ISACA Privacy Principles and Program Management Guide provides a comprehensive explanation of all things privacy. It is a necessary resource for any auditor about to embark on a privacy audit or for privacy practitioners who need to establish a privacy management program within their organizations.
Across the world, privacy protection is handled in many ways; it is not just different across countries, but also within countries and within industries and sectors as well. This guide explains, in a clear and easy-to-follow manner, the variety of privacy protection legislation and different legal models that exist in many regions of the world.
While the definition of privacy varies this guide includes the following definition differentiating privacy from security: “Privacy is the right of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived.”1
However, due to an inability to agree on a standard/worldwide definition for privacy, the guide sets out an agreed-upon set of privacy categories that can be useful for auditors and anyone wanting to establish a privacy program. Those categories are:
- Privacy of the person
- Privacy of behavior and action
- Privacy of communication
- Privacy of data and image (information)
- Privacy of thoughts and feelings
- Privacy of location and space (territorial)
- Privacy of association
This book considers risk from new and evolving technologies, including social media, evolving cloud and container computing services, mobile applications, big data analytics, Internet of Things (IoT), bring your own device (BYOD) practices, and tracking/surveillance technologies.
There are 14 ISACA privacy principles, though the guide does take a while to get to them, first acknowledging the context, background and changes in this arena over the years. These privacy principles are clearly defined and mapped to other major privacy frameworks such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)’s ISO/IEC 29100:2011.
The guide incorporates how ISACA’s COBIT 5 framework can support the development or auditing of privacy management by covering the five governance and management principles. The guide also explains how the COBIT 5 enablers can be adapted to build and maintain a privacy program.
The book includes high-level guidance for implementing a privacy management program. This could also be used by auditors when reviewing how an organization has gone about establishing its privacy management program. This guidance includes considering the context in which personal information is collected, ensuring the appropriate privacy protection environment is created to match the business environment, recognizing and addressing privacy pain points, enabling privacy protection change, and implementing a life cycle approach to privacy governance and management.
The guide includes five appendices containing information on legislative instruments and legal actions pertaining to privacy from most regions of the world; privacy standards, frameworks and self-regulation programs by industry, country and region, and sometimes even by city; certifications that can be obtained relating to privacy; and a range of non-ISACA privacy principles.
The guide covers all aspects related to privacy management and is highly recommended, as it provides some essential points for privacy officers, IT auditors, data managers/stewards, audit and risk committee members, and senior executive officers in any organization and industry.
Editor’s Note
ISACA Privacy Principles and Program Management Guide is available from the ISACA Bookstore. For information, visit 1q3y.39680a.com/bookstore, contact Support or telephone +1.847.660.5650.
Endnotes
1 ISACA, ISACA Privacy Principles and Program Management Guide, USA, 2017, p. 13
Reviewed by Diana M. Hamono, CISA, CGEIT, COBIT 5 Foundation
An executive director in the governance, risk and assurance team at Synergy Group in Canberra, Australian Capital Territory, Australia, and a past president of the ISACA Canberra Chapter.