The difference explained?
The draft publication of ISO27552 – Privacy Information Management is available to purchase. This makes an interesting read and is a must for any data protection advocate seeking to enhance privacy controls.
But what exactly is it and how does it align with BS10012: 2017 + A1: 2018?. ISO27552 is designed to be formulated and become an extension to the ISO27001 suite. With particular reference to the controls selection. It shares the high-level structures of Annex SL as we can see within BS10012. It has a suite of draft controls that if carefully chosen will enhance privacy arrangements.
The benefit of this draft Standard is that it will be an add-on to the well-used and respected ISO27001 – Information technology. Security techniques. Information security management systems. Requirements
It means that those organisations that already have ISO27001 will be able to address many elements of information privacy by extending their ISMS systems. We must assume that UKAS approved certification bodies will extend scope statements accordingly – for those entities choosing this approach.
So where does BS10012 – Data Protection sit? It is a British Standard only. With the subtle updates to the Data Protection Act 2018 this makes the above more focussed to the home market than say the ISO27552, which would have a broader European / international focus.
The BS10012: 2017 + A1: 2018 is totally focussed on data protection and requires careful analysis and presentation of data processing activities and the careful analysis of many of the key articles within the DPA 2018. However, embracing BS10012 will be a different undertaking to that of ISO27552. It requires a separate certification audit from a UKAS certification body and is by its nature and layout different to ISO27552 in that it is not controls based.
It is also fair to say that BS10012 does not focus on information security in the way that ISO27552 / 27001 seeks.
So, in summary if as an organisation your core activities are the management of personal data and have UK interested parties that demand assurance of the probity of your data protection management systems then BS10012 is likely to be the answer. However, ISO27552 will have some additional privacy controls that could easily compliment your security initiative.
Marcus Allen BSc MSc AMBCS FCMI FIC Int.Dip (GRC) holds twenty-five years’ experience as a management consultant in compliance solutions. He is a Fellow of the Institute of Consultants. He has worked in the data security and data protection arenas since 2000 and has been prompting and working with BS10012 since 2009 in a variety of large volume data driven sectors.
He holds a master’s degree from a premier UK research university in ‘management learning and change’.