ISO/IEC 27557:2022 Information security, cybersecurity and privacy protection - Application of ISO 31000:2018 in organizational privacy risk management
Standard number: ISO/IEC 27557:2022
Chinese title (translated): Information security, cybersecurity and privacy protection - Application of ISO 31000:2018 in organizational privacy risk management
English title: Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management
Publication date: 2022-11
Scope
ISO/IEC 27557:2022 provides guidelines for organizational privacy risk management, extending ISO 31000:2018.
This document provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual and the consequences for the organization (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment:
- organizational consequences of adverse privacy impacts on individuals; and
- organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals.
This document assists in the implementation of a risk-based privacy programme which can be integrated into the overall risk management of the organization.
This document is applicable to all types and sizes of organizations processing PII or developing products and services that can be used to process PII, including public and private companies, government entities, and non-profit organizations.