Public consultation process launched for new international privacy information management standard

The public consultation process for the draft international privacy information management standard ISO/IEC 27552 is now open until 25 February. As the UK’s national standards body, the British Standards Institution (BSI) is seeking to consult with interested parties from the tech industry, data protection practitioners, information security specialists and individuals.

Digitalisation, globalisation and the personalisation of services to the public have led to greater collection and processing of personal information. Therefore, the need for guidance on how organisations should manage and process data to reduce the risk of personal information being compromised in some way is also growing globally. This is particularly important now as many countries already have – or are in the process of enacting – data protection and privacy legislation.

The aim of ISO/IEC 27552 Security Techniques – Extensions to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines is to help organisations establish, implement, maintain and continually improve upon a Privacy Information Management System.

This new international standard for privacy information management will help organisations by providing best practice guidance, transparency between PII controllers, an effective way in which to manage PII processes and reassurance to customers that PII is effectively managed.

This standard is a privacy extension to ISO/IEC 27001 Information Security Management Systems and ISO/IEC 27002 Security Controls, and intends to provide guidance on the protection of privacy, including how organisations should manage personal information. It also aims to assist in demonstrating compliance with privacy regulations around the world.

Anne Hayes, head of governance and resilience at the BSI, said: “Given the dynamic environment in which we operate, the need for guidance on how organisations should manage and process data to reduce the risk to personal data is becoming more important. This is why we’re encouraging everyone to engage and share their feedback on this draft privacy information management standard.”

Experts can register their comments online at:

Connected automotive ecosystem: new recommendations

Howard Kerr: CEO at the BSI

BSI has also published PAS 11281:2018 Connected Automotive Ecosystems – Impact of Security on Safety – Code of Practice to provide recommendations for managing security risks that might lead to a compromise of safety in a connected automotive ecosystem.

The broader transportation industry has already witnessed considerable disruption as cars and other on- and off-road vehicles become more connected to their surrounding infrastructure. Many cars and vehicles are already connected and therefore able to send and receive data and communicate with their surroundings, which can make them vulnerable to cyber attacks.

Such challenges in this evolving ‘auto tech’ sector have created a requirement for reliable guidance to help address any factors that might affect security and, ultimately, safety.

The speed with which this sector is changing raises questions over whether all potential risk factors are being identified, or if sufficient contingency plans are in place.

It’s with this in mind that the BSI has published recommendations covering the entire connected automotive ecosystem and its constituent systems throughout their lifetimes (including manufacturing, supply chain and maintenance activities). PAS 11281 was drafted after consultation with a number of experts from various organisations*, then underwent a peer and public review and was published as a consensus document using an outcome-based approach.

The scope of the document covers potential risks to single systems through to multiple systems and considers their interdependencies and vulnerabilities. One example is the direct link between cyber security and safety: any compromise of the cyber aspect of a cyber-physical system, such as those used in connected vehicles, can manifest itself in the physical world.

Unacceptable risks to safety

Anne Hayes said: “This PAS is intended to be used by manufacturers, operators and maintainers of products, systems and services used in a connected automotive ecosystem. The technology supporting automotive transport has been evolving rapidly over the last few years and connected and autonomous vehicles are now a reality. These recommendations aim to help organisations to ensure that security-related risks in their products, services or activities do not pose unacceptable risks to safety.”

PAS 11281 complements the recently published PAS 1885:2018 The Fundamental Principles of Automotive Cyber Security, which was announced by the Department for Transport last month. For more information on PAS 11281 visit:

PAS 1885 sets out the fundamental principles for protecting vehicles and vehicle systems from cyber threats across the whole automotive life-cycle, from design right through to de-commissioning.

*The following organisations were involved in the development of this PAS: Adelard, Atkins, the Automotive Electronic Systems Innovation Network (AESIN), BodVoc, the Centre for the Protection of National Infrastructure (CPNI), the Defence Science and Technology Laboratory, the Department for Transport, Halfords Autocentres, Highways England, HORIBA MIRA, McLaren Automotive Ltd, Ricardo, Stagecoach Group, the National Cyber Security Centre and the Waverley House Consultancy Ltd.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.