{"id":4326,"date":"2024-04-27T06:20:29","date_gmt":"2024-04-27T12:20:29","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=4326"},"modified":"2025-03-05T10:59:33","modified_gmt":"2025-03-05T16:59:33","slug":"iso-27550","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/iso-27550\/","title":{"rendered":"ISO 27550 International Standard"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tStandard<\/span>\n\t\t\t\t\t\t\t\t\t\t

ISO 27550 <\/h1>\n\t\t\t\t\t

The International Organization for Standardization (ISO) 27550, focuses on security techniques, establishes engineering guidelines designed to help entities to incorporate privacy engineering elements into various system lifecycle processes. <\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Who should use ISO 27550?<\/h2>\n

This voluntary international standard is directed towards engineers and practitioners involved in the development, implementation or operation of systems that need privacy consideration. Managers responsible for privacy, development, product management, marketing, and operations also find this standard beneficial.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Key obligations of ISO 27550<\/h2>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Risk management processes<\/h4>\n

Conduct a risk management process to identify, assess, and remediate systematic risks throughout the entire lifecycle of a system product and\/or service. Perform supplementary analysis to identify risks associated with processing PII<\/a> and system vulnerabilities, estimate risks’ possibilities and consequences, and prioritize mitigating them.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Implementation of data management controls<\/h4>\n

Establish system infrastructures that enable granular control over PII to implement key privacy principles such as maintaining data quality and integrity, achieving data minimization, and implementing individuals’ privacy preferences. Enable certain privileged stakeholders to administer changes to PII management and processing, ensuring fair treatment of individuals.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Safeguarding individual identities via disassociability<\/h4>\n

Disassociability actively conceals an individual’s identity and\/or activities from unnecessary exposure during processing or transactions involving PII. Achieve disassociability through deploying cryptographic techniques, including anonymity, de-identification, unlinkability, unobservability, and pseudonymity.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Transparency<\/h4>\n

Provide individuals with information regarding the entire system lifecycle that covers actual and planned processing activities, including: why PII is needed for processing, the purpose of processing, and whether PII will be disclosed to third-parties.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWhitepaper<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Privacy and Data Security in Mergers & Acquisitions<\/h2>\n\t\t\t\t\t\t

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today. <\/p>\n\t\t\t\t\t\t