This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
SFS Suomen Standardit is responsible for the preparation of this publication in Finland, tel. 09 149 9331.
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General
4.1 Structure of this document
4.2 Application of ISO/IEC 27001:2013 requirements
4.3 Application of ISO/IEC 27002:2013 guidelines
4.4 Customer
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.3 Leadership
5.4 Planning
5.5 Support
5.6 Operation
5.7 Performance evaluation
5.8 Improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.3 Organization of information security
6.4 Human resource security
6.5 Asset management
6.6 Access control
6.7 Cryptography
6.8 Physical and environmental security
6.9 Operations security
6.10 Communications security
6.11 Systems acquisition, development and maintenance
6.12 Supplier relationships
6.13 Information security incident management
6.14 Information security aspects of business continuity management
6.15 Compliance
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.3 Obligations to PII principals
7.4 Privacy by design and privacy by default
7.5 PII sharing, transfer, and disclosure
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.3 Obligations to PII principals
8.4 Privacy by design and privacy by default
8.5 PII sharing, transfer, and disclosure
Annex A PIMS-specific reference control objectives and controls (PII Controllers) (normative)
Annex B PIMS-specific reference control objectives and controls (PII Processors) (normative)
Annex C Mapping to ISO/IEC 29100 (informative)
Annex D Mapping to the General Data Protection Regulation (informative)
Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151 (informative)
Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002 (informative)
ISO/IEC 27000 Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 29100 Information technology — Security techniques — Privacy framework