Difference between revisions of "ISO"
Line 1: | Line 1: | ||
[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]] | |||
== <span style="font-size:larger">Introduction</span> == | |||
<span style="line-height: 1.6; | The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy). | ||
Most projects are developed within <span style="line-height: 1.6">ISO/IEC JTC1/SC27. </span>More info can be found on in the SC27 portal: | |||
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en] | *[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en] | ||
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides) | *[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707] (set of slides) | ||
<span style="line-height: 1.6 | <span style="line-height: 1.6">Note that the portal will in general contain more information than this wiki, which</span><span style="line-height: 1.6"> focuses mainly on work carried out in </span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''. </span><span style="line-height: 1.6;">WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in </span>[https://www.din.de/en/meta/jtc1sc27/downloads [1]] | ||
Some of the projects are also carried out in '''ISO/IEC JTC1/SC27/WG4'''''<span style="line-height: 1.6;">.</span>''<span style="line-height: 1.6;">The convenor is '''Johann Amsenga''', and the vice convenor is '''François Lorek'''</span> | |||
<span style="line-height: 1.6;">One project is carried out within '''ISO PC317. '''</span>The convenor is '''Jan Schallaböck'''. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services) | |||
== <span style="font-size:larger | == <span style="font-size:larger">Some conventions on ISO standards</span> == | ||
The important things to know concerning ISO standards steps: | The important things to know concerning ISO standards steps: | ||
{| | {| style="width: 500px" cellpadding="1" cellspacing="1" border="1" | ||
|- | |- | ||
| <span style="line-height: 18.9090900421143px | | <span style="line-height: 18.9090900421143px">Standard</span><br/> | ||
| <ul style="line-height: 18.9090900421143px;"> | | <ul style="line-height: 18.9090900421143px;"> | ||
<li>SP: Study period</li> | <li>PWI: Preliminary work item (previously SP: Study period in SC27)</li> | ||
<li>NWIP: New Work Item Proposal</li> | <li>NWIP: New Work Item Proposal</li> | ||
<li>NP: New Work Item</li> | <li>NP: New Work Item</li> | ||
Line 29: | Line 35: | ||
|- | |- | ||
| <span style="line-height: 20.7999992370605px | | <span style="line-height: 20.7999992370605px">Technical report</span><br/> | ||
| <ul style="line-height: 20.7999992370605px;"> | | <ul style="line-height: 20.7999992370605px;"> | ||
<li> | <li>PWI: Preliminary work item (previously SP: Study period in SC27)</li> | ||
<li>DTR: | <li>NWIP: New work item proposal</li> | ||
<li>NP: New work item</li> | |||
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li> | |||
<li>TR: Technical Report</li> | <li>TR: Technical Report</li> | ||
</ul> | </ul> | ||
|- | |- | ||
| <span style="line-height: 20.7999992370605px | | <span style="line-height: 20.7999992370605px">Technical specification</span><br/> | ||
| <ul style="line-height: 20.7999992370605px;"> | | <ul style="line-height: 20.7999992370605px;"> | ||
<li> | <li>PWI: Preliminary work item (previously SP: Study period in SC27)</li> | ||
<li>DTS: Draft Technical Specification</li> | <li>NWIP: New Work Item Proposal</li> | ||
<li>NP: New Work Item</li> | |||
<li>WD: Working Draft</li> | |||
<li>DTS: Draft Technical Specification (formerly PDTS: Preliminary Draft Technical Specification)</li> | |||
<li>Technical Specification</li> | <li>Technical Specification</li> | ||
</ul> | </ul> | ||
Line 46: | Line 57: | ||
|} | |} | ||
== <span style="font-size: larger;">Meetings</span> == | |||
{| | Progress is finalised in plenary meetings (taking place every 6 months). | ||
Here is a list of meetings that took place or that will take place in SC27. | |||
{| style="width: 500px" cellpadding="1" cellspacing="1" border="1" | |||
|- | |- | ||
| 2014 | | 2014 | ||
| | | | ||
*<span style="line-height: 1.6 | *<span style="line-height: 1.6">April 7-15, 2014 Hong Kong</span> | ||
*<span style="line-height: 1.6 | *<span style="line-height: 1.6">Oct 20-24, 2014 Mexico City, Mexico</span> | ||
|- | |- | ||
| 2015 | | 2015 | ||
| | | | ||
*May 4-12, 2015 Kuching | *May 4-12, 2015 Kuching, Malaysia | ||
*Oct 26-30, 2015 Jaipur, India | *Oct 26-30, 2015 Jaipur, India | ||
Line 64: | Line 79: | ||
| 2016 | | 2016 | ||
| | | | ||
* | *April 11-15, 2016 Tampa, USA | ||
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE | |||
|- | |||
| 2017 | |||
| | |||
*April 18-22, 2017, Hamilton, New Zealand | |||
*Oct 30- Nov 3, 2017, Berlin, Germany | |||
|- | |||
| 2018 | |||
| | |||
*April, 16-20 Wuhan, China | |||
*Sept 30 - Oct 4 - Gjovik, Norway | |||
|- | |||
| 2019 | |||
| | |||
*April 1-5, Tel-Aviv, Israel | |||
*October 14-18, Paris, France | |||
*19 October, Paris (jointly with SC27) | |||
|- | |||
| 2020 | |||
| | |||
*April 21-26, Virtual meeting | |||
*Sept 12-16, Virtual meeting | |||
|- | |||
| 2021 | |||
| | |||
*April 12-15, Virtual meeting | |||
*October 19-29, Virtual meeting | |||
|- | |||
| 2022 | |||
| | |||
*March 29 - April 8, Virtual meeting | |||
*Sept 26-30, Hybrid meeting - Luxembourg - | |||
|- | |||
| 2023 | |||
| | |||
*April 17-21, Hybrid meeting - Redmond, US | |||
*October 16-20, Hybrid meeting - Seoul, Korea | |||
|- | |||
| 2024 | |||
| | |||
*April 8-12, Hybrid meeting - Manchester, UK | |||
*September 26 - October 5, Virtual | |||
|} | |} | ||
== <span style=" | ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317. | ||
{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;" | |||
|- | |||
| 2018 | |||
| | |||
*<span style="line-height: 1.6;">Nov 1-2, 2018, London</span> | |||
|- | |||
| 2019 | |||
| | |||
*Feb 6-8, Berlin (adhoc group) | |||
*May 20-23, Toronto | |||
*19 October, Paris (jointly with SC27) | |||
*21-23 October, Paris (colocated with SC27) | |||
|- | |||
| 2020 | |||
| | |||
*17-20 March, Virtual meeting | |||
*30 Sept - 2 Oct, Virtual meeting | |||
|- | |||
| 2021 | |||
| | |||
*19-22 March, Virtual meeting | |||
*13-17 September, Virtual meeting | |||
|- | |||
| 2022 | |||
| | |||
*16-20 May, Virtual meeting | |||
|} | |||
== <span style="font-size: larger;">Privacy references lists</span> == | |||
{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;" | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |||
| Scope | |||
| | |||
The WG5 Standing Document 2 contains references with relevant descriptions to privacy-related: | |||
*Privacy regulatory authorities and regulations. | |||
*Standards. | |||
*Guidelines. | |||
*Newsletters and forums. | |||
*Organisations and associations. | |||
*Projects. | |||
*Data retention periods. | |||
The WG5 Standing Document 2 shall not be considered as: | |||
*Legal interpretations. | |||
*Having been legally validated by a global law firm or relevant lawyers. | |||
|- | |||
| Documentation | |||
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf]<br/> | |||
|- | |||
| Calendar | |||
| | |||
This document is regularly updated | |||
|} | |||
== <span style="font-size:larger">Published standards</span> == | |||
=== <span style="font-size: larger;">19608:2018 TS </span><span style="font-size: larger; line-height: 1.2;">Guidance for developing </span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> === | |||
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" | |||
|- | |||
| Editor<br/> | |||
| Naruki Kai | |||
|- | |||
| Scope | |||
| | |||
Thi<span style="line-height: 20.8px;">s Technical Report provides guidance for:</span> | |||
*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2 | |||
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII) | |||
*procedure to define both privacy and security functional requirements in a coordinated manner | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
has been moved from TR to TS | |||
Published in October 2018 | |||
|- | |||
| Comments | |||
| <br/> | |||
|} | |||
=== <span style="font-size: larger;">20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |- | ||
| Editor | | Editor | ||
| <span style="line-height: 20. | | Jinhua Min, Xuebin Zhou<br/> | ||
|- | |||
| ScopeS | |||
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification | |||
|- | |||
| Documentation | |||
| | |||
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]], [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]] | |||
[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html] | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in June 2016 | |||
*2nd WD provided in May 2017 | |||
*3rd WD provided in November 2017 | |||
*4th WD provided in April 2018 | |||
*1st CD provided in November 2018 | |||
*2nd CD provided in October 2019 | |||
*DIS published in October 2019 | |||
*FDIS publised in May 2020 | |||
*Published in September 2020 | |||
|- | |||
| Comments | |||
| | |||
WG9 is working on the following | |||
*20546 : big data overview and vocabulary | |||
*20547 : big data reference architecture | |||
**Part 1: Framework and application process (TR) | |||
**Part 2: Use cases and derived requirements (TR) | |||
**Part 3: Reference architecture (IS) | |||
**Part 4: Security and privacy fabric (IS) | |||
**Part 5: Standards roadmap (TR) | |||
Part 4 is transferred to SC27 for development, with close liaison with WG 9 | |||
[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore | |||
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric | |||
*address the 5 Vs concern (volume, velocity, variety, veracity, value) | |||
Further to Berlin meeting, decision to change title (term fabric is removed) | |||
|} | |||
=== <span style="font-size: larger;">20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques</span> === | |||
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" | |||
|- | |||
| Editor<br/> | |||
| Chris Mitchell and Lionel Vodzislawsky<br/> | |||
|- | |||
| Scope | |||
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/> | |||
|- | |||
| Documentation | |||
| | |||
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): [http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf] | |||
[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html] | |||
|- | |||
| Calendar | |||
| | |||
*1st WD December 2015 | |||
*2nd WD June 2016 | |||
*1st CD Devember 2016 | |||
*2nd CD May 2017 | |||
*1st DIS January 2018 | |||
*FDIS August 2018 | |||
*Published in November 2018 | |||
|- | |||
| Comments | |||
| <br/><br/> | |||
|} | |||
=== <span style="font-size: larger;">27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman | |||
|- | |- | ||
| Scope | | Scope | ||
| | | | ||
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. | |||
Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification. | |||
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html]<br/> | ||
|- | |||
| Calendar | |||
| | |||
*Started in Paris October 2019 | |||
*1st DTS published in July 2020, | |||
*2nd DTS published in October 2020 | |||
*Publication in February 2021 | |||
*Further to the March 2022 meeting, a revision is underway, at CD level | |||
|- | |- | ||
| Comments | | Comments | ||
Line 87: | Line 348: | ||
|} | |} | ||
=== <span style="font-size:larger;"> | === <span style="font-size: larger;">27018:2014 - Revision underway - IS Code of practice for protection of PII in public clouds acting as PII processors</span> === | ||
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" | |||
|- | |||
| | |||
Editor | |||
| | |||
Revision: Ramaswamy Chandramouli, Hendrik Decroos | |||
|- | |||
| Scope | |||
| | |||
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. | |||
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors. | |||
|- | |||
| Documentation | |||
| | |||
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html] | |||
|- | |||
| Comments | |||
| | |||
*published in 2014 | |||
*Revision underway | |||
*Further to the April 2023 meeting, discussion is taking place for a revision | |||
|} | |||
=== <span style="font-size: larger;">27400:2022 IS Security and Privacy for the Internet of Things</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor<br/> | |||
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages) | |||
|- | |||
| Scope | |||
| | |||
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT). | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*<span style="line-height: 20.8px;">Started in Wuhan April 2018</span> | |||
*<span style="line-height: 20.8px;">1st WD provided in June 2018</span> | |||
*<span style="line-height: 20.8px;">2nd WD provided in November 2018</span> | |||
*<span style="line-height: 20.8px;">3rd WD provided in June 2019</span> | |||
*<span style="line-height: 20.8px;">1st CD provided in December 2019</span> | |||
*<span style="line-height: 20.8px;">2nd CD provided in May 2020</span> | |||
*<span style="line-height: 20.8px;">3rd CD provided in March 2021</span> | |||
*<span style="line-height: 20.8px;">DIS provided in April 2021</span> | |||
*<span style="line-height: 20.8px;">FDIS provided in January 2022</span> | |||
*<span style="line-height: 20.8px;">Published in June 2022</span> | |||
|- | |||
| Comments | |||
| | |||
<span style="line-height: 20.8px;">Follow up of</span> | |||
*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span> | |||
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span> | |||
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span> | |||
<span style="line-height: 20.8px;">Aprll 2020: Renamed from 27030 to 27400</span> | |||
|} | |||
=== <span style="font-size: larger;">27402:2023 IS IoT security and privacy - Device baseline requirements</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Elaine Newton, Amit Elazari Bar On, Faud Khan | |||
|- | |||
| Scope | |||
| | |||
This document provides baseline ICT requirements for IoT devices to support security and privacy controls | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in May 2020 | |||
*1st CD provided in November 2020 | |||
*2nd CD provided in July 2021 | |||
*DIS provided in December 2022 | |||
*FDIS provided in October 2023 | |||
*Publication in November 2023 | |||
|- | |||
| Comments | |||
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements) | |||
|} | |||
=== <span style="font-size: larger;">27550:2019 </span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> === | |||
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" | |||
|- | |||
| Editor<br/> | |||
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span> | |||
|- | |||
| Scope | |||
| | |||
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices: | |||
*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management); | |||
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design; | |||
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations | |||
|- | |||
| Documentation | |||
| | |||
A youtube presentation on privacy engineering: [https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E] | |||
[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html] | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in January 2017 | |||
*2nd WD provided in June 2017 | |||
*1st PDTR provided in January 2018 | |||
*2nd PDTR provided in June 2018 | |||
*3rd PDTR provided in October 2018 | |||
*Version for publication provided in April 2019 | |||
*Publication in September 2019 | |||
|- | |||
| Comments<br/> | |||
| | |||
[Antonio Kung] | |||
*Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes | |||
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies | |||
|} | |||
=== <span style="font-size: larger;">27551:2021 IS Requirements for attribute-based unlinkable entity authentication</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;" | |||
|- | |||
| Editor<br/> | |||
| Nat Sakimura, Jaehoon Na, Pascal Pailler | |||
|- | |||
| Scope | |||
| | |||
This International Standard | |||
*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and | |||
*Specifies requirements for attribute-based unlinkable entity authentication implementations. | |||
This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/> | |||
|- | |||
| Calendar<br/> | |||
| | |||
*1st WD provided in April 2017 | |||
*2nd WD provided in Dec 2017 | |||
*3rd WD provided in July 2018 | |||
*4th WD provided in February 2019 | |||
*1st CD provided in October 2019 | |||
*DIS provided in November 2019 | |||
*FDIS provided in September 2020 | |||
*Published in September 2021 | |||
|- | |||
| Comments<br/> | |||
| <br/> | |||
|} | |||
=== <span style="font-size: larger;">27555:2021 IS Guidelines on Personally Identifiable Information Deletion</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| | |||
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer | |||
|- | |||
| Scope | |||
| | |||
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying: | |||
*a harmonised terminology for PII deletion, | |||
*an approach for defining deletion/de-identification rules in an efficient way, | |||
*a description of required documentation, and | |||
*a definition of roles, responsibilities and processes. | |||
This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address: | |||
*specific legal provision, as given by national law or specified in contracts, | |||
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing???? | |||
*deletion mechanisms including those for cloud storage, | |||
*security of deletion mechanisms, | |||
*specific techniques for de-identification of data. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in March 2019 | |||
*2nd WD provided in June 2019 | |||
*1st CD provided in December 2019. Title changed (former title: establishing a PII deletion concept in organisations) | |||
*2nd CD was published in June 2020 | |||
*DIS was provided in January 2021 | |||
*FDIS was provided in April 2021 | |||
*Publication in October 2021 | |||
|- | |||
| Comments | |||
| It is based on a German standard | |||
|} | |||
=== <span style="font-size: larger;">27556:2022 IS User-centric privacy preferences management framework</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;" | |||
|- | |||
| Editor<br/> | |||
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm | |||
|- | |||
| Scope | |||
| | |||
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences. | |||
|- | |||
| Calendar | |||
| | |||
*Established in Gjovik (October 2018) | |||
*1st WD provided In June 2019 | |||
*2nd WD provided in December 2019 | |||
*1st CD provided in May 2020 | |||
*2nd CD provided in October 2020 | |||
*3rd CD provided in April 2021 | |||
*DIS provided in October 2021 | |||
*FDIS provided in May 2022 | |||
*Publication in October 2022 | |||
|- | |||
| Documentation | |||
| <span style="font-size: 10pt; line-height: 107%; font-family: Arial, sans-serif;">[https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]</span><br/> | |||
|- | |||
| Comments | |||
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework" | |||
|} | |||
=== <span style="font-size: larger;">27557:2022 IS Organizational privacy risk management</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| | |||
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes | |||
|- | |||
| Scope | |||
| | |||
Provides guidelines for organizational privacy risk management. | |||
Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program. | |||
Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).<br/>This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD was published in May 2020 | |||
*2nd WD was published in October 2020 | |||
*1st CD was published in April 2021 | |||
*DIS was provided in October 2021 | |||
*FDIS was provided in June 2022 | |||
*Published in November 2022 | |||
|} | |||
=== <span style="font-size: larger;">27559:2022 IS Privacy-enhancing data de-identification framework</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Malcolm Townsend, Santa Borel | |||
|- | |||
| Scope | |||
| | |||
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data. | |||
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD was provided in July 2020 | |||
*2nd WD was provided in February 2021 | |||
*1st CD was prrovided in April 2021 | |||
*DIS was provided in October 2021 | |||
*FDIS was provided in June 2022 | |||
*Published in November 2022 | |||
|} | |||
=== <span style="font-size: larger;">27560:2023 TS Privacy technologies – Consent record information structure</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas | |||
|- | |||
| Scope | |||
| | |||
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the: | |||
— provision of a record of the consent to the PII Principal; | |||
— exchange of consent information between information systems; and, | |||
— management of the lifecycle of the recorded consent. | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/80392.html | |||
|- | |||
| Calendar | |||
| | |||
*1st WD was provided in May 2020 | |||
*2nd WD was provided in January 2021 | |||
*3rd WD was provided in April 2021 | |||
*4th WD was provided in October 2021 | |||
*5th WD was provided in June 2022 | |||
*DTS was provided in October 2022 | |||
*Publication in August 2023 | |||
|} | |||
=== <span style="font-size: larger;">27561:2024 IS POMME Privac</span><span style="font-size: larger;">y operationalization model and method for engineering</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR , Michele Drgon; | |||
|- | |||
| Objective | |||
| | |||
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities. | |||
*the method is described as a process following ISO/IEC/IEEE 24774; | |||
*it operationalizes ISO/IEC 29100; | |||
*it is intended for engineers and other practitioners developing systems controlling or processing PII; | |||
*it is designed for use with other standards and privacy guidance; | |||
*it supports networked, interdependent applications and systems. | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/80394.html | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in April 2021 | |||
*2nd WD provided in October 2021 | |||
*1st CD provided in May 2022 | |||
*2nd CD provided in November 2022 | |||
*DIS provided in May 2023 | |||
*FDIS provided in October 2023 | |||
*standard published in March 2024 | |||
|- | |||
| Comments | |||
| | |||
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model] | |||
It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html | |||
|} | |||
</div> | |||
=== <span style="font-size: larger;">27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices</span> === | |||
<div> | |||
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala | |||
|- | |||
| Objective | |||
| | |||
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases) | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/80396.html | |||
ISO/IEC 24030 covers 132 use cases that are described here: https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf | |||
ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf | |||
|- | |||
| Calendar | |||
| | |||
*<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Established in October 2021</span> | |||
*<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Draft TR was provided in December 2021</span> | |||
*<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022</span> | |||
*<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">3rd draft DTR was provided in September 2022</span> | |||
*<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Further to April 2023 meeting, publication was mede in May 2023</span> | |||
|- | |||
| Comments | |||
| | |||
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy] | |||
|} | |||
</div> | |||
=== <span style="font-size: larger;">27570:2021 TS Privacy Guidelines for Smart Cities</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire | |||
|- | |||
| Scope | |||
| | |||
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens | |||
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments | |||
|- | |||
| Documentation | |||
| <font color="#333333">[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]</font><br/> | |||
|- | |||
| Calendar | |||
| | |||
*<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span> | |||
*<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span> | |||
*<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span> | |||
*<span style="line-height: 20.8px;">A 2nd PDTS was provided in November 2019 further to the Paris meeting</span> | |||
*<span style="line-height: 20.8px;">A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting</span> | |||
*<span style="line-height: 20.8px;">The document will go to publication further to the September 2020 virtual meeting.</span> | |||
*<span style="line-height: 20.8px;">The standard was published in January 2021 see following press release: </span>[https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html] | |||
|- | |||
| Comments | |||
| | |||
First ecosystem oriented standard for privacy | |||
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span> | |||
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities) | |||
|} | |||
=== <span style="font-size: 18.252px;">27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor<br/> | |||
| Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm | |||
|- | |||
| Scope | |||
| | |||
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. | |||
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. | |||
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. | |||
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in April 2017 | |||
*2nd WD provided in June 2017 | |||
*1st CD provided in April 2018 | |||
*2nd CD provided in June 2018 | |||
*DIS provided in March 2019 | |||
*Publication in August 2019 | |||
*A revision has been initiated in 2022-10 | |||
*Further to April 2023 mode, a Final Draft International Standard (FDIS) will be provided | |||
|- | |||
| Comments | |||
| | |||
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019 | |||
A second version is underway with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance | |||
|} | |||
=== <span style="font-size: larger;">29100:2011 IS Privacy framework</span> === | |||
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1" | |||
|- | |||
| Editor<br/> | |||
| | |||
<span style="line-height: 20.7999992370605px">Stefan Weiss</span> | |||
<span style="line-height: 20.7999992370605px">Revision : Nat Sakimura, Jan Schallaboeck</span> | |||
|- | |||
| Scope | |||
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/> | |||
|- | |||
| Documentation | |||
| <span style="line-height: 20.7999992370605px">Is a free standard : see </span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/> | |||
|- | |||
| Comments | |||
| | |||
*Revision published in February 2024 | |||
|} | |||
=== <span style="font-size:larger">29101:2018 IS Privacy architecture framework</span> === | |||
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1" | |||
|- | |- | ||
| Editor | | Editor | ||
| <span style="line-height: 20.7999992370605px | | | ||
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span> | |||
<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomoto</span> | |||
|- | |- | ||
| Scope | | Scope | ||
Line 107: | Line 896: | ||
|- | |- | ||
| Documentation | | Documentation | ||
| | | [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html]<br/> | ||
|- | |- | ||
| Comments | | Comments | ||
| | | Revision initiated in Berlin (November 2017) | ||
|} | |} | ||
=== <span style="font-size:larger | === <span style="font-size:larger">29134:2017 IS Guidelines for Privacy impact assessment</span> === | ||
{| | {| style="width: 900px" cellpadding="1" cellspacing="1" border="1" | ||
|- | |- | ||
| Editor | | Editor | ||
| <span style="line-height: 20.7999992370605px | | <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/> | ||
|- | |- | ||
| Scope | | Scope | ||
Line 136: | Line 925: | ||
|- | |- | ||
| Documentation | | Documentation | ||
| <br/> | | [https://www.iso.org/standard/62289.html https://www.iso.org/standard/62289.html]<br/> | ||
|- | |- | ||
| Calendar | | Calendar | ||
| <span style="line-height: 1.6 | | <span style="line-height: 1.6">Published in June 2017</span><br/> | ||
|- | |- | ||
| Comments | | Comments | ||
Line 145: | Line 934: | ||
|} | |} | ||
<div></div> | <div></div> | ||
=== <span style="font-size:larger | === <span style="font-size:larger">29151:2017 - Revision underway - IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> === | ||
{| | {| style="width: 900px" cellpadding="1" cellspacing="1" border="1" | ||
|- | |- | ||
| Editor | | Editor | ||
| <span style="line-height: 20.7999992370605px | | <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/> | ||
Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park | |||
|- | |- | ||
| Scope | | Scope | ||
Line 162: | Line 953: | ||
|- | |- | ||
| Documentation | | Documentation | ||
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf] | | | ||
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): [http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf] | |||
[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html] | |||
|- | |- | ||
| Calendar | | Calendar | ||
| | | | ||
*Published in August 2017 | |||
*PWI 8888 to prepare revision in March 2023 | |||
*1st CD of revision provided in October 2023 | |||
*2nd CD of revision to be provided in Apri 2924 | |||
|- | |- | ||
| Comments | | Comments | ||
Line 171: | Line 970: | ||
|} | |} | ||
=== <span style="font-size:larger;"> | === <span style="font-size: larger;"><span style="line-height: 21.9px;">29184:2020 IS Online privacy notices and consent</span></span> === | ||
{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Editor<br/> | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <span style="line-height: 20.8px;">Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck</span><br/> | |||
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Scope | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | | |||
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal. | |||
This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context. | |||
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]<br/> | |||
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | | |||
*1st WD provided in June 2016 | |||
*2nd WD provided in April 2017 | |||
*3rd WD provided in June 2017 | |||
*1nd CD provided in December 2017 | |||
*<span style="line-height: 20.8px;">2nd CD provided in July 2018</span> | |||
*<span style="line-height: 20.8px;">3rd CD provided in January 2019</span> | |||
*<span style="line-height: 20.8px;">DIS provided in April 2019</span> | |||
*<span style="line-height: 20.8px;">FDIS provided in May 2020</span> | |||
*<span style="line-height: 20.8px;">Published in June 2020</span> | |||
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Comments | |||
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | | |||
<span style="line-height: 20.8px;">i</span><span style="line-height: 20.8px;">nitiated in Jaipur (Oct 2015)</span> | |||
{| | Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent | ||
|} | |||
=== <span style="font-size:larger;">29190:2015 IS Privacy capability assessment model</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;" | |||
|- | |- | ||
| Editor | | Editor | ||
| <span style="line-height: 20. | | <span style="line-height: 20.8px;">Alan Shipman</span><br/> | ||
|- | |- | ||
| Scope | | Scope | ||
| | | | ||
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. <span style="line-height: 1.6;">In particular, it:</span> | This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. <span style="line-height: 1.6;">In particular, it:</span> | ||
<ul style="line-height: 18. | <ul style="line-height: 18.9091px;"> | ||
<li>specifies steps in assessing processes to determine privacy capability;</li> | <li>specifies steps in assessing processes to determine privacy capability;</li> | ||
<li>specifies a set of levels for privacy capability assessment;</li> | <li>specifies a set of levels for privacy capability assessment;</li> | ||
Line 191: | Line 1,028: | ||
|- | |- | ||
| Documentation | | Documentation | ||
| | | [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html]<br/> | ||
|- | |- | ||
| Calendar | | Calendar | ||
| | | <br/> | ||
|- | |- | ||
| Comments | | Comments | ||
Line 200: | Line 1,037: | ||
|} | |} | ||
=== <span style="font-size:larger;">29191 Requirements for partially anonymous, partially unlinkable authentication</span> === | === <span style="font-size: larger;">29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication</span> === | ||
{| | {| cellpadding="1" cellspacing="1" border="1" style="width: 900px;" | ||
|- | |- | ||
| Editor | | Editor<br/> | ||
| Kazue Sako (NEC) | |||
|- | |- | ||
| Scope | | Scope | ||
Line 219: | Line 1,056: | ||
|- | |- | ||
| Documentation | | Documentation | ||
| <span style=" | | [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html] | ||
|- | |||
| Comments<br/> | |||
| | |||
*Published in December 2012 | |||
*Minor revision for FDIS in July 2024 | |||
|} | |||
=== <span style="font-size: larger;">31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| | |||
Project leader: Michelle Chibba | |||
|- | |||
| Scope | |||
| | |||
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection. | |||
In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes. | |||
The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services | |||
|- | |||
| Documentation | |||
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html] | |||
|- | |||
| Calendar | |||
| | |||
*Official start date: November 1 2018 | |||
*First meeting: November 1-2 2018, BSI London | |||
*Adhoc meeting, February 24-24, 2019, DIN Berlin | |||
*Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed | |||
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris | |||
*Third meeting: October 21-23 2019 AFNOR Paris | |||
*Fourth meeting: March 17-20 2020 Virtual | |||
*Fifth meeting: Sep 30-Oct 2 2020 Virtual | |||
*Sixth meeting: April 19-22 2021 Virtual | |||
*Seventh meeting September 13-17 2021 Virtual | |||
*Eight meeting May 16-19 2022 Virtual | |||
|- | |||
| Versions | |||
| | |||
*1st WD provided in March 2019 | |||
*2nd WD provided in July 2019 | |||
*3rd WD provided in Dec 2019 | |||
*4th WD provided in June 2020 | |||
*1st CD provided in March 2021 | |||
*2nd CD provided in May 2021 | |||
*DIS provided in January 2022 | |||
*FDIS provided in June 2022 | |||
*Publication in February 2023 | |||
|- | |- | ||
| Comments | | Comments | ||
| <br/> | | | ||
Note that this is an ISO standard managed by the [https://www.iso.org/committee/6935430.html PC 317 technical committee] that is chaired by Jan Schallaboek | |||
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases<br/></div> | |||
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127 | |||
|} | |||
=== <span style="font-size: larger;">31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| | |||
Project leader: Michelle Chibba | |||
Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco | |||
|- | |||
| Scope | |||
| | |||
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1. | |||
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services. | |||
|- | |||
| Documentation | |||
| See [https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html] | |||
|- | |||
| Calendar | |||
| | |||
*May 2019 : request for use cases | |||
*March 2020: creation of AhG on use cases | |||
*April 2021: continuation of AhG on use cases | |||
*September 2021: approval to create 31700-2Official start date: November 1 2018 | |||
*June 2022: Draft technical report | |||
*February 2023: Publication | |||
|- | |||
| Versions | |||
| | |||
*1st intenal draft provided in September 2021 | |||
*Draft TR provided in June 2022 | |||
|- | |||
| Comments | |||
| | |||
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases | |||
<div></div> | |||
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127 | |||
|} | |||
== <span style="font-size: larger;">Standards in development</span> == | |||
=== <span style="font-size: larger;">5181 IS Security and privacy - Data provenance</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Ryan Ko, Jan de Meer, Yi Zhang | |||
|- | |||
| Scope | |||
| | |||
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data. | |||
The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not. | |||
|- | |||
| Documentation | |||
|https://www.iso.org/standard/80971.html | |||
|- | |||
| Calendar | |||
|Started in February 2023 | |||
|- | |||
|- | |||
| Comments | |||
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance] | |||
*1st WD provided in March 2023 | |||
*2nd WD provided in August 2023 | |||
*3rd WD provided in December 2023 | |||
|} | |} | ||
=== <span style="font-size:larger;"> | === <span style="font-size: larger;">27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection</span> === | ||
{| | {| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| Editor | | Editor | ||
| | | Lenora Zimmerman, Antonio Kung, Byoung-Moon Chin | ||
|- | |- | ||
| Scope | | Scope | ||
| | | | ||
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks. | |||
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | https://www.iso.org/standard/56582.html | ||
|- | |- | ||
| Calendar | | Calendar | ||
| | |Project started in February 2023 | ||
|- | |||
|- | |- | ||
| Comments | | Comments | ||
| | | Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy] | ||
Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development) | |||
*1st WD provided in May 2023 | |||
*2nd WD provided in October 2023 | |||
*3rd WD to be provided in April 2024 | |||
|} | |||
=== <span style="font-size: larger;">27403 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| | |||
Qin QIu, Yanghuichen Lin, Luc Poulin | |||
|- | |||
| Scope | |||
| | |||
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
Started in Paris October 2018 with a preliminary version | |||
*1st WD provided in October 2019 | |||
*2nd WD provided in May 2020 | |||
*3rd WD provided in March 2021 | |||
*4th WD provided in April 2021 | |||
*5th WD provided in May 2021 | |||
*6th WD provided in July 2021 | |||
*1st CD provided in January 2022 | |||
*2nd CD provided in June 2022 | |||
*DIS provided in October 2022 | |||
*2nd DIS provided in April 2023 | |||
*FDIS provided in January 2024 | |||
|- | |||
| Comment | |||
| Is a WG4 project<br/> | |||
|} | |} | ||
== <span style="font-size:larger;"><span style=" | === <span style="font-size: larger;">27562 IS Privacy guidelines for Fintech services</span> === | ||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| Heung Youl Youm, Janssen Esguerra | |||
|- | |||
| Objective | |||
| | |||
This document provides guidelines on privacy for Fintech services. | |||
It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering, fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder. | |||
This document can be applicable to all kinds of organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment. | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/80395.html | |||
|- | |||
| Calendar | |||
| | |||
*1st WD provided in April 2021 | |||
*2nd WD provided in October 2021 | |||
*3rd WD provided in May 2022 | |||
*1st CD provided in November 2023 | |||
*2nd CD provided in May 2023 | |||
*DIS provided in November 2023 | |||
*FDIS to be provided in April 2024 | |||
|- | |||
| Comments | |||
| | |||
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services] | |||
|} | |||
</div> | |||
=== <span style="font-size: larger;">27565 IS Guidance on privacy preservation based on zero-knowledge proofs</span> === | |||
=== <span style="font-size:larger;"> | |||
{| | {| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;" | ||
|- | |- | ||
| | | Leaders | ||
| | | | ||
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla | |||
|- | |- | ||
| Objective | | Objective | ||
| <br/> | | | ||
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP<br/>functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely. | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/80398.html | |||
|- | |||
| Calendar | |||
| | |||
*Established in October 2021 | |||
*1st WD provided in June 2022 | |||
*2nd WD provided in November 2022 | |||
*3rd WD provided in May 2023 | |||
*1st CD provided in December 2023 | |||
*2nd CD to be provided in May 2024 | |||
|- | |||
| Comments | |||
| | |||
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs] | |||
|} | |||
<div class="_"></div> | |||
<span style="font-size: larger;"></span> | |||
=== <span style="font-size: larger;">27566-1 IS Age assurance - Part 1: Framework</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Tony Allen, Denis Pinkas, Mark Svancarek | |||
|- | |||
| Scope | |||
| | |||
This document establishes core principles, including privacy and security, for the purpose of enabling age-related eligibility decisions | |||
|- | |||
| Documentation | |||
| https://www.iso.org/standard/88143.html | |||
|- | |||
| Calendar | |||
| | |||
*Started in May 2023 | |||
*1st WD provided in December 2023 | |||
*2nd WD provided in March 2024 | |||
*1st CD to be provided in May 2024 | |||
|- | |||
| Comments | |||
| | |||
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] | |||
|} | |||
<div class="_"></div> | |||
<span style="font-size: larger;"></span> | |||
=== <span style="font-size: larger;">27566 IS Age assurance - Part 3: Benchmarks for benchmarking analysis</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Tony Allen, Denis Pinkas, Mark Svancarek | |||
|- | |||
| Scope | |||
| | |||
This document provides guidelines for interoperability, technical architecture and use of age assurance | |||
systems. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | https://www.iso.org/standard/88147.html | ||
|- | |||
| Calendar | |||
| | |||
*Started in October 2023 | |||
*1st WD provided in December 2023 | |||
*2ne WD to be provided in May 2024 | |||
|- | |- | ||
| Comments | | Comments | ||
| | | | ||
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] | |||
|} | |||
<div class="_"></div> | |||
<span style="font-size: larger;"></span> | |||
=== <span style="font-size: larger;">27706 IS Requirements for bodies providing audit and certification of privacy information management systems</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson | |||
|- | |||
| Scope | |||
| | |||
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. | |||
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. | |||
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st CD was provided in May 2022 | |||
*2nd CD was provided in November 2022 | |||
*DIS was provided in May 2023 | |||
*Further to October 2023 meeting, document is being restructured | |||
|- | |||
| Comments | |||
| | |||
Follow-up of ISO/IEC 27006-2 TS | |||
| <br/> | |||
|} | |} | ||
== | == Active Preliminary Work Items == | ||
{| | === <span style="font-size: medium;">PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining (Started in April 2021)</span> === | ||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |- | ||
| Leaders | | Leaders | ||
| | | | ||
Xiaoyuan Bai, Jin Peng | |||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
This document provides the followings: | |||
* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives. | |||
* a framework to mitigate the security challenges and concerns. | |||
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework. | |||
* mappings between security challenges and controls. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | | ||
|- | |||
| Calendar | |||
| | |||
* 1st PWI in June 2021 | |||
* 2nd PWI in September 2021 | |||
* 3rd PWI in January 2022 | |||
* 4th PWI in March 2022 | |||
* 5th PWI in June 2022 | |||
* Proposal for new project in February 2023 | |||
* Further to proposal PWI is restarted in April 2023 | |||
|- | |- | ||
| Comments | | Comments | ||
| | | | ||
Is a WG4 project | |||
|} | |||
</div> | </div> | ||
=== <span style="font-size:medium;">PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021)</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor<br/> | |||
| Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng | |||
|- | |||
| Scope | |||
| | |||
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures. | |||
This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems. | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*<span style="line-height: 20.8px;">1st PWI was provided in May 2022</span> | |||
|- | |||
| Comments | |||
| | |||
<span style="line-height: 20.8px;">Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:</span> | |||
*<span style="line-height: 20.8px;">1st WD was provided in January 2019</span> | |||
*<span style="line-height: 20.8px;">2nd WD was provided in April 2019</span> | |||
*<span style="line-height: 20.8px;">3rd WD was provided in October 2019</span> | |||
*<span style="line-height: 20.8px;">4th WD was provided in May 2020</span> | |||
*<span style="line-height: 20.8px;">5th WD was provided in November 2020</span> | |||
*<span style="line-height: 20.8px;">6th WG was provided in March 2021</span> | |||
*<span style="line-height: 20.8px;">Project was restarted as a PWI in April 2021 with a new scope</span> | |||
It seems that the project will focus on security only | |||
|} | |} | ||
=== <span style="font-size: | === <span style="font-size: medium;">PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023)</span> === | ||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Editor | |||
| Le Yu, Victoria Hailey, Jinghua Min | |||
|- | |||
| Scope | |||
| | |||
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data | |||
|- | |||
| Documentation | |||
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html]<br/> | |||
|- | |||
| Calendar | |||
| | |||
*1st WD was provided in October 2019 | |||
*2nd WD was provided in June 2020 | |||
*3rd WD was provided in November 2020 | |||
*4th WD was provided in April 2021 | |||
*5th WD was provided in April 2022 | |||
*1st CD was provided in October 2022 | |||
*Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI) | |||
|- | |||
| Comments | |||
| Is a WG4 project | |||
|} | |||
{| | === <span style="font-size: medium;">PWI 27564 Privacy models (Started in October 2021)</span> === | ||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |- | ||
| Leaders | | Leaders | ||
| | | | ||
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba | |||
|- | |- | ||
| Objective | | Objective | ||
| < | | | ||
Scope: PWI will study the value of specifying and maintaining privacy models | |||
Tasks: | |||
*Study use cases, e.g., connected vehicles, data spaces | |||
*Define models of interest, e.g., protection models, engineering models, ecosystem models. | |||
*Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7 | |||
*Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering | |||
*Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317… | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Calendar | |||
| | |||
|- | |||
| Comments | |||
| | |||
Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E] | |||
*A report was provided at the April 2023 meeting. | |||
*A 2nd report was provided at the October 2023 meeting | |||
*A proposal for a technical specification is underway | |||
|} | |||
</div> | |||
=== <span style="font-size: medium;">27566 IS Age assurance - Part 2: Interoperability, technical architecture and guidelines for use</span> === | |||
{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Tony Allen, Denis Pinkas, Mark Svancarek | |||
|- | |||
| Scope | |||
| | |||
This document provides guidelines for interoperability, technical architecture and use of age assurance | |||
systems. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | | ||
|- | |||
| Calendar | |||
| | |||
*Started in November 2023 | |||
*1st PWI text provided in December 2023 | |||
*2nd PWI text provided in March 2024 | |||
|- | |- | ||
| Comments | | Comments | ||
| | | | ||
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification] | |||
|} | |} | ||
<div class="_"></div> | |||
<span style="font-size: larger;"></span> | |||
=== <span style="font-size: medium;">PWI 27568 Security and privacy of digital twins (Started in October 2022)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |||
| Leaders | |||
| | |||
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich | |||
|- | |||
| Objective | |||
| | |||
The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins. | |||
A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting. | |||
|- | |||
| Documentation | |||
| | |||
|- | |||
| Calendar | |||
| | |||
A first report was provided at the April 2023 meeting. | |||
A second report was provided at the October 2023 meeting. | |||
|- | |||
| Comments | |||
| | |||
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins | |||
{| | |} | ||
</div> | |||
=== <span style="font-size: medium;">PWI 27573 Privacy protection of user avatar and system avatar interactions in the metaverse (Started in October 2024)</span> === | |||
<div> | |||
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;" | |||
|- | |- | ||
| Leaders | | Leaders | ||
| | | | ||
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung | |||
|- | |- | ||
| Objective | | Objective | ||
| | | | ||
The necessity for a section on considerations regarding personal information in Metaverse standards and Specifications is emphasized. This is due to the direct impact on personal information by PII (Personally Identifiable Information) or related data subject information identification mechanisms. | |||
MSPA (Meta Standard Privacy Assessment) is utilized as a methodology for evaluating the impact on personal information, reviewing the necessity of introducing privacy protection or controls by assessing privacy protection requirements and potential threats in standards or specifications. | |||
This process also aids in analyzing and documenting potential damages that may occur to individuals. | |||
This document contains a framework for protecting personal information during interactions between user avatars and system avatars in the Metaverse. It shall specify the requirements for: | |||
*categorizing and managing the information generated and used by user avatars and system avatars; | |||
*protecting the privacy of user avatars and personal data in the Metaverse. | |||
|- | |- | ||
| Documentation | | Documentation | ||
| | | | ||
|- | |||
| Calendar | |||
| | |||
Started in April 2024 | |||
|- | |- | ||
| Comments | | Comments | ||
| | | | ||
|} | |} | ||
</div> | |||
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Preliminary Work Items or Study Periods</span></span> == | |||
[[Completed study periods and pwis]] |
Latest revision as of 16:04, 11 May 2024
Introduction
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).
Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:
- http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en
- http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 (set of slides)
Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]
Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek
One project is carried out within ISO PC317. The convenor is Jan Schallaböck. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)
Some conventions on ISO standards
The important things to know concerning ISO standards steps:
Standard |
|
Technical report |
|
Technical specification |
|
Meetings
Progress is finalised in plenary meetings (taking place every 6 months).
Here is a list of meetings that took place or that will take place in SC27.
2014 |
|
2015 |
|
2016 |
|
2017 |
|
2018 |
|
2019 |
|
2020 |
|
2021 |
|
2022 |
|
2023 |
|
2024 |
|
ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.
2018 |
|
2019 |
|
2020 |
|
2021 |
|
2022 |
|
Privacy references lists
Scope |
The WG5 Standing Document 2 contains references with relevant descriptions to privacy-related:
The WG5 Standing Document 2 shall not be considered as:
|
Documentation | https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf |
Calendar |
This document is regularly updated |
Published standards
19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408
Editor |
Naruki Kai |
Scope |
This Technical Report provides guidance for:
|
Documentation | https://www.iso.org/standard/65459.html |
Calendar |
has been moved from TR to TS Published in October 2018 |
Comments |
20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy
Editor | Jinhua Min, Xuebin Zhou |
ScopeS | Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification |
Documentation |
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], [7] |
Calendar |
|
Comments |
WG9 is working on the following
Part 4 is transferred to SC27 for development, with close liaison with WG 9 [Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
Further to Berlin meeting, decision to change title (term fabric is removed) |
20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques
Editor |
Chris Mitchell and Lionel Vodzislawsky |
Scope | This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification |
Documentation |
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf |
Calendar |
|
Comments |
27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems
Editor | Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman |
Scope |
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes. |
Documentation | https://www.iso.org/standard/71676.html |
Calendar |
|
Comments |
27018:2014 - Revision underway - IS Code of practice for protection of PII in public clouds acting as PII processors
Editor |
Revision: Ramaswamy Chandramouli, Hendrik Decroos |
Scope |
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors. |
Documentation | |
Comments |
|
27400:2022 IS Security and Privacy for the Internet of Things
Editor |
Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages) |
Scope |
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT). |
Documentation | https://www.iso.org/standard/44373.html |
Calendar |
|
Comments |
Follow up of
Aprll 2020: Renamed from 27030 to 27400 |
27402:2023 IS IoT security and privacy - Device baseline requirements
Editor | Elaine Newton, Amit Elazari Bar On, Faud Khan |
Scope |
This document provides baseline ICT requirements for IoT devices to support security and privacy controls |
Documentation | https://www.iso.org/standard/80136.html |
Calendar |
|
Comments | Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements) |
27550:2019 TR Privacy engineering for system lifecycle processes
Editor |
Antonio Kung, Mathias Reinis |
Scope |
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations |
Documentation |
A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E |
Calendar |
|
Comments |
[Antonio Kung]
|
27551:2021 IS Requirements for attribute-based unlinkable entity authentication
Editor |
Nat Sakimura, Jaehoon Na, Pascal Pailler |
Scope |
This International Standard
This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication |
Documentation | https://www.iso.org/standard/44373.html |
Calendar |
|
Comments |
27555:2021 IS Guidelines on Personally Identifiable Information Deletion
Editor |
Dorotea Alessandra de Marco, Yan Sun, Volker Hammer |
Scope |
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:
This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:
|
Documentation | https://www.iso.org/fr/standard/71673.html |
Calendar |
|
Comments | It is based on a German standard |
27556:2022 IS User-centric privacy preferences management framework
Editor |
Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm |
Scope |
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences. |
Calendar |
|
Documentation | https://www.iso.org/standard/71674.html |
Comments | Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework" |
27557:2022 IS Organizational privacy risk management
Editor |
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes |
Scope |
Provides guidelines for organizational privacy risk management. Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program. Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019). |
Documentation | https://www.iso.org/standard/71674.html |
Calendar |
|
27559:2022 IS Privacy-enhancing data de-identification framework
Editor | Malcolm Townsend, Santa Borel |
Scope |
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes. |
Documentation | https://www.iso.org/standard/71677.html |
Calendar |
|
27560:2023 TS Privacy technologies – Consent record information structure
Editor | Jan LIndquist, Andrew Hughes, Kelvin Magtalas |
Scope |
This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the: — provision of a record of the consent to the PII Principal; — exchange of consent information between information systems; and, — management of the lifecycle of the recorded consent. |
Documentation | https://www.iso.org/standard/80392.html |
Calendar |
|
27561:2024 IS POMME Privacy operationalization model and method for engineering
Leaders | John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR , Michele Drgon; |
Objective |
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.
|
Documentation | https://www.iso.org/standard/80394.html |
Calendar |
|
Comments |
It the result of the study period privacy engineering model It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html |
27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices
Leaders | Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala |
Objective |
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases) |
Documentation | https://www.iso.org/standard/80396.html
ISO/IEC 24030 covers 132 use cases that are described here: https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf |
Calendar |
|
Comments |
It is the result of phase 1 of PWI 6089 Impact of AI on security and privacy |
27570:2021 TS Privacy Guidelines for Smart Cities
Editor | Antonio Kung, Heung Youl Youm, Clotilde Cochinaire |
Scope |
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments |
Documentation | https://www.iso.org/standard/71678.html |
Calendar |
|
Comments |
First ecosystem oriented standard for privacy Follow up of SP Privacy in Smart cities Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities) |
27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
Editor |
Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm |
Scope |
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document. |
Documentation | https://www.iso.org/standard/71670.html |
Calendar |
|
Comments |
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019 A second version is underway with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance |
29100:2011 IS Privacy framework
Editor |
Stefan Weiss Revision : Nat Sakimura, Jan Schallaboeck |
Scope | This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. |
Documentation | Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html |
Comments |
|
29101:2018 IS Privacy architecture framework
Editor |
Stefan Weiss and Dan Bogdanov, For revision: Nat Sakimura, Shinsaku Kiyomoto |
Scope |
This International Standard describes a privacy architecture framework that
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals. |
Documentation | https://www.iso.org/standard/75293.html |
Comments | Revision initiated in Berlin (November 2017) |
29134:2017 IS Guidelines for Privacy impact assessment
Editor | Mathias Reinis |
Scope |
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII). It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning. In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment. It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities. This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011. For principles and guidelines on risk management, reference is made to ISO 31000:2009. |
Documentation | https://www.iso.org/standard/62289.html |
Calendar | Published in June 2017 |
Comments |
29151:2017 - Revision underway - IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)
Editor | Heung Youl Youm, Alan Shipman Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park |
Scope |
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s). This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing. |
Documentation |
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf |
Calendar |
|
Comments | Also an ITU reference (ITU-T X.gpim) |
29184:2020 IS Online privacy notices and consent
Editor |
Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck |
Scope |
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal. This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context. |
Documentation | https://www.iso.org/standard/71678.html |
Calendar |
|
Comments |
initiated in Jaipur (Oct 2015) Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent |
29190:2015 IS Privacy capability assessment model
Editor | Alan Shipman |
Scope |
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
|
Documentation | https://www.iso.org/standard/45269.html |
Calendar | |
Comments |
29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication
Editor |
Kazue Sako (NEC) |
Scope |
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques. This document provides guidance to the use of group signatures for data minimization and user convenience. This guideline is applicable in use cases where authentication or authorization is needed. It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents. |
Documentation | https://www.iso.org/standard/45270.html |
Comments |
|
31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements
Editor |
Project leader: Michelle Chibba |
Scope |
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection. In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes. The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services |
Documentation | See https://www.iso.org/standard/76402.html |
Calendar |
|
Versions |
|
Comments |
Note that this is an ISO standard managed by the PC 317 technical committee that is chaired by Jan Schallaboek Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127 |
31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases
Editor |
Project leader: Michelle Chibba Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco |
Scope |
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services. |
Documentation | See https://www.iso.org/standard/76402.html |
Calendar |
|
Versions |
|
Comments |
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127 |
Standards in development
5181 IS Security and privacy - Data provenance
Editor | Ryan Ko, Jan de Meer, Yi Zhang |
Scope |
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data. The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not. |
Documentation | https://www.iso.org/standard/80971.html |
Calendar | Started in February 2023 |
Comments | Follow-up of PWI 5181 Data provenance
|
27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection
Editor | Lenora Zimmerman, Antonio Kung, Byoung-Moon Chin |
Scope |
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems. |
Documentation | https://www.iso.org/standard/56582.html |
Calendar | Project started in February 2023 |
Comments | Follow-up of PWI 6089 Impact of Artificial Intelligence on Security and Privacy
Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)
|
27403 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics
Editor |
Qin QIu, Yanghuichen Lin, Luc Poulin |
Scope |
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems |
Documentation | https://www.iso.org/standard/78702.html |
Calendar |
Started in Paris October 2018 with a preliminary version
|
Comment | Is a WG4 project |
27562 IS Privacy guidelines for Fintech services
Leaders | Heung Youl Youm, Janssen Esguerra |
Objective |
This document provides guidelines on privacy for Fintech services. It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering, fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder. This document can be applicable to all kinds of organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment. |
Documentation | https://www.iso.org/standard/80395.html |
Calendar |
|
Comments |
It the result of the study period privacy guidelines for Fintech services |
27565 IS Guidance on privacy preservation based on zero-knowledge proofs
Leaders |
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla |
Objective |
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP |
Documentation | https://www.iso.org/standard/80398.html |
Calendar |
|
Comments |
It the result of PWI 7758 Guidance on privacy preservation based on zero knowledge proofs |
27566-1 IS Age assurance - Part 1: Framework
Leaders |
Tony Allen, Denis Pinkas, Mark Svancarek |
Scope |
This document establishes core principles, including privacy and security, for the purpose of enabling age-related eligibility decisions |
Documentation | https://www.iso.org/standard/88143.html |
Calendar |
|
Comments |
It the result of PWI 7732 Age verification |
27566 IS Age assurance - Part 3: Benchmarks for benchmarking analysis
Leaders |
Tony Allen, Denis Pinkas, Mark Svancarek |
Scope |
This document provides guidelines for interoperability, technical architecture and use of age assurance systems. |
Documentation | https://www.iso.org/standard/88147.html |
Calendar |
|
Comments |
It the result of PWI 7732 Age verification |
27706 IS Requirements for bodies providing audit and certification of privacy information management systems
Editor | Kimberly Lucy, Fuki Azetsu, Gigi Robinson | |
Scope |
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes. | |
Documentation | https://www.iso.org/standard/82894.html | |
Calendar |
| |
Comments |
Follow-up of ISO/IEC 27006-2 TS |
Active Preliminary Work Items
PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining (Started in April 2021)
Leaders |
Xiaoyuan Bai, Jin Peng |
Objective |
This document provides the followings:
|
Documentation | |
Calendar |
|
Comments |
Is a WG4 project |
PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021)
Editor |
Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng |
Scope |
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures. This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems. |
Documentation | https://www.iso.org/standard/63929.html |
Calendar |
|
Comments |
Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:
It seems that the project will focus on security only |
PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023)
Editor | Le Yu, Victoria Hailey, Jinghua Min |
Scope |
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data |
Documentation | https://www.iso.org/standard/78572.html |
Calendar |
|
Comments | Is a WG4 project |
PWI 27564 Privacy models (Started in October 2021)
Leaders |
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba |
Objective |
Scope: PWI will study the value of specifying and maintaining privacy models Tasks:
|
Documentation |
|
Calendar |
|
Comments |
Initiated as a result of the H2020 project PDP4E
|
27566 IS Age assurance - Part 2: Interoperability, technical architecture and guidelines for use
Leaders |
Tony Allen, Denis Pinkas, Mark Svancarek |
Scope |
This document provides guidelines for interoperability, technical architecture and use of age assurance systems. |
Documentation | |
Calendar |
|
Comments |
It the result of PWI 7732 Age verification |
PWI 27568 Security and privacy of digital twins (Started in October 2022)
Leaders |
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich |
Objective |
The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins. A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting. |
Documentation |
|
Calendar |
A first report was provided at the April 2023 meeting. A second report was provided at the October 2023 meeting. |
Comments |
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins |
PWI 27573 Privacy protection of user avatar and system avatar interactions in the metaverse (Started in October 2024)
Leaders |
Hoon Jae Lee, Hee Bong Choi, Rusne Juozapaitiene, Dae-Ki Kang, Vishnu Kanhere, Antonio Kung |
Objective |
The necessity for a section on considerations regarding personal information in Metaverse standards and Specifications is emphasized. This is due to the direct impact on personal information by PII (Personally Identifiable Information) or related data subject information identification mechanisms. MSPA (Meta Standard Privacy Assessment) is utilized as a methodology for evaluating the impact on personal information, reviewing the necessity of introducing privacy protection or controls by assessing privacy protection requirements and potential threats in standards or specifications. This process also aids in analyzing and documenting potential damages that may occur to individuals. This document contains a framework for protecting personal information during interactions between user avatars and system avatars in the Metaverse. It shall specify the requirements for:
|
Documentation |
|
Calendar |
Started in April 2024 |
Comments |