ISO IEC TR 27550:2019 pdf free
ISO IEC TR 27550:2019 pdf free.Information technology一Security techniques
System and software enginering practice relies on conformance with a selected life cycle model and its associated processes. Privacy engineering practice extends system and software engineering practice through the integration of privacy concerns into the life cycle processes. It therefore has an impact on the description of the life cycle processes.
ISO/IEC/IEEE 15288 describes thirty processes structured into four categories:
– agreement processes which focus on activities related to supplier agreements;
– organizational project-enabling processes which focus on activities related to improvement of the organization’s business or undertaking;
– technical management processes which focus on managing the resources and assets allocated to the engineering of a system; and
– technical processes which focus on technical actions throughout the life cycle.
This document, in particular Clause 6, focuses on the ISO/IEC/IEEE 15288 processes where the need for privacy engineering guidance has been identified.
The rationale for covering the above processes is as follows:
– acquisition and supply processes: guidelines on the relationships between stakeholders in the supply chain are needed to ensure that all relevant privacy requirements have been identified and documented and that they are provided to all sub-system suppliers as appropriate. This includes the relations between PII controllers and Pll processors as well as the relationships between Pll controllers/processors and suppliers;
– human resources management process: guidelines on privacy engineering human resource management are needed to ensure that relevant competency is available and becomes an integral part of an organization’s culture and core values;
– knowledge management process: guidelines on how to carry out continuous improvement in privacy engineering are needed to ensure that best practices are updated within an organization;
– risk management process: guidelines on how to carry out a risk management process are needed to ensure that relevant privacy risk sources, as well as relevant impacts, are properly assessed.Risk sources stem from problematic PII processing as well as threats to and vulnerabilities of the system. The resulting impact may be on PII principals’ privacy as well as organizations’ operations and business;
– stakeholders needs and requirements process: guidelines on how to address stakeholders’ privacy expectations are needed;
– system requirements definition process: guidelines on the transformation of privacy principles into a set of operational requirements is needed to ensure that these principles are taken into account from the start of the system life cycle;
– architecture definition process: guidelines on the definition of a system architecture are needed to ensure that privacy principles are taken into account. For instance, data minimization considerations can have an influence on the location of data storage; and
– design definition process: guidelines on the design of the system are needed to ensure that appropriate privacy controls are integrated.ISO IEC TR 27550 pdf download.