IPEN Wiki - User contributions [en]

ISO

2026-03-15T22:02:26Z

Antoniok: /* PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 7709 IS Security and privacy-preserving guidelines for multi-sourced data processing ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Binsheng Zhang, Heung Youl Youm
|-
| Scope
|
This document provides guidance on identification of the security and privacy risks related to multi-sourced data processing, and related techniques to mitigate the risks. This document is applicable to organizations that use multi-sourced data or provide data services to design and develop multi-sourced data processing related systems, enhancing the security of their data processing activities
|-
| Documentation
|https://www.iso.org/standard/82889.html
|-

| Calendar
|Started in February 2026
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of
[https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7709_Security_and_privacy_reference_architecture_for_multi-party_data_fusion_and_mining_(Started_in_April_2021_and_completed_in_October_2025) PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining]

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchestration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T22:01:47Z

Antoniok: /* 7709 IS Security and privacy-preserving guidelines for multi-sourced data processing */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 7709 IS Security and privacy-preserving guidelines for multi-sourced data processing ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Binsheng Zhang, Heung Youl Youm
|-
| Scope
|
This document provides guidance on identification of the security and privacy risks related to multi-sourced data processing, and related techniques to mitigate the risks. This document is applicable to organizations that use multi-sourced data or provide data services to design and develop multi-sourced data processing related systems, enhancing the security of their data processing activities
|-
| Documentation
|https://www.iso.org/standard/82889.html
|-

| Calendar
|Started in February 2026
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of
[https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7709_Security_and_privacy_reference_architecture_for_multi-party_data_fusion_and_mining_(Started_in_April_2021_and_completed_in_October_2025) PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining]

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:56:01Z

Antoniok: /* PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 7709 IS Security and privacy-preserving guidelines for multi-sourced data processing ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Binsheng Zhang, Heung Youl Youm
|-
| Scope
|
This document provides guidance on identification of the security and privacy risks related to multi-sourced data processing, and related techniques to mitigate the risks. This document is applicable to organizations that use multi-sourced data or provide data services to design and develop multi-sourced data processing related systems, enhancing the security of their data processing activities
|-
| Documentation
|https://www.iso.org/standard/82889.html
|-

| Calendar
|Started in February 2026
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

Completed study periods and pwis

2026-03-15T21:54:40Z

Antoniok: /* ISO/IEC JTC 1/SC 27 Active Preliminary Work Items */

== Started in 2015 and completed ==

=== Privacy engineering framework (Started in April 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Matthias Reinis 
|-
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|-
| Documentation
| Slides presenting motivation for study period by Antonio Kung: [http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
| Timeline
| <div style="line-height: 20.8px;">
*Contributions by August 15th 2015.
**Contribution from PRIPARE. [http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project: [http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7 Software and systems engineering
**Contribution made by PRIPARE [http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}

=== Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Pascal Pailler, Nat Sakimura, Jaz Hoon Nah 
|-
| Objective
| 
|-
| Documentation
| 
|-
| Comments
|
*Initiated in Jaipur (Oct 2015)
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: [https://abc4trust.eu/ https://abc4trust.eu],, initiated in April 2014 in Hong Kong), with an extended scope
*Completed.
*Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

|}

=== PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri 
|-
| Objective
|
Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

|}

=== Privacy in smart cities (Started in October 2015. Completed in November 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari 
|-
| Objective
|
Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

*Liaison with EIP-SCC mentioned (see [https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]). 

Presentation in Abu Dhabi (October 2016) of intermediate state

*Includes contribution from pripare: [https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]

Presentation in Hamilton (April 2017) of intermediate state

*Includes contribution from pripare [https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines

Proposal for new work item in Berlin (Nov 2017)

|}

== Started in 2016 and completed ==

=== Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
|-
| Objective
|
Collecting errors and correcting inconsistencies

|-
| Documentation
| 
|-
| Comments 
|
*Completed, has led to a draft amendment (with limited scope)

|}
</div>

=== Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Srinivas Poorsala, Antonio Kung 
|-
| Objective
|
*assess the viability of producing guidelines for Privacy in IoT within WG5;
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

|-
|
Documentation

| 
|-
| Comments
|
Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
<div> </div>
|}
</div>
=== Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mathias Reinis, Heung Youl Youm 
|-
| Objective
|
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

|-
|
Documentation

| 
|-
| Comments
|
Terminated due to lack of contributions

|}
</div>

== Started in 2017 and completed ==

=== Guidelines for security and privacy for Internet of Things (IoT) (Started in April 2017 - Completed in November 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
| Leaders
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
|-
| Objective
| prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|
Documentation

| 
|-
| Comments
|
Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).

Kickoff expected in Wuhan in WG4

|}
</div>

=== Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
|-
| Objective
| 
|-
|
Documentation

| 
|-
| Comments
|
Has resulted in a NWIP

|}
</div>

=== Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Christophe Stenuit, Joanne Knight
|-
| Objective
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks 
|-
|
Documentation

| 
|-
| Comments 
| New work item proposal
|}
</div>
=== Identify assurance framework (Started in April 2017. Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Patrick Curry, Anthony Nadalin
|-
| Objective
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>
=== Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/duration
|
April 2017 / 18 months

|-
| Leaders
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Objective
| define frameworks of user-centric PII handling based on privacy preferences of users
|-
|
Documentation

| 
|-
| Comments
|
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See [https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]

In Berlin (November 2017),  it was decided to consider 3 options

*extension of 29101
*definition of a generic model
*defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

|}
</div>

=== Concept of PII Deletion (Started in November 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman 
|-
| Objective
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>

== Started in 2018 and completed ==

=== Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, 
|-
| Objective
|
 Create an initial draft of a new SD that would provide:

*The scope of the identity standards landscape
* Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
*A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
* A register of alignment issues that have been accepted as needing to be resolve
*Develop a proposal for the process of maintaining the standing document that includes:

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Malcom Townsend, Heung Youl Youm
|-
| Scope
|
This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Privacy consideration in practical workflows (Started in April 2018, completed in April 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mickey Cohen 
|-
| Objective
|
The scope of this study period is to collect contributions:

(1) On workflows describing '''use-cases''' where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy

|-
| Documentation
|

|-
| Comments
|

|}

=== Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Christophe Stenuit, Kai Rannenberg

|-
| Objective
|
''S''olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document

|-
|
Documentation

| 
|-
| Comments
|

|}

=== Use case for identity assurance (Started in October 2018, completed in September 2020) ===

<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Tony Nadalin, Patrick Curry

|-
| Objective
|
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

|-
| Objective
|
Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
*to review the new threats to privacy which AI can create,
*to review how AI can be used by deploying improved privacy controls, and
*to provide recommendations for standardization work.

Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701

Is further extended 6 months to study the integration of security

|-
|
Documentation

|
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|
IEEE Ethically Aligned AI

|
[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]

|-
| Ethics guidelines for trustworthy AI 
| [https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112] 
|-
| Privacy Commissioners declaration  
| [https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf] 
|-
| AI as a Disruptive Opportunity and Challenge for Security 
| [https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf] 
|-
| The impact of AI on life cycle processes 
| [https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf] 
|-
| Asilomar principles
| [https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles] 
|-
| Malicious AI report
| [https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp]; 
|-
| Privacy and Freedom of Expression In the Age of Artificial Intelligence  
| [https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence] 
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able? 
|
[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]

|-
| Australian Human Rights Commission report on Human Rights and Technology 
| [https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf] 
|}

|-
| Comments
|
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701

A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started

|}
</div></div>

== Started in 2019 and completed ==

=== Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Hans Hedbom, Alan Shipman 
|-
| Objective
|
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.

|-
| Comments
|

|}

=== Consent receipts and records (Started in April 2019, completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Collin Wallis, Andrew Hughes 
|-
| Objective
|
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy engineering model (Started in April 2019, Completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala
|-
| Objective
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
|-
| Documentation
|

|-
| Comments
|
As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established

|}
</div>

=== Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020)) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Alan Shipman

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy for Fintech services (Started in October 2019, completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra

|-
| Objective
|
Objectives

*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.

|-
| Documentation
|

|-
| Comments
|

|}
</div>

== Started in 2020 and completed ==

=== PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Ryan Ko, Jan de Meer, Yi Zhang

|-
| Proposed Scope
|
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.

The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.
|-
| Documentation
|

|-
| Comments
|
Is a WG4 project

1st report Nov 2020

2nd report March 2021

3rd report May 2021

4th report Oct 2021

5th report Feb 2022

6th report April 2021

7th report July 2022

Draft for proposed new project September 2022

|}
</div>

=== PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
'''Phase 1 (completed):''' Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei, Volker Smoljko

'''Phase 2 (completed):''' Antonio Kung, Lenora Zimmerman

|-
| Objective
|
'''Phase 1 (completed): '''The PWI has the objective to investigate the possibility to propose one or several documents

*Part 1: a TR providing
**guidance on how to assess the impact of security and privacy of AI use cases,
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
*Part 2: a TS providing
**an overview of privacy concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
*Part 3: a TS providing
**an overview of security concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate

The following work will be carried out in the PWI:

*extend the content of the study period report with the following
**analysis of TR 24030 use cases from a security viewpoint,
**identification of standards for which specific recommendations concerning AI would be useful,
**identification of AI standards for which specific recommendations concerning security and privacy would be useful;
**identification of specific security controls; and
**whatever contributions that matches the intended content of part 1, part 2, and part 3.
*transform the report into a set of three documents that can be submitted as draft TR and TS;
*make a recommendation on the way to proceed concerning the three documents;

'''Phase 2 (completed): '''Guidance on addressing privacy protection for artificial intelligence systems

*Currently discussed scope: 

This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.

|-
|
Documentation

|
1st PWI report was published in April 2021.

2nd PWI report was published in October 2021

|-
| Comments
|
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2020

Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial intelligence)

Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems
Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection

|}
</div></div>

=== PWI 6102 Guidance on illustrative processes of a privacy information management system (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Vishnu Kanhere

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|
Was cancelled because of lack of progress

|}
</div>

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021 and completed in October 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Started in 2021 and completed ==

=== PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla 

|-
| Objective
|
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces.

|-
| Documentation
|

|-
| Comments
|
Completed, transformed into a NWIP 27565

|}
</div>

=== PWI 7732 Age verification (Started in April 2021, completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen

|-
| Objective
|
Study the possibility to submit a new work item

*Age Verification Systems –Part 1: Framework, Levels of Assurance and Privacy Protection
*Age Verification Systems –Part 2: Conformity Assessment
*Age Verification Systems –Part 3: Interoperability

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
Completed and transformed into project proposal 27566

|}
</div>
=== PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021, completed in April 2024) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng
|-
| Scope
|
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures.

This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems.

|-
| Documentation
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html] 
|-
| Calendar
|
*1st PWI was provided in May 2022

|-
| Comments
|
Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:

**1st WD was provided in January 2019
**2nd WD was provided in April 2019
**3rd WD was provided in October 2019
**4th WD was provided in May 2020
**5th WD was provided in November 2020
**6th WG was provided in March 2021
**Project was restarted as a PWI in April 2021 with a new scope

It seems that the project will focus on security only
*1st PWI provided in May 2022
*2nd PWI provided in March 2023
*3rd PWI provided in October 2023
*NP in February 2024
|}

=== PWI 27564 Privacy models (Started in October 2021, completed in April 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba

|-
| Objective
|
Scope: PWI will study the value of specifying and maintaining privacy models

Tasks:

*Study use cases, e.g., connected vehicles, data spaces
*Define models of interest, e.g., protection models, engineering models, ecosystem models.
*Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7
*Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering
*Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317…

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
completed and transformed into project prposal TS 27564
|}
</div>

== Started in 2022 and completed ==

=== PWI 27568 Security and privacy of digital twins (Started in October 2022 completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich

|-
| Objective
|

The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins.

A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the April 2023 meeting.
*A second report was provided at the October 2023 meeting.
*A third report was provided at the April 2024 meeting.
*A proposal for a NP was provided at the March 2025 meeting.
|-
| Comments
|
Completed and transformed in TS 27568 Proposal
|}
</div>

== Started in 2023 and completed ==

=== PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Le Yu, Victoria Hailey, Jinghua Min
|-
| Scope
|
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

|-
| Documentation
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html] 
|-
| Calendar
|
*1st WD was provided in October 2019
*2nd WD was provided in June 2020
*3rd WD was provided in November 2020
*4th WD was provided in April 2021
*5th WD was provided in April 2022
*1st CD was provided in October 2022
*Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)
*Project cancelled in September 2025
|-
| Comments
| Is a WG4 project
|}

=== PWI 27566 IS Age assurance - Part 2: Interoperability, technical architecture and guidelines for use (started in November 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document provides guidelines for interoperability, technical architecture and use of age assurance
systems.

|-
| Documentation
|
|-
| Calendar
|
*Started in November 2023
*1st PWI text provided in December 2023
*2nd PWI text provided in March 2024
*NP voted on September 2024
|-
| Comments
|
Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Completed in September 2024 and replaced by a work item
|}
<div class="_"></div>



== Started in 2024 and completed ==

=== PWI 27569 Personal identifiable information (PII) processing record information structure (Started in April 2024, completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Jan Lindquist
|-
| Objective
|

This document specifies an interoperable, open, and extensible information structure for recording
information relevant to the processing of Personally Identifiable Information (PII). This document further
provides guidance on the use of this information to support the:

*provision of a record of PII processing to another entity within or outside the organisation;
*provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;
*exchange of PII processing information i.e. information on how PII is processed between information
systems; and,
*management of the lifecycle of PII processing as based in the use of specific lawful basis.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the October 2024
|-
| Comments
|
Completed and led to 2nd edition of ISO/IEC 27560

|}
</div>

=== PWI 27573 Privacy protection of user avatar and system avatar interactions in the metaverse (Started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Objective
|

The necessity for a section on considerations regarding personal information in Metaverse standards and Specifications is emphasized. This is due to the direct impact on personal information by PII (Personally Identifiable Information) or related data subject information identification mechanisms.

MSPA (Meta Standard Privacy Assessment) is utilized as a methodology for evaluating the impact on personal information, reviewing the necessity of introducing privacy protection or controls by assessing privacy protection requirements and potential threats in standards or specifications.

This process also aids in analyzing and documenting potential damages that may occur to individuals.

This document contains a framework for protecting personal information during interactions between user avatars and system avatars in the Metaverse. It shall specify the requirements for:

*categorizing and managing the information generated and used by user avatars and system avatars;
*protecting the privacy of user avatars and personal data in the Metaverse.
|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Report provided in September 2029
*Second report provided in March 2025 with a proposal for a new project 27573 and a new PWI Privacy in metaverse frameworks
|}
</div>

=== PWI 27574 Privacy in brain-computer interface (BCI) applications (started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoty kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Objective
|

This standard provides requirements and guidelines on privacy for Brain Computer Interface
Applications. It provides privacy controls specific to Brain Computer Interface Applications
to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC
27701.

|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Proposal for study in April 2024
*Report provided in September 2024
*NWIP proposal provided in February 2025
|}
</div>

Completed study periods and pwis

2026-03-15T21:53:14Z

Antoniok: /* PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) */

== Started in 2015 and completed ==

=== Privacy engineering framework (Started in April 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Matthias Reinis 
|-
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|-
| Documentation
| Slides presenting motivation for study period by Antonio Kung: [http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
| Timeline
| <div style="line-height: 20.8px;">
*Contributions by August 15th 2015.
**Contribution from PRIPARE. [http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project: [http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7 Software and systems engineering
**Contribution made by PRIPARE [http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}

=== Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Pascal Pailler, Nat Sakimura, Jaz Hoon Nah 
|-
| Objective
| 
|-
| Documentation
| 
|-
| Comments
|
*Initiated in Jaipur (Oct 2015)
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: [https://abc4trust.eu/ https://abc4trust.eu],, initiated in April 2014 in Hong Kong), with an extended scope
*Completed.
*Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

|}

=== PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri 
|-
| Objective
|
Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

|}

=== Privacy in smart cities (Started in October 2015. Completed in November 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari 
|-
| Objective
|
Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

*Liaison with EIP-SCC mentioned (see [https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]). 

Presentation in Abu Dhabi (October 2016) of intermediate state

*Includes contribution from pripare: [https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]

Presentation in Hamilton (April 2017) of intermediate state

*Includes contribution from pripare [https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines

Proposal for new work item in Berlin (Nov 2017)

|}

== Started in 2016 and completed ==

=== Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
|-
| Objective
|
Collecting errors and correcting inconsistencies

|-
| Documentation
| 
|-
| Comments 
|
*Completed, has led to a draft amendment (with limited scope)

|}
</div>

=== Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Srinivas Poorsala, Antonio Kung 
|-
| Objective
|
*assess the viability of producing guidelines for Privacy in IoT within WG5;
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

|-
|
Documentation

| 
|-
| Comments
|
Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
<div> </div>
|}
</div>
=== Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mathias Reinis, Heung Youl Youm 
|-
| Objective
|
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

|-
|
Documentation

| 
|-
| Comments
|
Terminated due to lack of contributions

|}
</div>

== Started in 2017 and completed ==

=== Guidelines for security and privacy for Internet of Things (IoT) (Started in April 2017 - Completed in November 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
| Leaders
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
|-
| Objective
| prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|
Documentation

| 
|-
| Comments
|
Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).

Kickoff expected in Wuhan in WG4

|}
</div>

=== Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
|-
| Objective
| 
|-
|
Documentation

| 
|-
| Comments
|
Has resulted in a NWIP

|}
</div>

=== Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Christophe Stenuit, Joanne Knight
|-
| Objective
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks 
|-
|
Documentation

| 
|-
| Comments 
| New work item proposal
|}
</div>
=== Identify assurance framework (Started in April 2017. Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Patrick Curry, Anthony Nadalin
|-
| Objective
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>
=== Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/duration
|
April 2017 / 18 months

|-
| Leaders
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Objective
| define frameworks of user-centric PII handling based on privacy preferences of users
|-
|
Documentation

| 
|-
| Comments
|
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See [https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]

In Berlin (November 2017),  it was decided to consider 3 options

*extension of 29101
*definition of a generic model
*defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

|}
</div>

=== Concept of PII Deletion (Started in November 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman 
|-
| Objective
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>

== Started in 2018 and completed ==

=== Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, 
|-
| Objective
|
 Create an initial draft of a new SD that would provide:

*The scope of the identity standards landscape
* Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
*A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
* A register of alignment issues that have been accepted as needing to be resolve
*Develop a proposal for the process of maintaining the standing document that includes:

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Malcom Townsend, Heung Youl Youm
|-
| Scope
|
This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Privacy consideration in practical workflows (Started in April 2018, completed in April 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mickey Cohen 
|-
| Objective
|
The scope of this study period is to collect contributions:

(1) On workflows describing '''use-cases''' where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy

|-
| Documentation
|

|-
| Comments
|

|}

=== Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Christophe Stenuit, Kai Rannenberg

|-
| Objective
|
''S''olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document

|-
|
Documentation

| 
|-
| Comments
|

|}

=== Use case for identity assurance (Started in October 2018, completed in September 2020) ===

<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Tony Nadalin, Patrick Curry

|-
| Objective
|
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

|-
| Objective
|
Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
*to review the new threats to privacy which AI can create,
*to review how AI can be used by deploying improved privacy controls, and
*to provide recommendations for standardization work.

Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701

Is further extended 6 months to study the integration of security

|-
|
Documentation

|
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|
IEEE Ethically Aligned AI

|
[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]

|-
| Ethics guidelines for trustworthy AI 
| [https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112] 
|-
| Privacy Commissioners declaration  
| [https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf] 
|-
| AI as a Disruptive Opportunity and Challenge for Security 
| [https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf] 
|-
| The impact of AI on life cycle processes 
| [https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf] 
|-
| Asilomar principles
| [https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles] 
|-
| Malicious AI report
| [https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp]; 
|-
| Privacy and Freedom of Expression In the Age of Artificial Intelligence  
| [https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence] 
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able? 
|
[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]

|-
| Australian Human Rights Commission report on Human Rights and Technology 
| [https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf] 
|}

|-
| Comments
|
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701

A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started

|}
</div></div>

== Started in 2019 and completed ==

=== Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Hans Hedbom, Alan Shipman 
|-
| Objective
|
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.

|-
| Comments
|

|}

=== Consent receipts and records (Started in April 2019, completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Collin Wallis, Andrew Hughes 
|-
| Objective
|
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy engineering model (Started in April 2019, Completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala
|-
| Objective
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
|-
| Documentation
|

|-
| Comments
|
As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established

|}
</div>

=== Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020)) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Alan Shipman

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy for Fintech services (Started in October 2019, completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra

|-
| Objective
|
Objectives

*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.

|-
| Documentation
|

|-
| Comments
|

|}
</div>

== Started in 2020 and completed ==

=== PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Ryan Ko, Jan de Meer, Yi Zhang

|-
| Proposed Scope
|
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.

The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.
|-
| Documentation
|

|-
| Comments
|
Is a WG4 project

1st report Nov 2020

2nd report March 2021

3rd report May 2021

4th report Oct 2021

5th report Feb 2022

6th report April 2021

7th report July 2022

Draft for proposed new project September 2022

|}
</div>

=== PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
'''Phase 1 (completed):''' Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei, Volker Smoljko

'''Phase 2 (completed):''' Antonio Kung, Lenora Zimmerman

|-
| Objective
|
'''Phase 1 (completed): '''The PWI has the objective to investigate the possibility to propose one or several documents

*Part 1: a TR providing
**guidance on how to assess the impact of security and privacy of AI use cases,
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
*Part 2: a TS providing
**an overview of privacy concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
*Part 3: a TS providing
**an overview of security concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate

The following work will be carried out in the PWI:

*extend the content of the study period report with the following
**analysis of TR 24030 use cases from a security viewpoint,
**identification of standards for which specific recommendations concerning AI would be useful,
**identification of AI standards for which specific recommendations concerning security and privacy would be useful;
**identification of specific security controls; and
**whatever contributions that matches the intended content of part 1, part 2, and part 3.
*transform the report into a set of three documents that can be submitted as draft TR and TS;
*make a recommendation on the way to proceed concerning the three documents;

'''Phase 2 (completed): '''Guidance on addressing privacy protection for artificial intelligence systems

*Currently discussed scope: 

This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.

|-
|
Documentation

|
1st PWI report was published in April 2021.

2nd PWI report was published in October 2021

|-
| Comments
|
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2020

Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial intelligence)

Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems
Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection

|}
</div></div>

=== PWI 6102 Guidance on illustrative processes of a privacy information management system (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Vishnu Kanhere

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|
Was cancelled because of lack of progress

|}
</div>

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021 and completed in October 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Started in 2021 and completed ==

=== PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla 

|-
| Objective
|
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces.

|-
| Documentation
|

|-
| Comments
|
Completed, transformed into a NWIP 27565

|}
</div>

=== PWI 7732 Age verification (Started in April 2021, completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen

|-
| Objective
|
Study the possibility to submit a new work item

*Age Verification Systems –Part 1: Framework, Levels of Assurance and Privacy Protection
*Age Verification Systems –Part 2: Conformity Assessment
*Age Verification Systems –Part 3: Interoperability

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
Completed and transformed into project proposal 27566

|}
</div>
=== PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021, completed in April 2024) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng
|-
| Scope
|
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures.

This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems.

|-
| Documentation
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html] 
|-
| Calendar
|
*1st PWI was provided in May 2022

|-
| Comments
|
Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:

**1st WD was provided in January 2019
**2nd WD was provided in April 2019
**3rd WD was provided in October 2019
**4th WD was provided in May 2020
**5th WD was provided in November 2020
**6th WG was provided in March 2021
**Project was restarted as a PWI in April 2021 with a new scope

It seems that the project will focus on security only
*1st PWI provided in May 2022
*2nd PWI provided in March 2023
*3rd PWI provided in October 2023
*NP in February 2024
|}

=== PWI 27564 Privacy models (Started in October 2021, completed in April 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba

|-
| Objective
|
Scope: PWI will study the value of specifying and maintaining privacy models

Tasks:

*Study use cases, e.g., connected vehicles, data spaces
*Define models of interest, e.g., protection models, engineering models, ecosystem models.
*Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7
*Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering
*Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317…

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
completed and transformed into project prposal TS 27564
|}
</div>

== Started in 2022 and completed ==

=== PWI 27568 Security and privacy of digital twins (Started in October 2022 completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich

|-
| Objective
|

The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins.

A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the April 2023 meeting.
*A second report was provided at the October 2023 meeting.
*A third report was provided at the April 2024 meeting.
*A proposal for a NP was provided at the March 2025 meeting.
|-
| Comments
|
Completed and transformed in TS 27568 Proposal
|}
</div>

== Started in 2023 and completed ==

=== PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Le Yu, Victoria Hailey, Jinghua Min
|-
| Scope
|
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

|-
| Documentation
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html] 
|-
| Calendar
|
*1st WD was provided in October 2019
*2nd WD was provided in June 2020
*3rd WD was provided in November 2020
*4th WD was provided in April 2021
*5th WD was provided in April 2022
*1st CD was provided in October 2022
*Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)
*Project cancelled in September 2025
|-
| Comments
| Is a WG4 project
|}

=== PWI 27566 IS Age assurance - Part 2: Interoperability, technical architecture and guidelines for use (started in November 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document provides guidelines for interoperability, technical architecture and use of age assurance
systems.

|-
| Documentation
|
|-
| Calendar
|
*Started in November 2023
*1st PWI text provided in December 2023
*2nd PWI text provided in March 2024
*NP voted on September 2024
|-
| Comments
|
Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Completed in September 2024 and replaced by a work item
|}
<div class="_"></div>



== Started in 2024 and completed ==

=== PWI 27569 Personal identifiable information (PII) processing record information structure (Started in April 2024, completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Jan Lindquist
|-
| Objective
|

This document specifies an interoperable, open, and extensible information structure for recording
information relevant to the processing of Personally Identifiable Information (PII). This document further
provides guidance on the use of this information to support the:

*provision of a record of PII processing to another entity within or outside the organisation;
*provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;
*exchange of PII processing information i.e. information on how PII is processed between information
systems; and,
*management of the lifecycle of PII processing as based in the use of specific lawful basis.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the October 2024
|-
| Comments
|
Completed and led to 2nd edition of ISO/IEC 27560

|}
</div>

=== PWI 27573 Privacy protection of user avatar and system avatar interactions in the metaverse (Started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Objective
|

The necessity for a section on considerations regarding personal information in Metaverse standards and Specifications is emphasized. This is due to the direct impact on personal information by PII (Personally Identifiable Information) or related data subject information identification mechanisms.

MSPA (Meta Standard Privacy Assessment) is utilized as a methodology for evaluating the impact on personal information, reviewing the necessity of introducing privacy protection or controls by assessing privacy protection requirements and potential threats in standards or specifications.

This process also aids in analyzing and documenting potential damages that may occur to individuals.

This document contains a framework for protecting personal information during interactions between user avatars and system avatars in the Metaverse. It shall specify the requirements for:

*categorizing and managing the information generated and used by user avatars and system avatars;
*protecting the privacy of user avatars and personal data in the Metaverse.
|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Report provided in September 2029
*Second report provided in March 2025 with a proposal for a new project 27573 and a new PWI Privacy in metaverse frameworks
|}
</div>

=== PWI 27574 Privacy in brain-computer interface (BCI) applications (started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoty kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Objective
|

This standard provides requirements and guidelines on privacy for Brain Computer Interface
Applications. It provides privacy controls specific to Brain Computer Interface Applications
to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC
27701.

|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Proposal for study in April 2024
*Report provided in September 2024
*NWIP proposal provided in February 2025
|}
</div>

Completed study periods and pwis

2026-03-15T21:52:40Z

Antoniok: /* Started in 2021 and completed */

== Started in 2015 and completed ==

=== Privacy engineering framework (Started in April 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Matthias Reinis 
|-
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|-
| Documentation
| Slides presenting motivation for study period by Antonio Kung: [http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
| Timeline
| <div style="line-height: 20.8px;">
*Contributions by August 15th 2015.
**Contribution from PRIPARE. [http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project: [http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7 Software and systems engineering
**Contribution made by PRIPARE [http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}

=== Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Pascal Pailler, Nat Sakimura, Jaz Hoon Nah 
|-
| Objective
| 
|-
| Documentation
| 
|-
| Comments
|
*Initiated in Jaipur (Oct 2015)
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: [https://abc4trust.eu/ https://abc4trust.eu],, initiated in April 2014 in Hong Kong), with an extended scope
*Completed.
*Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

|}

=== PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri 
|-
| Objective
|
Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

|}

=== Privacy in smart cities (Started in October 2015. Completed in November 2017) ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Leaders
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari 
|-
| Objective
|
Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

|-
| Documentation
| 
|-
| Comments
|
Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

*Liaison with EIP-SCC mentioned (see [https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]). 

Presentation in Abu Dhabi (October 2016) of intermediate state

*Includes contribution from pripare: [https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]

Presentation in Hamilton (April 2017) of intermediate state

*Includes contribution from pripare [https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines

Proposal for new work item in Berlin (Nov 2017)

|}

== Started in 2016 and completed ==

=== Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
|-
| Objective
|
Collecting errors and correcting inconsistencies

|-
| Documentation
| 
|-
| Comments 
|
*Completed, has led to a draft amendment (with limited scope)

|}
</div>

=== Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Srinivas Poorsala, Antonio Kung 
|-
| Objective
|
*assess the viability of producing guidelines for Privacy in IoT within WG5;
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

|-
|
Documentation

| 
|-
| Comments
|
Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
<div> </div>
|}
</div>
=== Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mathias Reinis, Heung Youl Youm 
|-
| Objective
|
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

|-
|
Documentation

| 
|-
| Comments
|
Terminated due to lack of contributions

|}
</div>

== Started in 2017 and completed ==

=== Guidelines for security and privacy for Internet of Things (IoT) (Started in April 2017 - Completed in November 2017) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
| Leaders
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
|-
| Objective
| prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|
Documentation

| 
|-
| Comments
|
Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).

Kickoff expected in Wuhan in WG4

|}
</div>

=== Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
|-
| Objective
| 
|-
|
Documentation

| 
|-
| Comments
|
Has resulted in a NWIP

|}
</div>

=== Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Christophe Stenuit, Joanne Knight
|-
| Objective
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks 
|-
|
Documentation

| 
|-
| Comments 
| New work item proposal
|}
</div>
=== Identify assurance framework (Started in April 2017. Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Patrick Curry, Anthony Nadalin
|-
| Objective
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>
=== Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/duration
|
April 2017 / 18 months

|-
| Leaders
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Objective
| define frameworks of user-centric PII handling based on privacy preferences of users
|-
|
Documentation

| 
|-
| Comments
|
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See [https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]

In Berlin (November 2017),  it was decided to consider 3 options

*extension of 29101
*definition of a generic model
*defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

|}
</div>

=== Concept of PII Deletion (Started in November 2017. Completed in April 2018) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman 
|-
| Objective
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" 
|-
|
Documentation

| 
|-
| Comments
|

|}
</div>

== Started in 2018 and completed ==

=== Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, 
|-
| Objective
|
 Create an initial draft of a new SD that would provide:

*The scope of the identity standards landscape
* Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
*A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
* A register of alignment issues that have been accepted as needing to be resolve
*Develop a proposal for the process of maintaining the standing document that includes:

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Malcom Townsend, Heung Youl Youm
|-
| Scope
|
This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Privacy consideration in practical workflows (Started in April 2018, completed in April 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Mickey Cohen 
|-
| Objective
|
The scope of this study period is to collect contributions:

(1) On workflows describing '''use-cases''' where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy

|-
| Documentation
|

|-
| Comments
|

|}

=== Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Christophe Stenuit, Kai Rannenberg

|-
| Objective
|
''S''olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document

|-
|
Documentation

| 
|-
| Comments
|

|}

=== Use case for identity assurance (Started in October 2018, completed in September 2020) ===

<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Andrew Hughes, Tony Nadalin, Patrick Curry

|-
| Objective
|
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115

|-
|
Documentation

| 
|-
| Comments
|

|}
</div></div>

=== Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

|-
| Objective
|
Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
*to review the new threats to privacy which AI can create,
*to review how AI can be used by deploying improved privacy controls, and
*to provide recommendations for standardization work.

Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701

Is further extended 6 months to study the integration of security

|-
|
Documentation

|
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|
IEEE Ethically Aligned AI

|
[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]

|-
| Ethics guidelines for trustworthy AI 
| [https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112] 
|-
| Privacy Commissioners declaration  
| [https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf] 
|-
| AI as a Disruptive Opportunity and Challenge for Security 
| [https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf] 
|-
| The impact of AI on life cycle processes 
| [https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf] 
|-
| Asilomar principles
| [https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles] 
|-
| Malicious AI report
| [https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp]; 
|-
| Privacy and Freedom of Expression In the Age of Artificial Intelligence  
| [https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence] 
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able? 
|
[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]

|-
| Australian Human Rights Commission report on Human Rights and Technology 
| [https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf] 
|}

|-
| Comments
|
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701

A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started

|}
</div></div>

== Started in 2019 and completed ==

=== Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Hans Hedbom, Alan Shipman 
|-
| Objective
|
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.

|-
| Comments
|

|}

=== Consent receipts and records (Started in April 2019, completed in October 2019) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Collin Wallis, Andrew Hughes 
|-
| Objective
|
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy engineering model (Started in April 2019, Completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala
|-
| Objective
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
|-
| Documentation
|

|-
| Comments
|
As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established

|}
</div>

=== Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020)) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Alan Shipman

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|

|}
</div>

=== Privacy for Fintech services (Started in October 2019, completed in September 2020) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra

|-
| Objective
|
Objectives

*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.

|-
| Documentation
|

|-
| Comments
|

|}
</div>

== Started in 2020 and completed ==

=== PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Ryan Ko, Jan de Meer, Yi Zhang

|-
| Proposed Scope
|
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.

The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.
|-
| Documentation
|

|-
| Comments
|
Is a WG4 project

1st report Nov 2020

2nd report March 2021

3rd report May 2021

4th report Oct 2021

5th report Feb 2022

6th report April 2021

7th report July 2022

Draft for proposed new project September 2022

|}
</div>

=== PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022) ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
'''Phase 1 (completed):''' Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei, Volker Smoljko

'''Phase 2 (completed):''' Antonio Kung, Lenora Zimmerman

|-
| Objective
|
'''Phase 1 (completed): '''The PWI has the objective to investigate the possibility to propose one or several documents

*Part 1: a TR providing
**guidance on how to assess the impact of security and privacy of AI use cases,
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
*Part 2: a TS providing
**an overview of privacy concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
*Part 3: a TS providing
**an overview of security concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate

The following work will be carried out in the PWI:

*extend the content of the study period report with the following
**analysis of TR 24030 use cases from a security viewpoint,
**identification of standards for which specific recommendations concerning AI would be useful,
**identification of AI standards for which specific recommendations concerning security and privacy would be useful;
**identification of specific security controls; and
**whatever contributions that matches the intended content of part 1, part 2, and part 3.
*transform the report into a set of three documents that can be submitted as draft TR and TS;
*make a recommendation on the way to proceed concerning the three documents;

'''Phase 2 (completed): '''Guidance on addressing privacy protection for artificial intelligence systems

*Currently discussed scope: 

This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.

|-
|
Documentation

|
1st PWI report was published in April 2021.

2nd PWI report was published in October 2021

|-
| Comments
|
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2020

Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial intelligence)

Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems
Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection

|}
</div></div>

=== PWI 6102 Guidance on illustrative processes of a privacy information management system (Started in September 2020, Completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michael Steiner, Vishnu Kanhere

|-
| Objective
|
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2nd WD of ISO/IEC 27022</li>
</ol>

|-
| Documentation
|

|-
| Comments
|
Was cancelled because of lack of progress

|}
</div>

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Started in 2021 and completed ==

=== PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla 

|-
| Objective
|
This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces.

|-
| Documentation
|

|-
| Comments
|
Completed, transformed into a NWIP 27565

|}
</div>

=== PWI 7732 Age verification (Started in April 2021, completed in October 2022) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen

|-
| Objective
|
Study the possibility to submit a new work item

*Age Verification Systems –Part 1: Framework, Levels of Assurance and Privacy Protection
*Age Verification Systems –Part 2: Conformity Assessment
*Age Verification Systems –Part 3: Interoperability

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
Completed and transformed into project proposal 27566

|}
</div>
=== PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021, completed in April 2024) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng
|-
| Scope
|
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures.

This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems.

|-
| Documentation
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html] 
|-
| Calendar
|
*1st PWI was provided in May 2022

|-
| Comments
|
Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:

**1st WD was provided in January 2019
**2nd WD was provided in April 2019
**3rd WD was provided in October 2019
**4th WD was provided in May 2020
**5th WD was provided in November 2020
**6th WG was provided in March 2021
**Project was restarted as a PWI in April 2021 with a new scope

It seems that the project will focus on security only
*1st PWI provided in May 2022
*2nd PWI provided in March 2023
*3rd PWI provided in October 2023
*NP in February 2024
|}

=== PWI 27564 Privacy models (Started in October 2021, completed in April 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba

|-
| Objective
|
Scope: PWI will study the value of specifying and maintaining privacy models

Tasks:

*Study use cases, e.g., connected vehicles, data spaces
*Define models of interest, e.g., protection models, engineering models, ecosystem models.
*Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7
*Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering
*Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317…

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|
completed and transformed into project prposal TS 27564
|}
</div>

== Started in 2022 and completed ==

=== PWI 27568 Security and privacy of digital twins (Started in October 2022 completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich

|-
| Objective
|

The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins.

A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the April 2023 meeting.
*A second report was provided at the October 2023 meeting.
*A third report was provided at the April 2024 meeting.
*A proposal for a NP was provided at the March 2025 meeting.
|-
| Comments
|
Completed and transformed in TS 27568 Proposal
|}
</div>

== Started in 2023 and completed ==

=== PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Le Yu, Victoria Hailey, Jinghua Min
|-
| Scope
|
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

|-
| Documentation
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html] 
|-
| Calendar
|
*1st WD was provided in October 2019
*2nd WD was provided in June 2020
*3rd WD was provided in November 2020
*4th WD was provided in April 2021
*5th WD was provided in April 2022
*1st CD was provided in October 2022
*Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)
*Project cancelled in September 2025
|-
| Comments
| Is a WG4 project
|}

=== PWI 27566 IS Age assurance - Part 2: Interoperability, technical architecture and guidelines for use (started in November 2023) ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document provides guidelines for interoperability, technical architecture and use of age assurance
systems.

|-
| Documentation
|
|-
| Calendar
|
*Started in November 2023
*1st PWI text provided in December 2023
*2nd PWI text provided in March 2024
*NP voted on September 2024
|-
| Comments
|
Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Completed in September 2024 and replaced by a work item
|}
<div class="_"></div>



== Started in 2024 and completed ==

=== PWI 27569 Personal identifiable information (PII) processing record information structure (Started in April 2024, completed in March 2025) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Jan Lindquist
|-
| Objective
|

This document specifies an interoperable, open, and extensible information structure for recording
information relevant to the processing of Personally Identifiable Information (PII). This document further
provides guidance on the use of this information to support the:

*provision of a record of PII processing to another entity within or outside the organisation;
*provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;
*exchange of PII processing information i.e. information on how PII is processed between information
systems; and,
*management of the lifecycle of PII processing as based in the use of specific lawful basis.

|-
| Documentation
|

|-
| Calendar
|
*A first report was provided at the October 2024
|-
| Comments
|
Completed and led to 2nd edition of ISO/IEC 27560

|}
</div>

=== PWI 27573 Privacy protection of user avatar and system avatar interactions in the metaverse (Started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Objective
|

The necessity for a section on considerations regarding personal information in Metaverse standards and Specifications is emphasized. This is due to the direct impact on personal information by PII (Personally Identifiable Information) or related data subject information identification mechanisms.

MSPA (Meta Standard Privacy Assessment) is utilized as a methodology for evaluating the impact on personal information, reviewing the necessity of introducing privacy protection or controls by assessing privacy protection requirements and potential threats in standards or specifications.

This process also aids in analyzing and documenting potential damages that may occur to individuals.

This document contains a framework for protecting personal information during interactions between user avatars and system avatars in the Metaverse. It shall specify the requirements for:

*categorizing and managing the information generated and used by user avatars and system avatars;
*protecting the privacy of user avatars and personal data in the Metaverse.
|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Report provided in September 2029
*Second report provided in March 2025 with a proposal for a new project 27573 and a new PWI Privacy in metaverse frameworks
|}
</div>

=== PWI 27574 Privacy in brain-computer interface (BCI) applications (started in October 2024) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoty kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Objective
|

This standard provides requirements and guidelines on privacy for Brain Computer Interface
Applications. It provides privacy controls specific to Brain Computer Interface Applications
to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC
27701.

|-
| Documentation
|

|-
| Calendar
|

Started in April 2024

|-
| Comments
|
*Proposal for study in April 2024
*Report provided in September 2024
*NWIP proposal provided in February 2025
|}
</div>

ISO

2026-03-15T21:50:15Z

Antoniok: /* 5181 IS Security and privacy - Data provenance */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 7709 IS Security and privacy-preserving guidelines for multi-sourced data processing ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Binsheng Zhang, Heung Youl Youm
|-
| Scope
|
This document provides guidance on identification of the security and privacy risks related to multi-sourced data processing, and related techniques to mitigate the risks. This document is applicable to organizations that use multi-sourced data or provide data services to design and develop multi-sourced data processing related systems, enhancing the security of their data processing activities
|-
| Documentation
|https://www.iso.org/standard/82889.html
|-

| Calendar
|Started in February 2026
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:40:14Z

Antoniok: /* PWI 27575 Privacy for metaverse frameworks (Started in March 2025) */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy framework in the metaverse including support on AI agent orchesgration (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung, Mieko Okuma, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:37:07Z

Antoniok: /* 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIS to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:35:26Z

Antoniok: /* 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:34:41Z

Antoniok: /* 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:34:17Z

Antoniok: /* 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition
| 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:31:33Z

Antoniok: /* 27701:2025 IS Privacy information management systems — Requirements and guidances */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:31:11Z

Antoniok: /* 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:30:30Z

Antoniok: /* 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706:2025 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:28:18Z

Antoniok: /* 27701:2025 IS Privacy information management systems — Requirements and guidances */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:27:51Z

Antoniok: /* 27701:2025 IS Privacy information management systems — Requirements and guidances */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Previous edition 
|
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:25:27Z

Antoniok: /* 27701:2025 IS Privacy information management systems — Requirements and guidances */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:23:46Z

Antoniok: /* 27701:2025 IS Privacy information management systems — Requirements and guidances = */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:20:37Z

Antoniok: /* 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]

ISO

2026-03-15T21:20:01Z

Antoniok: /* 27701 IS Privacy information management systems — Requirements and guidances */

[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]

== Introduction ==

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides)

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in '''ISO/IEC JTC1/SC27/WG5'''''.''The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [https://www.din.de/en/meta/jtc1sc27/downloads [1]]

Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''.''The convenor is '''Faud Khan''', and the vice convenor is '''Johann Amsenga'''

Projects related to consumer protections are carried out within '''ISO PC317''' from 2018 to 2023 and within '''ISO/IEC JTC 1/SC 44 (Consumer protection in the field of privacy by design)''' since 2024, convened by '''Jan Schallaböck'''. This included the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services).

== Some conventions on ISO standards ==

The important things to know concerning ISO standards steps:

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| Standard 
| <ul style="line-height: 18.9090900421143px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>CD: Committee Draft</li>
<li>DIS: Draft International Standard</li>
<li>FDIS: Final Draft International Standard</li>
<li>IS: International Standard</li>
</ul>

|-
| Technical report 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
</ul>

|-
| Technical specification 
| <ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
</ul>

|}

== Meetings ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection ==

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
| 2014
|
*April 7-15, 2014 Hong Kong
*Oct 20-24, 2014 Mexico City, Mexico

|-
| 2015
|
*May 4-12, 2015 Kuching, Malaysia
*Oct 26-30, 2015 Jaipur, India

|-
| 2016
|
*April 11-15, 2016  Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

|-
| 2017
|
*April 18-22, 2017, Hamilton, New Zealand
*Oct 30- Nov 3, 2017,  Berlin, Germany

|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway

|-
| 2019
|
*April 1-5, Tel-Aviv, Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)

|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting

|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting

|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg - 

|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea

|-
| 2024
|
*April 8-12, Hybrid meeting - Manchester, UK
*September 26 - October 5, Virtual

|-
| 2025
|
*March 10-14, Hybrid meeting - Fairfax USA
*September 8-12, Hybrid meeting - Kunming, China
|}

== Meetings ISO/IEC JTC 1/SC 44 Consumer protection in the field of privacy by design ==
ISO 31700 is dealt with in another committee (PC317 initially and now iSO/IEC JTC1/SC44). Here is a list of meetings that took place or that will take place in PC317.

{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*Nov 1-2, 2018, London (PC317)

|-
| 2019
|
*Feb 6-8, Berlin (PC317 adhoc group)
*May 20-23, Toronto (PC317)
*19 October, Paris (PC317 jointly with SC27)
*21-23 October, Paris (PC317 colocated with SC27)

|-
| 2020
|
*17-20 March, Virtual meeting (PC317)
*30 Sept - 2 Oct, Virtual meeting (PC317)

|-
| 2021
|
*19-22 March, Virtual meeting (PC317)
*13-17 September, Virtual meeting (PC317)

|-
| 2022
|
*16-20 May, Virtual meeting (PC317)

|-
| 2025
|
*16-18 September, Hybrid meeting, Kunming, China
|}

== Privacy references lists ==

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The SC 27/WG 5 Standing Document 2 contains references with relevant descriptions to privacy-related:

*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.

|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf] 
|-
| Calendar
|
This document is regularly updated

|}

== ISO/IEC JTC 1/SC 27 published standards ==

=== 19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408 ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Naruki Kai
|-
| Scope
|
This Technical Report provides guidance for:

*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner

|-
| Documentation
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html] 
|-
| Calendar
|
has been moved from TR to TS

Published in October 2018

|-
| Comments
| 
|}

=== 20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou 
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]

[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]

|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in May 2017
*3rd WD provided in November 2017
*4th WD provided in April 2018
*1st CD provided in November 2018
*2nd CD provided in October 2019
*DIS published in October 2019
*FDIS publised in May 2020
*Published in September 2020

|-
| Comments 
|
WG9 is working on the following

*20546 : big data overview and vocabulary
*20547 : big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

|}

=== 20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Chris Mitchell and Lionel Vodzislawsky 
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification 
|-
| Documentation
|
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]

[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]

|-
| Calendar
|
*1st WD December 2015
*2nd WD June 2016
*1st CD Devember 2016
*2nd CD May 2017
*1st DIS January 2018
*FDIS August 2018
*Published in November 2018

|-
| Comments
| 
|}

=== 27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html] 
|-
| Calendar
|
*Started in Paris October 2019
*1st DTS published in July 2020,
*2nd DTS published in October 2020
*Publication in February 2021
*Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of
privacy information management systems (see [https://ipen.trialog.com/wiki/ISO#27706_IS_Requirements_for_bodies_providing_audit_and_certification_of_privacy_information_management_systems link below])

|-
| Comments
| 
|}

=== 27018:2025 IS Code of practice for protection of PII in public clouds acting as PII processors ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|
Editor
|
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
| Scope
|
This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy
principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into
consideration the regulatory requirements for the protection of PII which can be applicable within the
context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers.
Hence this document is not meant to be used for certification purposes.
|-
| Documentation
|
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]

|-
| Comments
|
*published in 2014
*Revision underway
*DIS provided in October 2023
*FDIS provided in October 2024
*publication August 2025
|}

=== 27400:2022 IS Security and Privacy for the Internet of Things ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
| Scope
|
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar
|
*Started in Wuhan April 2018
*1st WD provided in June 2018
*2nd WD provided in November 2018
*3rd WD provided in June 2019
*1st CD provided in December 2019
*2nd CD provided in May 2020
*3rd CD provided in March 2021
*DIS provided in April 2021
*FDIS provided in January 2022
*Published in June 2022
|-
| Comments
|
Follow up of

*SP Privacy guidelines for IoT (WG5)
*SP Security guidelines for IoT (WG4)
*SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

|}

=== 27402:2023 IS IoT security and privacy - Device baseline requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
| Scope
|
This document provides baseline ICT requirements for IoT devices to support security and privacy controls

|-
| Documentation
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html] 
|-
| Calendar
|
*1st WD provided in May 2020
*1st CD provided in November 2020
*2nd CD provided in July 2021
*DIS provided in December 2022
*FDIS provided in October 2023
*Publication in November 2023

|-
| Comments
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
|}

=== 27403:2024 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Yanghuichen Lin, Luc Poulin

|-
| Scope
|
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html] 
|-
| Calendar
|
Started in Paris October 2018 with a preliminary version

*1st WD provided in October 2019
*2nd WD provided in May 2020
*3rd WD provided in March 2021
*4th WD provided in April 2021
*5th WD provided in May 2021
*6th WD provided in July 2021
*1st CD provided in January 2022
*2nd CD provided in June 2022
*DIS provided in October 2022
*2nd DIS provided in April 2023
*FDIS provided in January 2024
*Publication in June 20é4

|-
| Comment
| Is a WG4 project 
|}

=== 27550:2019 TR Privacy engineering for system lifecycle processes ===

{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
| Antonio Kung, Mathias Reinis
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

|-
| Documentation
|
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]

[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]

|-
| Calendar
|
*1st WD provided in January 2017
*2nd WD provided in June 2017
*1st PDTR provided in January 2018
*2nd PDTR provided in June 2018
*3rd PDTR provided in October 2018
*Version for publication provided in April 2019
*Publication in September 2019

|-
| Comments 
|
[Antonio Kung]

*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

|}

=== 27551:2021 IS Requirements for attribute-based unlinkable entity authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Nat Sakimura, Jaehoon Na, Pascal Pailler
|-
| Scope
|
This International Standard

*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

|-
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html] 
|-
| Calendar 
|
*1st WD provided in April 2017
*2nd WD provided in Dec 2017
*3rd WD provided in July 2018
*4th WD provided in February 2019
*1st CD provided in October 2019
*DIS provided in November 2019
*FDIS provided in September 2020
*Published in September 2021

|-
| Comments 
| 
|}

=== 27555:2021 IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|
*1st WD provided in March 2019
*2nd WD provided in June 2019
*1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
*2nd CD was published in June 2020
*DIS was provided in January 2021
*FDIS was provided in April 2021
*Publication in October 2021

|-
| Comments
| It is based on a German standard
|}

=== 27556:2022 IS User-centric privacy preferences management framework ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

|-
| Calendar
|
*Established in Gjovik (October 2018)
*1st WD provided In June 2019
*2nd WD provided in December 2019
*1st CD provided in May 2020
*2nd CD provided in October 2020
*3rd CD provided in April 2021
*DIS provided in October 2021
*FDIS provided in May 2022
*Publication in October 2022

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Comments
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
|}

=== 27557:2022 IS Organizational privacy risk management ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

|-
| Scope
|
Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html] 
|-
| Calendar
|
*1st WD was published in May 2020
*2nd WD was published in October 2020
*1st CD was published in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022
|}

=== 27559:2022 IS Privacy-enhancing data de-identification framework ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend, Santa Borel
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

|-
| Documentation
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html] 
|-
| Calendar
|
*1st WD was provided in July 2020
*2nd WD was provided in February 2021
*1st CD was prrovided in April 2021
*DIS was provided in October 2021
*FDIS was provided in June 2022
*Published in November 2022

|}

=== 27560:2023 TS Privacy technologies – Consent record information structure ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

|-
| Documentation
| https://www.iso.org/standard/80392.html
|-
| Calendar
|
*1st WD was provided in May 2020
*2nd WD was provided in January 2021
*3rd WD was provided in April 2021
*4th WD was provided in October 2021
*5th WD was provided in June 2022
*DTS was provided in October 2022
*Publication in August 2023

|}

=== 27561:2024 IS POMME Privacy operationalization model and method for engineering ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
|-
| Objective
|
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.

|-
| Documentation
| https://www.iso.org/standard/80394.html
|-
| Calendar
|
*1st WD provided in April 2021
*2nd WD provided in October 2021
*1st CD provided in May 2022
*2nd CD provided in November 2022
*DIS provided in May 2023
*FDIS provided in October 2023
*standard published in March 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
</div>

=== 27562:2024 IS Privacy guidelines for fintech services ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Heung Youl Youm, Janssen Esguerra
|-
| Objective
|
This document provides guidelines on privacy for fintech services.

It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks.

This document is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.

|-
| Documentation
| https://www.iso.org/standard/80395.html
|-
| Calendar
|

*1st WD provided in April 2021
*2nd WD provided in October 2021
*3rd WD provided in May 2022
*1st CD provided in November 2023
*2nd CD provided in May 2023
*DIS provided in November 2023
*FDIS provided in May 2024
*Publication in December 2024

|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]

|}
</div>

=== 27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices ===
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
| Objective
|
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

|-
| Documentation
| https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

|-
| Calendar
|
*Established in October 2021
*Draft TR was provided in December 2021
*Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022
*3rd draft DTR was provided in September 2022
*Further to April 2023 meeting, publication was mede in May 2023

|-
| Comments
|
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]

|}
</div>

=== 27564:2025 TS Privacy protection - Guidance on the use of models for privacy engineering ===

<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Michelle Chibba, Antonio Kung, Jonathan Fox, Srinivas Poosarla

|-
| Objective
|
This document provides guidance on how to use modelling in privacy engineering.
It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references and standards for privacy engineering and for modelling..
It provides high-level use cases describing how models are used.

|-
| Documentation
|
https://www.iso.org/standard/89319.html

|-
| Calendar
|
*1st WD provided in October 2024
*1st DTS provided in April 2025
*Published in September 2025

|-
| Comments
| Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]

Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27564_Privacy_models_(Started_in_October_202,_completed_in_April_20241) PWI 27564 Privacy models]
|}
</div>
=== 27565:2026 IS Guidance on privacy preservation based on zero-knowledge proofs ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

|-
| Objective
|
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
|-
| Documentation
| https://www.iso.org/standard/80398.html
|-
| Calendar
|
*Established in October 2021
*1st WD provided in June 2022
*2nd WD provided in November 2022
*3rd WD provided in May 2023
*1st CD provided in December 2023
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS provided in April 2025
*FDIS provided in October 2025
*publication in February 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]

|}
<div class="_"></div>


=== 27566-1:2025 IS Age assurance - Part 1: Framework ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions.
|-
| Documentation
| https://www.iso.org/standard/88143.html
|-
| Calendar
|
*Started in May 2023
*1st WD provided in December 2023
*2nd WD provided in March 2024
*1st CD provided in July 2024
*DIS provided in October 2024
*FDIS provided in September 2025
*publication in December 2026
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

|}
<div class="_"></div>



=== 27570:2021 TS Privacy Guidelines for Smart Cities ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

|-
| Documentation
| [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html] 
|-
| Calendar
|
*1st WD was provided in June 2018 further the Wuhan meeting.
*2nd WD was provided in October 2018 further to the Gjovik meeting.
*A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
*A 2nd PDTS was provided in November 2019 further to the Paris meeting
*A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
*The document will go to publication further to the September 2020 virtual meeting.
*The standard was published in January 2021 see following press release: [https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]
*The standard was confimed in October 2024

|-
| Comments
|
First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

|}

=== 27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm, Oliver Weissmann, Srinivas Poosarla
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html] 
|-
| Calendar
|
*1st WD provided in April 2017
*2nd WD provided in June 2017
*1st CD provided in April 2018
*2nd CD provided in June 2018
*DIS provided in March 2019
*Publication in August 2019
*A revision has been initiated in October 2022

|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

|}

=== 29100:2011 IS Privacy framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor 
|
Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

|-
| Scope
| This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. 
|-
| Documentation
| Is a free standard : see [http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html] 
|-
| Comments
|
*Revision published in February 2024

|}

=== 29101:2018 IS Privacy architecture framework ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

|-
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

|-
| Documentation
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html] 
|-
| Comments
|
*1st edition published in april 2013
*Current edition confirmed in May 2024
|}

=== 29134:2023 IS Guidelines for Privacy impact assessment ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Mathias Reinis 
|-
| Scope
|
This document gives guidelines for:

*a process on privacy impact assessments, and
*a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

|-
| Documentation
| https://www.iso.org/fr/standard/86012.html 
|-
| Calendar
| Published in June 2017 
|-
| Comments
| 
*Is the second edition. First edition was published in 2017
|}
<div></div>

=== 29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058) ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

|-
| Documentation
|
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Published in August 2017
*PWI 8888 to prepare revision in March 2023
*1st CD of revision provided in October 2023
*2nd CD of revision to be provided in Apri 2924
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

=== 29184:2020 IS Online privacy notices and consent ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck 
|-
| Scope
|
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
|-
| Documentation
|
[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]
|-
| Calendar
|
*1st WD provided in June 2016
*2nd WD provided in April 2017
*3rd WD provided in June 2017
*1st CD provided in December 2017
*2nd CD provided in July 2018
*3rd CD provided in March 2019
*DIS provided in may 2019
*FDIS provide in march 2020
*Publication in June 2020
|-
| Comments
|

Initiated in Jaipur (Oct 2015)
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

|}

=== 29190:2015 IS Privacy capability assessment model ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| Alan Shipman 
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>

|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html] 
|-
| Calendar
| 
|-
| Comments
| 
|}

=== 29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication ===

{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor 
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments 
|
*Published in December 2012
*Minor revision for FDIS in July 2024
|}

== ISO PC317 and ISO/IEC JTC 1/SC 44 published standards ==

=== 31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

|-
| Scope
|
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*Official start date: November 1 2018
*First meeting: November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual

|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
| Comments
|
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases </div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

=== 31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
| Calendar
|
*May 2019 : request for use cases
*March 2020: creation of AhG on use cases
*April 2021: continuation of AhG on use cases
*September 2021: approval to create 31700-2Official start date: November 1 2018
*June 2022: Draft technical report
*February 2023: Publication

|-
| Versions
|
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022

|-
| Comments
|
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}

== ISO/IEC JTC 1/SC 27 standards under development ==

=== 5181 IS Security and privacy - Data provenance ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan de Meer, Xiaoyuan Bai, Ryan Ko
|-
| Scope
|
This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data
assets from multiple sources, intermediaries or users.
|-
| Documentation
|https://www.iso.org/standard/80971.html
|-

| Calendar
|Started in February 2023
|-

|-
| Comments
| This is a SC 27/WG 4 project, a follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]

*1st WD provided in March 2023
*2nd WD provided in August 2023
*3rd WD provided in December 2023
*1st CD provided in June 2024
*2nd CD provided in November 2024
*3rd CD provided in March 2025
*DIS provided in december 2025

|}

=== 10267 IS Methods to quantify the amount of personal information in a dataset ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Ian Opperman, Srinivas Poosarla, Dorotea Alessandra De Marco, Erik Boucher

|-
| Scope
|
The purpose of this document is to provide guidance on the methods to quantify the amount of personal information and to help estimate how easy it might be to reidentify someone in a dataset subjected to de-identification when it contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance can further help organisations make better decisions for privacy protection and for appropriate use, sharing and exchange of such data.
This document is a high level, principles-based advisory standard which sets out terms and concepts that can be referenced by organizations.
This document does not provide an estimate of how easy it is to identify someone where additional external data is accessible, nor does it provide a way to define whether data is PII or not.
|-
| Documentation
|https://www.iso.org/standard/89607.html
|-

| Calendar
|Started in October 2024
|-

|-
| Comments
| This project was initially submitted and approved in ISO/IEC JTC1/SC32 Data management and interchange

*1st WD provided in October 2024
*2nd WD provided in May 2025
*1st CD provided in October 2025
*DIS to be provided in April 2028

|}

=== 27045 IS Big data security and privacy — Guidelines for managing big data risks ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
|
Dapeng Liu, Victoria Hailey, Shiqi Li
|-
| Scope
|

This document provides guidance on how to navigate the threats that can arise during the big data
life cycle from the various big data characteristics that are unique to big data: volume, velocity,
variety, variability, volatility, veracity and value, including when using big data for the design and
implementation of AI systems.
This document can help organizations build or enhance their big data security and privacy
capabilities, including when using big data in the development and use of AI systems. This document
is applicable to all organizations that develop or use big data systems, regardless of their type, size or
purpose.

|-
| Documentation
| [https://www.iso.org/standard/88970.html https://www.iso.org/standard/88970.html] 
|-
| Calendar
|
This is a SC 27/WG 4 project
*1sd WD was provided in July 2024
*2nd WD Was provided in December 2024
*1st CD was provided in March 2025
*DiS was provided in October 2025
*FDIS to be provided
|-
| Comments
|
Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27045_Big_data_security_and_privacy_-_guidelines_for_data_security_management_framework_(Started_in_April_2021,_completed_in_April_2024) PWI 27045]
|}

=== 27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Priya Chakraborty, Antonio Kung, Byoung-Moon Chin

|-
| Scope
|
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
| Documentation
| https://www.iso.org/standard/56582.html
|-

| Calendar
|Project started in February 2023
|-

|-
| Comments
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

*1st WD provided in May 2023
*2nd WD provided in October 2023
*3rd WD provided in December 2024
*1st CD provided in April 2025
*2nd CD provided in July 2025
*DIS provided in October 2025
*FDiS to be provided in June 2026
|}

=== 27555 Revision IS Guidelines on Personally Identifiable Information Deletion ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Volker Hammer, Dorotea Alessandra de Marco, Alan Shipman

|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.

|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html] 
|-
| Calendar
|

*DIS to be provided in April 2026

|-
| Comments
| It is based on a German standard
|}

=== 27560 Structure of personally identifiable information (PII) processing records ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jan Lindquist, Harshvardhan Pandit
|-
| Scope
|
This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.
|-
| Documentation
|
|-
| Comment
| Is a revision of ISO/IEC TS 27560, further to PWI [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27569_Personal_identifiable_information_(PII)_processing_record_information_structure_(Started_in_April_2024,_completed_in_March_2025) 27569 PII processing record information structure]
|-
| Calendar
|
*1st WD was provided in July 2025
*1st CD was provided in September 2025
*2nd CD to be provided in April 2026
|}

=== 27566-2 IS Age assurance - Part 2: Technical approaches and guidance for implementation ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Mark Svancarek, Denis Pinkas

|-
| Scope
|
This document includes guidance for considering the characteristics of various approaches and for
making trade-offs when selecting approaches for different users, actors and use cases. The
document describes different technical approaches suitable in different ecosystems for the
implementation of age assurance systems or of age assurance components.
|-
| Documentation
|
|-
| Calendar
|
*1st WD to be provided in July 2026

|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] and of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27566_IS_Age_assurance_-_Part_2:_Interoperability,_technical_architecture_and_guidelines_for_use_(started_in_November_2023) PWI age assurance part 2: interoperability, technical architecture and guidelines for use])

|}
<div class="_"></div>



=== 27566-3 IS Age assurance - Part 3: Approaches to comparison or analysis ===

{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tony Allen, Denis Pinkas, Mark Svancarek

|-
| Scope
|
This document establishes considerations for analysing, comparing or differentiating the characteristics of age assurance systems or components.
The document includes metrics, elements and indicators of effectiveness for age assurance systems or components

|-
| Documentation
| https://www.iso.org/standard/88147.html

Initial title was "Age assurance systems – Part 3: Approaches to analysis or comparison"

|-
| Calendar
|
*Started in October 2023
*1st WD provided in December 2023
*2nd WD provided in July 2024
*3rd WD provided in April 2025
*1st CD provided in October 2025
*2nd CD to be provided in April 2025
|-
| Comments
|
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]

Former title: Benchmarks for benchmarking analysis
|}
<div class="_"></div>



=== 27568 TS Security and privacy of digital twins ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung, Patrick Curry, Vishnu Kanhere, Mark Lizar, Srinivas Poosarla, Karim Tobich, Heung Youl Youm, Hee Bong Choi

|-
| Scope
|

This document provides guidance for organizations to address security and privacy risks in digital twin systems. The guidance in this document helps organizations identify security and privacy risks throughout the digital twin system lifecycle, and establishes mechanisms to evaluate the consequences of such risks and treat them.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, academia, research institutions and not-for-profit organizations, that develop or use digital twin systems.
|-
| Documentation
|

|-
| Calendar
|
*Request for ballot made
*1st WD provided in October 2025
*2nd WD to be provided in April 2025
|-
| Comments
|
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Is the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27568_Security_and_privacy_of_digital_twins_(Started_in_October_2022) PWI 2758 Security and privacy of digital twins]

|}
</div>

=== 27573 IS Privacy protection of user avatar and system avatar interactions in the metaverse ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung

|-
| Scope
|

This document provides requirements for protecting personally identifiable information((PII) during interactions between user avatars and system avatars in the metaverse. This document identifies and classifies the PII generated and used by user avatars and system avatars and addresses privacy threats in the spaces where the avatar operates during the interactions between the user avatar and the system avatar.

|-
| Documentation
|

|-
| Calendar
|

* Request for ballot initiated in March 2025
* 1st WD provided in October 2025
* 2nc WD to be provide in April 2025

|-
| Comments
|
Result from [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]

|}
</div>

=== 27574 IS Privacy in brain-computer interface (BCI) applications ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Srinivas Poorsala, Erik Boucher, Jyoti kushwaha, Binsheng Zhang, Marta beltran Pardo
|-
| Scope
|

This document provides requirements and guidelines on privacy for Brain Computer Interface Applications. It provides privacy controls specific to Brain Computer Interface Applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701.

|-
| Documentation
|

|-
| Calendar
|

*Request for NP ballot initiated in April 2025
*1st WD to be provided in March 2026

|-
| Comments
|
*Result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_27573_Privacy_protection_of_user_avatar_and_system_avatar_interactions_in_the_metaverse_(Started_in_October_2024) PWI]
|}
</div>

=== 27701:2025 IS Privacy information management systems — Requirements and guidances ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor 
| Alan Shipman, Heung Youl Youm
|
|-
| Scope
|
This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

|-
| Documentation
| https://www.iso.org/standard/85819.html
|-
| Calendar
|

*A revision has been initiated in October 2022
*FDIS provided in June 2023
*New format CD provided in October 2023
*New DIS provided in June 2024
*New FDIS provided in January 2025
*Publication in October 2025
|-
| Comments
|

|}

=== 27706 2nd Edition - IS Requirements for bodies providing audit and certification of privacy information management systems ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

|-
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html] 
|-
| Calendar
|
*1st CD was provided in May 2022
*2nd CD was provided in November 2022
*DIS was provided in May 2023
*Further to October 2023 meeting, document is being restructured
*DIS submitted in July 2024
*FDIS submitted in November 2024
*Publication expected in October 2025
|-
| Comments
|
Follow-up of ISO/IEC 27006-2 TS
| 
|}

=== 29151 2nd Edition - IS Controls, requirements and guidance for personally identifiable information protection ===

{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
| Heung Youl Youm, Alan Shipman 

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
| Scope
|
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).

This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
|-
| Documentation
|

[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]

|-
| Calendar
|
*Preparation of revision started in September 2023
*1st CD provided in February 2024
*2nd CD provided in May 2024
*DIS provided in October 2024
*2nd DIS to be provided in April 2025
*FDIs to be provided in September 2025
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}

== ISO/IEC JTC 1/SC 44 standards under development ==

=== 31700-2 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Antonio Kung

|-
| Scope
|
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

|-
| Documentation
| See [https://www.iso.org/standard/91874.html]
|-
| Calendar
|
*DTS to be provided in October 2025

|-
| Comments
|
|}

== ISO/IEC JTC 1/SC 27 Active Preliminary Work Items ==

=== PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021) ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Xiaoyuan Bai, Jin Peng

|-
| Objective
|
This document provides the followings:

* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
| Documentation
|

|-
| Calendar
|
* 1st PWI in June 2021
* 2nd PWI in September 2021
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
* Proposal for new project in February 2023
* Further to proposal PWI is restarted in April 2023
* 1st PWI in September 2023
* 2nd PWI Presentation in October 2024
* 3rd PWI provided in June 2025
|-
| Comments
|
Is a WG4 project

|}
</div>

=== PWI 25863 Exploration of Security and privacy characteristics for digital identity wallets managing digital credentials (started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Patrick Curry, Sal Francomacaro, Hideaki Furukawa, Denis Pinkas, Heung Youl Youm, Li Zhang
|-
| Scope
|
This PWI will explore security and privacy characteristics for digital identity wallets in the context of frameworks based on a three roles model (issuer, holder, verifier). It will also provide considerations on acceptability and interoperability.
Excluded characteristics of:
* Digital wallets dedicated exclusively to payments, transportation ticketing or handling of crypto-assets.
* Digital wallets supporting electronic signatures.
* Digital wallets handling distributed ledger technology and blockchains

|-
| Documentation
| Initial title was "Exploration of Digital wallets storing digital credentials". During the development of the PWI the group agreed to narrow the scope of this project. The adjusted title and scope reflects this agreement. The initial scope was the following:

''This document describes the concepts and properties necessary in a digital wallet and provides a framework for the development, management, operation and use of digital wallets managing digital identity credentials.
''Excluded:
* ''Digital wallets dedicated to other activities or types of transactions and in particular to payments, including transportation payments, or for handling crypto assets are out of the scope of this document.
* ''Electronic signatures 
|-
| Calendar
|

|-
| Comments
|
|}

=== PWI 27503 Privacy and security guidelines on intelligent travel services (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Tie Sun, Bingshen Zhang, Yueqiao Wang, Antonio Kung, Vishnu Kanhere
|-
| Scope
|
This activity aims to study the general framework of an intelligent travel service system, including the relevant actors (including drivers, passengers, service providers, etc), their relationships and the data flows among them.

|-
| Documentation
|
This activity will explore and identify:
• possible use cases
• practical recommendations for the collection, processing, use, storage, and deletion of PII
• considerations for the trade-off between security and privacy
• considerations for payment security and the safety of passengers

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 27575 Privacy for metaverse frameworks (Started in March 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

|-
| Scope
|
This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks.
It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;

|-
| Documentation
|

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== ISO/IEC JTC 1/SC 44 Active Preliminary Work Items ==

=== PWI 26224 Guidelines for privacy by design of mobile information services for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Sijia Xu
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
The document supplements ISO 31700-1 with more specific
guidance, making it easier for the users of the document to implement and
understand ISO 31700-1 in the domain of mobile information services.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26225 Guidelines for privacy by design of online platforms for consumers (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Shu chen, Bingsheng Zhang
|-
| Scope
|
This document provides guidance for privacy by design of specific online platforms for consumers, based on the structure of ISO 31700-1.
|-
| Documentation
|
Online platforms serve an immense consumer base and
consequently hold vast amounts of users’ private information. It is therefore
essential to leverage the platforms’ capabilities fully, guided by a philosophy of
respect for consumers and proactive risk prevention, to protect consumers’
personal-data rights to the greatest extent through privacy by design.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 26226 Usage of Privacy Enhancing Technologies in consumer privacy by design (Started in September 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Bingsheng Zhang, Antonio Kung
|-
| Scope
|
This document provides an overview of established Privacy Enhancing
Technologies (PETs) and analyses how these technologies can be used to meet
the requirements of consumer privacy by design. It is complemented by a
number of cross-referenced case studies providing examples on how to use
specific Privacy Enhancing Technologies in specific consumer domains or for
specific consumer product categories. It also maps the descriptions with the
structure of ISO 31700-1 requirements.

|-
| Documentation
|
This document is needed to illustrate the use of PETs in the space of
consumer products. It highlights current application areas of PETs for consumer
products, along with their demonstrated effectiveness. The document will
provide guidance to stakeholders with a direct interest in building consumer
products (business manager, product owner, product architect). The guidance
will help these stakeholders to apply ISO 31700-1 effectively, thereby enforcing
ISO/IEC 29100 privacy principles.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

=== PWI 31700-3 Consumer protection — Privacy by design for consumer goods and services — Part 3: Audits of privacy by design for consumer products and services (Started in April 2025) ===

{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Kung Antonio, Choy-Harris Ingrid, Dulmage Graham Rae, Zhang Bingsheng
|-
| Scope
|
This document provides guidance for privacy by design of specific
consumer mobile information services, based on the structure of ISO 31700-1
|-
| Documentation
|
This document provides guidance on managing a privacy-by-design for consumer goods and service (PCGS) audit programme, on conducting audits, and on the competence of PGCSS auditors, in addition to the guidance contained in ISO 19011.

This document is applicable to those needing to understand or conduct internal or external audits of a PGCS or to manage an PGCS audit programme.

|-
| Calendar
|

|-
| Comments
|

|}
</div>

== Completed Preliminary Work Items or Study Periods ==

[[Completed study periods and pwis]]