David Zetoony, co-chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, co-authored an IAPP article titled “Data Privacy Requests Metrics: Lessons for Your Privacy Program.” Read the full article here.
Thinking beyond the law: Does the ISO 27701 privacy framework use the same principles that are found within the ISO 29011 framework?
The ISO 29100 privacy framework sets forth the following eleven core principles:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency, and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
The ISO 27701 privacy framework is not explicitly organized using the
Thinking beyond the law: If our organization adopts the ISO 27701 privacy framework, how many controls do we need to address?
While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to an organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards. As a result, it is organized based upon the assumption that an organization already has a security program that is built off
Thinking beyond the law: What is the ISO 27701 privacy framework?
In 2019, the International Organization for Standards joint technical committee ISO/IEC JTC1, Information technology subcommittee SC27, developed a privacy framework that was intended to build off of the existing ISO data security standards – i.e., ISO/IEC 27001:2013 (Information security management systems) and ISO/IEC 27002:2013 (Code of practice for information security controls) – by integrating into
Does the NIST privacy framework require that companies score themselves?
No. The NIST privacy framework recommends that companies summarize their maturity with respect to each category by using four “Tiers.” The Tiers are intended to describe whether the current practices of the company with respect to the domain are partially in place (Tier 1), risk informed (Tier 2), repeatable (Tier 3), or adaptive (Tier 4).
What is a profile in the context of the NIST privacy framework?
The NIST privacy framework refers to the term “current profile” to describe the current state of a company’s privacy program in relation to a specific Subcategory. So, for example, a company might include the following description in its current profile for the following subcategory:
| Subcategory | Current Profile |
| ID.IM-P1: Systems/products/services that process data are inventoried. | The |
How many core subcategories are included in the NIST privacy framework?
The NIST privacy framework refers to the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Subcategory is the most granular, and tangible, aspect of the core. In total, the NIST privacy framework proposes 100 Subcategories. It should be noted, however,
How many core categories are included in the NIST privacy framework?
The NIST privacy framework refers to the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. Categories are intended to be subdivisions of the Functions, and groupings of the Subcategories. In total, the NIST privacy framework contains 18 Categories.
Does ISO 27701 adopt different terminology than ISO 29100?
No. ISO 27701 utilizes the same terms, definitions, and abbreviations as ISO 29100.
How many core functions does the NIST privacy framework identify?
The NIST privacy framework refers to the term “core” to describe a set of privacy activities and outcomes. The core is composed of three nested levels: Function, Category, and Subcategory. The core “Function” is the broadest category level and consists of five recommended Functions: Identify, Govern, Control, Communicate, and Protect.