With the entry into force of the General Data Protection Regulation GDPR, the topic of privacy engineering, understood among others as as data protection in the design of systems and software, as well as data protection by default.
The practice of privacy engineering is supported by a growing number of privacy, security, as well as software and systems engineering standards.
We have already written a lot about the aspects of data security, the ISO/IEC 27001, ISO/IEC 27002 Information Security Management System standards. In this article, we will focus on the standards that support privacy engineering in the field of information systems and software. These are:
- ISO/IEC/IEEE 15288 Systems and Software Engineering — System Life Cycle Processes.
It establishes common principles for describing processes in terms of the systems life cycle, defines a set of processes and related terminology from an engineering point of view. These processes can be used at any level in the system structure hierarchy. Selected sets of processes (organizational, technical or design) can be used throughout the system to manage and execute the stages of the system lifecycle. This is done by involving all stakeholders (system customer/buyer, system developer and/or provider, or parties interested in the contract/agreement) with the ultimate goal of achieving customer satisfaction.
The standard also provides processes to support the definition, control and improvement of the system life cycle processes used in an organization or project. Organizations and projects can use these processes in sourcing/purchasing and delivering systems. - ISO/IEC TR 27550 Information technology — Security techniques — Privacy engineering for system life cycle processes.
The standard takes into account the principles and concepts of privacy engineering, as well as standards and practices related to privacy, security, and systems and software engineering. It extends the ISO/IEC/IEEE 15288 standard by adding detailed guidelines that will help organizations integrate privacy engineering advances into their engineering practices. - ISO/IEC/IEEE 12207 Systems and software engineering – Software life cycle processes.
The standard applies to the acquisition (including purchase) and delivery, in particular the creation, development, operation, maintenance and removal of systems, products, services and software. - ISO/IEC/IEEE 29148:2018 Systems and software engineering — Life cycle processes — Requirements engineering.
This standard provides guidance on the application of requirements and processes related to the requirements described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207. It defines the necessary processes to be implemented in requirements engineering for systems and software for the entire life cycle, etc.
As we can see, privacy engineering standards in the field of information systems and software are closely related.
As a result…
If we want to apply good practices and implement them in our organization, read the above-mentioned standards and choose the elements that will best suit the scope of the Organization and its environment (the context of the organization), the needs, requirements and expectations of the parties. interested.
Our specialists are always ready to help in the analysis of processes in the organization, the development of tailored solutions, their implementation and conducting training dedicated to managerial staff, specialists involved in the development, implementation or service of systems requiring privacy protection.