.

Controls deemed necessary to treat the risks identified during the privacy impact analysis process may be derived from multiple sets of controls, including ISO/IEC 27002 (for security controls) and ISO/IEC 29151 (for PII protection controls) or comparable national standards, or they may be defined by the person responsible for conducting the PIA, independently of any other control set.