BS ISO/IEC 29190:2015 pdf download-Information technology — Security techniques — Privacy capability assessment model.
4.5 Determine sub-optimal processes Sub-optimal processes (e.g. gaps) should then be identified from the existence of gaps between a target capability and an assessed capability. A gap is said to exist: — if the target capability requires that a particular capability be Fully achieved, while the assessed capability is less than Fully achieved; — if the target capability requires that a particular capability be Largely achieved, while the assessed capability is less than Largely achieved. The potential consequence of a gap depends upon the capability level and process capability where the gap occurs. The assessment should also identify specific areas of process major and minor non-conformance and other recommendations for improvement, as sources for determining sub-optimal processes. It is also important that findings in an assessment should be based on documented evidence or the lack of required evidence to support achieving target level for a business process. 4.6 Identify proposals for changing processes The business goals of an organization in relation to privacy are often centred around: — providing the PII principal with the capacity to perform their rights regarding their PII; — achieving compliance with legislation and regulation. These key management concerns become drivers that initiate process improvement throughout the organization with objectives of: — improving the processing of PII; — ensuring the transparency of processing of PII; — decreasing development and maintenance costs of systems that manage PII; — reducing the risk of breaches of privacy; — improving the processes for dealing with privacy breaches.
5.3 Identify privacy activities and target capabilities This process is a cluster of related activities which, when performed collectively, identify a set of privacy-related procedures. This process offers a focus for applying target capabilities that need to be implemented in an effective and lasting manner. The extent to which this process has been accomplished is an indicator of how much capability the organization has established at each capability level. This also signifies the scope, boundaries and intent of each privacy-related process. There are numerous approaches to assembling these processes and it is outside of the scope of this International Standard to prescribe a single approach. However, to help readers to better understand this requirement, two examples of possible approaches are shown below: First example, a context approach: — conceptual framework; — legal context; — implementation readiness; — process readiness; — regulatory and compliance criteria; — adoption culture/behaviour.