Vault restructure

Corpus/📚️ Literature notes/Privacy in ISO 27k.md

@@ -0,0 +1,62 @@
+## Application specific guidelines
+[ISO/IEC 27017 cloud security](https://www.iso27001security.com/html/27017.html)
+> The code of practice provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002, in the cloud computing context.
+> The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section.
+
+[ISO/IEC 27018 Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors](https://www.iso27001security.com/html/27018.html)
+> The standard is primarily concerned with public-cloud computing service providers acting as PII processors . “A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer”
+
+[ISO/IEC 27030 Security and privacy for Internet of Things](https://www.iso27001security.com/html/27030.html)
+> The standard will provide guidance on the principles, risk and controls for IoT security and privacy. Currently at 2nd Committee Draft stage. The standard is due to be published in 2022.
+
+[ISO/IEC 27046 Big data security and privacy implementation](https://www.iso27001security.com/html/27046.html)
+> This standard is intended to help organizations implement the processes described in  [ISO/IEC 27045](https://www.iso27001security.com/html/27045.html)  in order to ensure the security and privacy of big data. It is currently at Working Draft stage. The standard was due to be published in 2023. However, a hiatus on the  [ISO/IEC 27045 ](https://www.iso27001security.com/html/27045.html) project implies this standard and its schedule is in doubt.
+
+[ISO/IEC 27400 IoT security and privacy](https://www.iso27001security.com/html/27400.html)
+> The standard will provide guidance on the principles, risk and controls for IoT security and privacy. It identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration. Currently at 3rd Committee Draft stage. The standard is due to be published in 2022. 
+
+## Management frameworks (?)
+[ISO/IEC 27701 Privacy information management](https://www.iso27001security.com/html/27701.html)
+> The standard specifies a Privacy Information Management System based on ISO/IEC 27001(ISMS), 27002 (security controls) and 29100 (privacy framework). It is applicable to both controllers and processors of Personally Identifiable Information.
+
+[ISO/IEC TR 27550 Privacy engineering](https://www.iso27001security.com/html/27550.html)
+> This is an IT security standard about *engineering* IT systems to satisfy privacy requirements relating to the protection of personal data.
+
+[ISO/IEC 27552 Extension to 27001/27002 for privacy information management](https://www.iso27001security.com/html/27552.html)
+> This standard will explain how to ‘enhance’ (adapt and extend) an ISO 27001 ISMS and the associated 27002 controls to manage privacy as well as information security. Currently at DIS stage. Due to be published at the end of 2019.
+
+[ISO/IEC 27556 User-centric framework for the handling of PII and privacy preferences](https://www.iso27001security.com/html/27556.html)
+> The standard will lay out a “user-centric framework” (an architecture) to handle personal information in a controlled manner. […]  It is at 2nd Committee Draft stage and is expected to be published in early in 2023.
+
+[ISO/IEC 27557 Organizational privacy risk management](https://www.iso27001security.com/html/27557.html)
+> Currently at Working Draft stage. This standard will guide organizations on managing privacy risks that could impact the organization and/or data subjects.
+
+[ISO/IEC 29100:2011 Privacy Framework](https://www.itgovernance.asia/shop/product/iso29100-iso-29100-privacy-framework)
+> ISO/IEC 29100:2011 provides a privacy framework for when dealing with PII. The standard:
+> Specifies a common privacy terminology
+> Defines the actors and their roles in processing PII
+> Describes privacy safeguarding considerations; and
+> Provides references to known privacy principles for information technology
+
+
+
+27018 is vooral voor de rol van Verwerker.
+Bij 27018 ligt de focus op de garantie kunnen bieden aan de klant, dat er met zijn gegevens wordt omgegaan conform geldende privacy principes.
+Er wordt geen aandacht besteed aan de werking van de interne organisatie (tenzij dat nodig is voor het voorgaande).
+Het biedt maatregelen en richtlijnen in aanvulling op het 27001 ISMS en Annex A.
+Zo kun je 27018-compliant zijn in de dienstverlening aan de klant en de omgang met zijn gegevens (in de rol van verwerker), terwijl je intern (bijv. Bij HR en Marketing) niet voldoet aan de GDPR (in de rol van verwerkingsverantwoordelijke).
+Voorbeeld: A 4 Collection limitation: geen aanvullende maatregelen, terwijl dit in bijv een Client Onboarding proces van belang is.
+A 5 Data minimisation: alleen veilige verwijdering van tijdelijke bestanden. Terwijl de typische marketing afdeling zelden contactgegevens verwijdert als ze ze eenmaal in handen hebben.
+27018:A.10.1 Notification of a data breach involving PII gaat primair over de verplichtingen richting de klant m.b.t. het lekken van hun data.
+
+* BCR/SCC worden niet genoemd in de 27018
+
+
+27701 focust op de rol als Verwerkingsverantwoordelijke.
+
+
+The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector specific requirements, without the need to develop a new Management System. ISO Management System standards, including the sector specific ones, are designed to be able to be implemented either separately or as a combined Management System.
+
+maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
+
+This document specifies PIMS-relate