The public consultation process for the draft international privacy information management standard ISO/IEC 27552 is now open until 25 February. As the UK’s national standards body, the British Standards Institution (BSI) is seeking to consult with interested parties from the tech industry, data protection practitioners, information security specialists and individuals.
Digitalisation, globalisation and the personalisation of services to the public have led to greater collection and processing of personal information. Therefore, the need for guidance on how organisations should manage and process data to reduce the risk to personal information being compromised in some way is also growing globally. This is particularly important now as many countries already have – or are in the process of enacting – data protection and privacy legislation.
The aim of ISO/IEC 27552 Security Techniques – Extensions to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines is to help organisations establish, implement, maintain and continually improve upon a Privacy Information Management System.
This new international standard for privacy information management will help organisations by providing best practice guidance, transparency between PII controllers, an effective way to manage PII processes and reassurance to customers that PII is effectively managed.
This standard is a privacy extension to ISO/IEC 27001 Information Security Management Systems and ISO/IEC 27002 Security Controls, and intends to provide guidance on the protection of privacy, including how organisations should manage personal information. It also aims to assist in demonstrating compliance with privacy regulations around the world.
Anne Hayes, head of governance and resilience at the BSI, said: “Given the dynamic environment in which we operate, the need for guidance on how organisations should manage and process data to reduce the risk to personal data is becoming more important. This is why we’re encouraging everyone to engage and share their feedback on this draft privacy information management standard.”
Experts can register their comments online at: https://standardsdevelopment.bsigroup.com/projects/2016-03384?_ga=2.176888802.655974847.1547469065-1085050989.1522317317
Connected automotive ecosystem: new recommendations
BSI has also published PAS 11281:2018 Connected Automotive Ecosystems – Impact of Security on Safety – Code of Practice to provide recommendations for managing security risks that might lead to a compromise of safety in a connected automotive ecosystem.
The broader transportation industry has already witnessed considerable disruption as cars and other on- and off-road vehicles become more connected to their surrounding infrastructure. Many vehicles are already connected and therefore able to send and receive data and communicate with their surroundings, which can make them vulnerable to cyber attacks.
Such challenges in this evolving ‘auto tech’ sector have created a requirement for reliable guidance to help address any factors that might affect security and, ultimately, safety.
The speed with which this sector is changing raises questions over whether all potential risk factors are being identified, or if sufficient contingency plans are in place.
It’s with this in mind that the BSI has published recommendations covering the entire connected automotive ecosystem and its constituent systems throughout their lifetimes (including manufacturing, supply chain and maintenance activities). PAS 11281 was drafted after consultation with a number of experts from various organisations*, then underwent a peer and public review and was published as a consensus document using an outcome-based approach.
The scope of the document covers potential risks to single systems through to multiple systems and considers their interdependencies and vulnerabilities. One example is the direct link between cyber security and safety: any compromise of the cyber aspect of a cyber-physical system, such as those used in connected vehicles, can manifest itself in the physical world.
Unacceptable risks to safety
Anne Hayes said: “This PAS is intended to be used by manufacturers, operators and maintainers of products, systems and services used in a connected automotive ecosystem. The technology supporting automotive transport has been evolving rapidly over the last few years and connected and autonomous vehicles are now a reality. These recommendations aim to help organisations to ensure that security-related risks in their products, services or activities do not pose unacceptable risks to safety.”
PAS 11281 complements the recently published PAS 1885:2018 The Fundamental Principles of Automotive Cyber Security, which was announced by the Department for Transport last month. For more information on PAS 11281 visit: https://shop.bsigroup.com/PAS11281
PAS 1885 sets out the fundamental principles for protecting vehicles and vehicle systems from cyber threats across the whole automotive life-cycle, from design right through to de-commissioning.
*The following organisations were involved in the development of this PAS: Adelard, Atkins, the Automotive Electronic Systems Innovation Network (AESIN), BodVoc, the Centre for the Protection of National Infrastructure (CPNI), the Defence Science and Technology Laboratory, the Department for Transport, Halfords Autocentres, Highways England, HORIBA MIRA, McLaren Automotive Ltd, Ricardo, Stagecoach Group, the National Cyber Security Centre and the Waverley House Consultancy Ltd.