Introduction - Kantara Initiative

*Editor's note:
Proposed further change of title:
In the course of the Melaka WG discussion, the South African National
Body noted the existence of prior work which is of potential value to
this project. In particular “ISO 15504 – Information Technology –
Process Assessment” was cited, especially because it includes
substantial work to define models for “capability” and “process” which
offer the potential for re-use in the privacy context, while still
avoiding any potential clash with the CMU “Service Mark” referred to
below.
Accordingly, I propose a further amendment to the suggested title of
ISO 29190, to : “Privacy Capability Assessment Model”.
For completeness (and to minimise the risk of a further iteration) I
retain the following passage from the previously circulated version of
the document:
“As has been noted by WG 5 members, the phrase "Capability Maturity
Model" - which features in the current work package for N8286 (ISO
29190) is encumbered by a "Service Mark", held by Carnegie Mellon
University (CMU). On enquiry, CMU say that they do object to unlicensed
use of the phrase, and have in the past issued "cease and desist"
notices to enforce their position.
Without wishing to comment on that stance in any way, I suggest we
simply adopt a descriptive phrase which encapsulates the aim of our
document - and I propose Privacy Capability Assessment [Framework].
This avoids any issues associated with the phrase "Capability Maturity
Model", and summarises what the document is about: that is, it is a tool for
helping an organisation assess its capability to achieve good
privacy outcomes.
The proposed title also has the advantage that it leaves the way open for
- Privacy Capability Assessment Criteria
- Privacy Capability Assessment Programme(s)
- Privacy Capability Assessment Service(s)
to be defined and documented as and when that may become appropriate.”
In the light of other NB comments received since the Melaka meeting, I
make the following addition to the above list:
- Privacy Capability Assessment Criteria
- Privacy Capability Assessment Programme(s)
- Privacy Capability Assessment Service(s)
- Privacy Capability Management
I hope this proposal meets with your approval.
Robin Wilton
Acting Editor
Introduction
1.1 Purpose
The aim of this document is to provide organisations with high-level guidance
about how to assess the maturity of their ability to manage and achieve
privacy-related outcomes. One challenge in formulating such guidance is that the
issue of privacy management is a multi-faceted one:
● the decision support information useful to a senior executive in
formulating and executing privacy strategy is different from the decision
support useful to operational and line-of-business staff – even though their
various activities may all ultimately be directed towards the same goal;
● there are likely to be multiple “privacy stakeholders” (that is, parties who
have an interest in the way the organisation in question manages privacy);
those stakeholders may impose very different requirements – for example,
driven by legal and regulatory compliance requirements, but also by an
inter-related group of “good practice” factors such as policy, code-of-conduct,
business risk, audit, personal privacy, reputational and/or
financial imperatives.
This broader, good practice context is important because it is perfectly possible
for an organisation to meet its legal/regulatory compliance obligations and still
suffer significant damage if it fails to address the requirements of the other
stakeholders. An assessment of the organisation's capabilities in this area, then,
will have to meet two principal sets of criteria:
1. It must provide the organisation with information which is useful to the
appropriate level or levels of management;
2. It should cater for the fact that “capability” needs to be assessed in many
different domains (legal compliance, risk management, reputation and so
on).
1.2 Intended audience
This document is aimed at those individuals responsible for directing, managing
and operating an organisation's privacy management capabilities, or those
responsible for advising that stakeholder group. As indicated above, that implies
that the capability model will consider multiple kinds of privacy stakeholder
requirement, and will result in guidance to multiple levels of readership, from
enterprise strategists to operational and line-of-business managers.
However, this document is not intended as a comprehensive manual for each
identified set of stakeholder requirements. For example, it would be beyond its
scope to document the audit procedures appropriate to an enterprise privacy
policy (though it is within scope to indicate the role that audit should play in
contributing to that policy). The Capability Assessment Model, then, should be
seen as a first step in a longer process. That first step should be aimed at
producing a “snapshot” (assessment) of the organisation's current capabilities in
the area of privacy.
There are many ways in which an organisation might choose to make use of such
a snapshot in guiding its future decisions and actions. As indicated in the editor's
note (see Introduction above), the Capability Assessment Model might be a prelude
to the definition of formal assessment criteria, assessment programmes,
assessment services, and thence also to equivalent models for Management, as
opposed to Assessment. (NB – the result of such a development would, of course,
have to avoid a further clash with the Carnegie Mellon “Service Mark” - but use
of the phrase “Capability Management Model” should satisfy both requirements.)
Information technology – Security techniques –
Privacy capability assessment model*
* for more details regarding the proposed title change please see the section
"Introduction" in this document
1 Scope
The intent of this International Standard is to provide organisations with high-level
guidance about how to assess their capability to achieve privacy-related outcomes.
In particular, it:
● specifies a set of levels for privacy capability assessment
● specifies key functional areas against which privacy capability should be assessed
(legal compliance, stakeholder expectations, risk to the organisation)
● provides guidance on how to map the levels of assessment onto an enterprise
privacy model.
2 Normative references
[For the time being I have opted not to populate this section, which is meant to
contain only references to those referenced documents which are “indispensable
for the application of” 20190. I propose that we start by populating a bibliography
with those documents which are potentially relevant to 29190 and then “promote”
any which are considered to be indispensable.]
3 Terms and definitions
It is not the intention of 29190 to develop its own glossary. If 29190 finds it needs
to use particular terms in a specific way (for instance “persona”, “contextual
integrity” etc.) which is not already reflected in a reference glossary, 29190 will
include an internal description of the use of the term, and action will be taken to
propose its inclusion in a reference glossary.
4 Symbols and abbreviated terms
5 Relationships to other privacy assurance approaches
This section should reflect two separate pieces of work:
(i) a conceptual analysis of how privacy capability assessment relates to any
subsequent privacy management disciplines such as self-assessment, audit,
codes of practice, regulatory and legislative requirements, governance and
so on;
(ii) the results of a high-level survey of current programmes in this area...
recognizing that this data will be ephemeral and therefore included strictly
as interim guidance and not for normative purposes.
Amongst these may be some or all of the following:
5.1 Self-assessment tools
5.2 Audit
5.3 Industry and/or professional codes of practice (for instance, from
highly regulated industries such as financial services, defence etc.,
or from bodies such as ISACA and/or IAPP)
5.4 “Management” equivalents of the “Assessment” documents (defining
frameworks, processes and criteria which enable the organisation to act
on the results of the Assessment).
6 Maturity models
6.1 Background
In the current global environment, there is a tendency towards collection, use,
disclosure and retention of more and more personal information, for purposes
ranging from national security and law enforcement to support for business
operations. As is evident from the almost daily notification of privacy breaches,
much more work is required on the part of organizations to adequately protect the
personal information that they are collecting, using, disclosing and retaining, as
required by relevant legislation and regulation.
One way to develop and refine an organization’s processes is to begin with an
assessment of their existing capabilities in this area. A capability assessment
model [such as is defined by ISO 15540] is a structured collection of elements
that describe the characteristics of effective processes. In the form documented
by ISO 15540, the model allows an organization to rate its processes on the
following scale:
0. Incomplete
1. Performed
2. Managed
3. Established
4. Predictable
5. Optimizing
With some refinement, the model can be used to assess how mature an
organization is with respect to, for instance, protecting personal information as
required by relevant legislation and regulation. A maturity model can also be used
as a benchmark for comparing different organizations where there is something
that can be used as a basis for comparison. For the purposes of this document, the
basis for comparison would be the organizations’ processes for handling personal
information in a manner compliant with legislation, regulation and relevant good
practice.
A maturity model typically involves the following aspects:
a) Maturity Levels: a layered framework providing a progression to the discipline
needed to engage in continuous improvement. It is important to note that an
organization develops the ability to assess the impact of a new practice,
technology or tool on their business activities. Hence it is not a matter of
adopting these, rather it is a matter of determining how innovative efforts
influence existing practices.
This empowers projects, teams, and organizations by giving them the foundation
to support reasoned choice.
b) Key Process Areas: a Key Process Area (KPA) identifies a cluster of related
activities which, when performed collectively, achieve a set of goals considered
important.
c) Goals: the goals of a key process area summarize the states that must exist for
that key process area to have been implemented in an effective and lasting way.
The extent to which the goals have been accomplished is an indicator of how much
capability the organization has established at that maturity level. The goals signify
the scope, boundaries and intent of each key process area.
d) Common Features: common features include practices that implement and
institutionalize a key process area.
Common features are frequently defined as: Commitment to Perform; Ability to
Perform; Activities Performed; Measurement and Analysis; and Verifying
Implementation.
e) Key Practices: the key practices describe the elements of infrastructure and
practice that contribute most effectively to the implementation and
institutionalization of the key process areas.
The objective of the document is to provide guidance to organizations on
assessing how mature they are with respect to compliance with privacy and data
protection legislation and relevant good practice. The document will focus on
assessing those activities organizations should carry out in order to demonstrate
such compliance.
6.2 General
This section should contain brief background information on the subject of
maturity models and their applicability to the adoption and management of
innovative technology.
“S-curves”
For instance the section could include reference to the outputs from the PRIME
project by John Borking and others, citing the work of Richard Nolan, Watts
Humphreys and Everett Rogers in describing the application of an “S-curve”
model to the analysis of innovation adoption. This work reflected French
sociologist Gabriel Tarde's much earlier (Les lois de l'imitation - 1890)
observation that cultural diffusion of innovation often follows an s-shaped curve.
This is relevant because in many aspects privacy management is still a nascent set
of disciplines, some of which are gaining adoption at different rates from others.
6.3 Key performance indicators
“S-curves” and maturity models
This section should aim to describe sets of key performance indicators by using
the “s-curve” concept to map privacy disciplines onto maturity criteria such as
those set out in section 7, below, and the following high-level list:
1. conceptual framework
2. legal context
3. implementation readiness
4. process readiness
5. regulatory and compliance criteria
6. adoption culture/behaviour
6.4 Maturity levels
The two preceding sections provide a general introduction to the idea of capability
models (and how they relate to the adoption of innovation by organisations over
time), and sets of criteria against which the organisation's behaviour can be
assessed. However, as mentioned above, the classic maturity model introduces a
further level of conceptual metric, based on the six levels mentioned:
1. Incomplete
2. Performed
3. Managed
4. Established
5. Predictable
6. Optimizing
There is benefit in including this level of conceptual metric, as it is of more use
(to the corporate executive responsible) than some of the more detailed analysis
and audit results which one could expect from assessment at the “key
performance indicator” level.
In other words, 29190 as a whole has the potential to guide organisations towards
the production of several different kinds of output:
● an over-all “score” against a simple capability assessment such as the six-level
model above;
● a set of metrics indicating assessment against key performance indicators in
areas such as those listed under (6.2) and in section 7;
● the detailed outputs from audit and management disciplines in specific areas
of privacy and data management (for instance, assessment against data
protection criteria, data custody best practice, and so on).
A suggested framework for these outputs is as follows (cf. AFNOR comment
FR4, in N8750 Attachment 1):
1. Assessment of the level of privacy maturity which is appropriate to the
organisation, given its purpose, function, risk assessment etc.
- The aim would be to create a short questionnaire (10-15 questions, aimed at
senior stakeholders) which creates this “target” score for the organisation.
2. Assessment of the actual, current levels of maturity for each key process
area in the organisation
- For each such key process area, the current maturity level would be
summarised in a paragraph explaining why one of the six defined
levels has been assigned.
3. Advice on how to improve key process area maturity levels to bring them
from the “actual/observed” to the “target” level
- These recommendations and advice would be likely to depend on (or
refer to) the kinds of other standard/asset referred to in Section 1
Scope, Sub-section 1.2 Intended Audience – namely, Capability
Assessment Criteria, Programmes, Services and a possible Capability
Management Model.
7 Privacy capability assessment model
7.1 General
[I have deferred populating this section until the group has had an
opportunity to review and comment on the changes made so far]
7.2 Key performance indicators
7.2.1 Inventory. The organization's understanding of its processing of
personal information, including its accounting of the processes, systems,
databases, and third parties involved with processing personal information.
7.2.2 Policy. The corporate and business unit policies over privacy and
the use (from collection to destruction) and protection of personal
information.
7.2.3 Governance. The roles and responsibilities for managing the use
and protection of personal information at the corporate and business unit
levels.
7.2.4 Risk Management. An approach for managing privacy risk and
business compliance across the organization, addressing the use of
technologies, and dealing with the trans-border and multi-jurisdictional
challenges.
7.2.5 Procedures & Controls. Procedures and controls to actively
enforce policy and other compliance obligations, and monitoring of those
procedures and controls to ensure they remain intact and effective.
7.2.6 Information Security. Managing the confidentiality, integrity, and
availability of personal information and the related information technology
used to collect, use, transfer, retain, and destroy the information.
7.2.7 Third Party Management. Third party risk management
processes that account for privacy, including performing due diligence
during the selection process, putting controls in place—both contractually
and for the secure transfer of the information—and building a solid basis
of confidence that the third parties using the personal information can
protect it and govern its use.
7.2.8 Compliance. The company's program to manage compliance with
policy, regulations, and other obligations around the use and protection of
personal information.
7.2.9 Incident Management. The process, documented in a
comprehensive plan, which provides an effective and orderly response to
incidents and potential incidents involving personal information.
7.2.10 Training & Awareness. General and tailored training related to
the organization’s use and protection of personal information, supported
by an ongoing awareness program and related guidance.
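The three outputs suggested in section 6.4 (a target level from a senior-stakeholder questionnaire, an observed level for each key process area, and advice ordered by the shortfall between the two) can be expressed as a small gap-analysis routine over the six-level scale and the ten key process areas of section 7.2. The following Python is an added illustration, not text or tooling from the draft or from the WG: the questionnaire questions, the scoring rule (start at level 1 and add one level per risk factor answered "yes", capped at 5), the choice of the minimum observed level as the overall score, and all sample figures are assumptions made for the example.

```python
from dataclasses import dataclass

# The six capability levels of section 6.4, indexed 0-5 as in the
# ISO 15504-style scale of section 6.1 (0 = Incomplete ... 5 = Optimizing).
LEVELS = ("Incomplete", "Performed", "Managed", "Established",
          "Predictable", "Optimizing")

# The ten key process areas of section 7.2.
KEY_PROCESS_AREAS = (
    "Inventory", "Policy", "Governance", "Risk Management",
    "Procedures & Controls", "Information Security",
    "Third Party Management", "Compliance", "Incident Management",
    "Training & Awareness",
)


def check_level(level: int) -> int:
    """Reject anything outside the 0-5 ordinal scale; levels are ranks, not sums."""
    if not isinstance(level, int) or not 0 <= level < len(LEVELS):
        raise ValueError(f"level must be an integer 0-{len(LEVELS) - 1}, got {level!r}")
    return level


def target_level(answers: dict[str, bool]) -> int:
    """Output 1 of section 6.4: the target level derived from the questionnaire.
    Scoring rule is an assumption for this example: start at level 1 (Performed),
    add one level per risk factor answered 'yes', cap at 5 (Optimizing)."""
    return min(1 + sum(1 for yes in answers.values() if yes), len(LEVELS) - 1)


@dataclass(frozen=True)
class Gap:
    area: str
    observed: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.observed

    def summary(self) -> str:
        """Output 2 of section 6.4: one line stating the level assigned to an area."""
        return (f"{self.area}: {LEVELS[self.observed]} ({self.observed}) "
                f"vs target {LEVELS[self.target]} ({self.target}), gap {self.size}")


def gap_analysis(observed: dict[str, int], target: int) -> list[Gap]:
    """Outputs 2 and 3 of section 6.4: compare every key process area with the
    target and order shortfalls largest first, so improvement advice starts
    where the organisation is furthest behind. Every section 7.2 area must be
    assessed; an unassessed area cannot silently count as 'no gap'."""
    check_level(target)
    missing = set(KEY_PROCESS_AREAS) - observed.keys()
    if missing:
        raise ValueError(f"no assessment recorded for: {sorted(missing)}")
    unknown = observed.keys() - set(KEY_PROCESS_AREAS)
    if unknown:
        raise ValueError(f"not a section 7.2 key process area: {sorted(unknown)}")
    gaps = [Gap(area, check_level(observed[area]), target) for area in KEY_PROCESS_AREAS]
    return sorted(gaps, key=lambda g: (-g.size, g.area))


def overall_score(observed: dict[str, int]) -> int:
    """The single 'score' of section 6.4. Assumption for this example: the
    organisation is only as mature as its weakest key process area, so the
    overall level is the minimum rather than the average (an average would let
    a strong Policy score mask an Incomplete Incident Management process)."""
    return min(check_level(level) for level in observed.values())


# Constructed sample input for a hypothetical organisation; no figure here
# comes from the document.
SAMPLE_ANSWERS = {
    "processes special categories of personal data": True,
    "transfers personal data across borders": True,
    "relies on third parties for processing": True,
    "subject to sector-specific regulation": False,
}
SAMPLE_OBSERVED = {
    "Inventory": 2, "Policy": 3, "Governance": 2, "Risk Management": 1,
    "Procedures & Controls": 2, "Information Security": 3,
    "Third Party Management": 1, "Compliance": 2,
    "Incident Management": 0, "Training & Awareness": 2,
}

if __name__ == "__main__":
    target = target_level(SAMPLE_ANSWERS)
    print(f"target level: {LEVELS[target]} ({target})")
    print(f"overall score: {LEVELS[overall_score(SAMPLE_OBSERVED)]}")
    for gap in gap_analysis(SAMPLE_OBSERVED, target):
        if gap.size > 0:
            print("improve", gap.summary())
```

Run as a script, the sample organisation gets a target of Predictable (4), an overall score of Incomplete because Incident Management sits at level 0, and the advice list begins with Incident Management, then Risk Management and Third Party Management. The minimum-rather-than-average choice is the point to argue over when adapting this: it matches the staged reading of a maturity model, where one neglected area caps the claim the organisation can make.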
8 Bibliography
This section should consist of an annotated list of relevant documents – including
other standards documents applicable to the specific topic of privacy, and a
pointer to appropriate Glossary/Terminology material.