Contributing to standards, consolidating continuous risk management
There exist many different standards that include risk management aspects in all sorts of disciplines. Beawre's solutions are built taking into consideration the most relevant standards for our business. The most relevant and generic one is ISO 31000:2018 "Risk management - Guidelines". This standard provides guidelines on managing the risk faced by organizations, and they can be customized to any organization and its context. It provides a common approach to managing any type of risk and is not industry or sector specific. Therefore, it can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels. Because it is the most generic standard describing risk management activities and it is agnostic to any particular context, we take it as the general reference for our Risk Management solutions. There exist more specific standards, applied to more specific contexts such as security (e.g. ISO/IEC 27001:2013) and privacy (e.g. ISO/IEC 29134:2017), that are also useful to make sure that our solutions take into consideration the main directions most organizations follow when deciding how to effectively implement continuous risk management, or simply how to manage risk in complex digital systems.
At Beawre, we work to impact the way risk management is performed in all possible ways. In order to change the world, it is important to influence those standards to make sure they include important concepts such as continuous risk management. Because of this, we leverage our network of partners in Europe to actively contribute to ongoing standardization efforts and to influence different initiatives related to risk management. For instance, we have organized periodic discussions about efforts related to risk management and actively discussed the evolution of several standards-related initiatives with one of our partners, Trialog. Antonio Kung (CEO of Trialog) is an ISO liaison.
Out of these discussions and joint work, in the context of PDP4E and ENACT H2020 Projects funded by the EU, we have found a way to contribute to standards including risk management as an essential piece. In particular, these are our main contributions to ongoing standardization efforts:
We have influenced the “ISO/IEC 3rd DTS 27570 – Privacy protection — Privacy guidelines for smart cities” working draft. In particular, this document proposes guidelines for smart city processes, where guidance is provided for each process on governance, on data management, on risk management, on engineering and on citizen engagement. Specifically, these guidelines recommend establishing a risk management process to assess privacy impact. This document tackles integration challenges in smart cities, including maintaining trust in services where the integration of multiple concerns such as security, privacy, safety and resilience is needed. This concern is highly coupled with the need for building trustworthy smart IoT systems. For instance, the increasing combination of data points may raise the risk of creating personal data, bringing new vulnerabilities. Risk management is suggested there both for ecosystem coordination and for organizations. In particular, we have reviewed and discussed the methodology to establish and implement the risk management process of the smart city service viewed as a system of systems, emphasizing the need for implementing continual improvement in the risk management process. Apart from this, smart city privacy processes dealing with risk management may follow these standards: information security risk management (ISO/IEC 27005), privacy impact assessment guidelines (ISO/IEC 29134), privacy requirements of smart city information systems (ISO/IEC 27701), and code of practice for PII protection (ISO/IEC 29151).
We have influenced “ISO CD 31700 : Consumer protection – Privacy by design for consumer goods and services”. In particular, the privacy risks associated with consumer products can result from personal data being gathered by a software application or a hardware device. The proliferation of new technology for IoT systems further increases the risk for consumers. We have emphasized the importance of monitoring and continuously updating risk management, and the need for integrating risks of different types.
We have influenced “POMME WD Information technology — Security techniques — Privacy operationalisation model and method for engineering”. POMME can be viewed as operationalising ISO/IEC 29100, describing a process following ISO/IEC/IEEE 24774 (https://www.iso.org/standard/53815.html). This document is motivated by the fact that the complexity of the devices, networks and ecosystems through which personal information flows continues to grow. In particular, this document guides organizations to document identified and implemented privacy controls as part of the organization’s risk assessment. We emphasized the need for improving the visibility and management of operational privacy risks in interdependent applications, systems and associated business processes.
While not always simple for start-ups, any organization has a chance to contribute to shaping the guidelines that will drive industry efforts towards the proper management of risk.