Difference between revisions of "ISO"
| Line 991: | Line 991: | ||
| In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references: | In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references: | ||
| {| border="1" cellspacing="1" cellpadding="1" style="width: | {| border="1" cellspacing="1" cellpadding="1" style="width: 900px;" | ||
| |- | |- | ||
| |   | |   | ||
| [https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf] | IEEE Ethically Aligned AI | ||
| |  | |||
| <span style="font-size:xx-small;">[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]</span> | |||
| |- | |- | ||
| | Ethics guidelines for trustworthy AI<br/> | | Ethics guidelines for trustworthy AI<br/> | ||
| | [https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112]<br/> | | <span style="font-size:xx-small;">[https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112]</span><br/> | ||
| |- | |- | ||
| | Privacy Commissioners declaration <br/> | | Privacy Commissioners declaration <span style="font-size:xx-small;"><br/></span> | ||
| | [https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf]<br/> | | <span style="font-size:xx-small;">[https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf]</span><br/> | ||
| |- | |- | ||
| | AI as a Disruptive Opportunity and Challenge for Security<br/> | | AI as a Disruptive Opportunity and Challenge for Security<br/> | ||
| | [https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf]<br/> | | <span style="font-size:xx-small;">[https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf]</span><br/> | ||
| |- | |- | ||
| | The impact of AI on life cycle processes<br/> | | The impact of AI on life cycle processes<br/> | ||
| | [https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf]<br/> | | <span style="font-size:xx-small;">[https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf]</span><br/> | ||
| |- | |- | ||
| | Asilomar principles | | Asilomar principles | ||
| | [https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles]<br/> | | <span style="font-size:xx-small;">[https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles]</span><br/> | ||
| |- | |- | ||
| | Malicious AI report | | Malicious AI report | ||
| | https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf <br/> | | <span style="font-size:xx-small;">[https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf  https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp];</span><br/> | ||
| |- | |- | ||
| | Privacy and Freedom of Expression In the Age of Artificial Intelligence <br/> | | Privacy and Freedom of Expression In the Age of Artificial Intelligence <span style="font-size:xx-small;"><br/></span> | ||
| | https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence<br/> | | <span style="font-size:xx-small;">[https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence]</span><br/> | ||
| |- | |- | ||
| | UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?<br/> | | UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?<br/> | ||
| |   | |   | ||
| https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf | <span style="font-size:xx-small;">[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]</span> | ||
| |- | |- | ||
| | Australian Human Rights Commission report on Human Rights and Technology<br/> | | Australian Human Rights Commission report on Human Rights and Technology<br/> | ||
| | [https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf]<br/> | | <span style="font-size:xx-small;">[https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf]</span><br/> | ||
| |} | |} | ||
Revision as of 17:28, 5 April 2019
Introduction
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO
Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:
- http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en
- http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 (set of slides)
Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]
Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek
One project is carried out within ISO PC317. The convenor is Jan Schallaböck. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)
Some conventions on ISO standards
The important things to know concerning ISO standards steps:
| Standard | 
 | 
| Technical report | 
 | 
| Technical specification | 
 | 
Meetings
Progress is finalised in plenary meetings (taking place every 6 months).
Here is a list of meetings that took place or that will take place in SC27.
| 2014 | 
 | 
| 2015 | 
 | 
| 2016 | 
 | 
| 2017 | 
 | 
| 2018 | 
 | 
| 2019 | 
 | 
| 2020 | 
 | 
ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.
| 2018 | 
 | 
| 2019 | 
 | 
Standards and Projects
19608 TS Guidance for developing security and privacy functional requirements based on 15408
| Editor | Naruki Kai | 
| Scope | This Technical Report provides guidance for: 
 | 
| Documentation | |
| Calendar | has been moved from TR to TS | 
| Comments | 
20547 IS Big data reference architecture - Part 4 - Security and privacy
| Editor | Jinhua Min, Xuebin Zhou | 
| ScopeS | Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification | 
| Documentation | Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], [7] | 
| Calendar | 1st WD provided in June 2016 2nd WD provided in May 2017 3rd WD provided in November 2017 4th WD provided in April 2018 1st CD provided in November 2018 Further to Tel-Aviv (April 2019), a 2nd CD will be provided | 
| Comments | WG9 is working on the following 
 Part 4 is transferred to SC27 for development, with close liaison with WG 9 [Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore 
 Further to Berlin meetin, decision to change title (term fabric is removed) | 
20889 IS Privacy enhancing de-identification techniques
| Editor | Chris Mitchell and Lionel Vodzislawsky | 
| Scope | This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification | 
| Documentation | Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf | 
| Calendar | 1st WD December 2015 2nd WD June 2016 1st CD Devember 2016 2nd CD May 2017 1st DIS January 2018 FDIS August 2018 Published in November 2018 | 
| Comments | 
27018 IS Code of practice for protection of PII in public clouds acting as PII processors
| Editor | |
| Scope | This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors. | 
| Documentation | Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498  (preview available) | 
| Comments | 1st published in 2014 ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques | 
27030 IS Security and Privacy for the Internet of Things
| Editor | Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin | 
| Scope | This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT). | 
| Documentation | |
| Calendar | Started in Wuhan April 2018 1st WD provided in June 2018 2nd WD provided in November 2018 Further to Tel Aviv (April 2019) a 3rd further draft will be provided | 
| Comments | Follow up of 
 | 
27045 IS Big Data Security and Privacy - Processes
| Editor | Xiaoyuan Bai - Alastair Walker - Hongru Zhu | 
| Scope | This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes. The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks | 
| Documentation | |
| Calendar | 1st WD was provided in January 2019 Further to Tel Aviv (April 2019) a 2nd WD will be provided | 
| Comments | Is a WG4 project | 
27550 TR Privacy engineering for system lifecycle processes
| Editor | Antonio Kung, Mathias Reinis | 
| Scope | This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices: 
 The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations | 
| Documentation | A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E | 
| Calendar | 1st WD provided in January 2017 2nd WD provided in June 2017 1st PDTR provided in January 2018 2nd PDTR provided in June 2018 3rd PDTR provided in October 2018 Further to Tel Aviv (April 2019) will go for publication | 
| Comments | [Antonio Kung] 
 | 
27551 IS Requirements for attribute-based unlinkable entity authentication
| Editor | Nat Sakimura, Jaehoon Na, Pascal Pailler | 
| Scope | This International Standard 
 
 This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication | 
| Documentation | |
| Calendar | 1st WD provided in April 2017 2nd WD provided in Dec 2017 3rd WD provided in July 2018 4th WD provided in February 2019 Further to the Tel Aviv meeting, 27551 will move to first CD | 
| Comments | 
27552 IS Extension to ISO/IEC 27001 privacy management - Requirements
| Editor | Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm | 
| Scope | This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document. | 
| Documentation | |
| Calendar | 1st WD provided in April 2017 2nd WD provided in June 2017 1st CD provided in April 2018 2nd CD provided in June 2018 DIS provided in March 2019 Further to Tel Aviv (April 2019) will move to publication | 
| Comments | 
 | 
27555 IS Establishing a PII delection concept in organisations
| Editor | Dorotea Alessandra de Marco, Yan Sun | 
| Scope | This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying: 
 This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address: 
 | 
| Documentation | |
| Calendar | 1st WD provided in March 2019 Further to Tel Aviv (April 2019) will go for 2nd WD | 
| Comments | It is based on a German standard | 
27556 IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences
| Editor | Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm | 
| Scope | This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which 
 | 
| Calendar | Established in Gjovik (October 2018) Further to Tel Aviv (April 2019), a first WD will be provided | 
| Documentation | |
| Comments | 
27570 TS Privacy Guidelines for Smart Cities
| Editor | Proposed editor: Antonio Kung, Heung Youl Youm | 
| Scope | The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments | 
| Documentation | |
| Calendar | 1st WD was provided in June 2018 further the Wuhan meeting. 2nd WD was provided in October 2018 further to the Gjovik meeting. Further to the Tel Aviv meeting (April 2019), a PDTS will be provided | 
| Comments | Follow up of SP Privacy in Smart cities Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities) | 
29100 IS Privacy framework
| Editor | Stefan Weiss Revision : Nat Sakimura | 
| Scope | This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. | 
| Documentation | Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html | 
| Comments | In the Tampa meeting, a recommendation was made to go for a review (see below study period) A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work The amended version will be available further to the Berlin meeting | 
29101 IS Privacy architecture framework
| Editor | Stefan Weiss and Dan Bogdanov, For revision: Nat Sakimura, Shinsaku Kiyomote | 
| Scope | This International Standard describes a privacy architecture framework that 
 This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals. | 
| Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available) | 
| Comments | Revision initiated in Berlin (November 2017) | 
29134 IS Guidelines for Privacy impact assessment
| Editor | Mathias Reinis | 
| Scope | This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII). It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning. In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment. It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities. This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011. For principles and guidelines on risk management, reference is made to ISO 31000:2009. | 
| Documentation | |
| Calendar | Published in June 2017 | 
| Comments | 
29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)
| Editor | Heung Youl Youm, Alan Shipman | 
| Scope | This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s). This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing. | 
| Documentation | March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf | 
| Calendar | Published in August 2017 | 
| Comments | Also an ITU reference (ITU-T X.gpim) | 
29184 IS Online privacy notices and consent
| Editor | Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck | 
| Scope | This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal. This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context. | 
| Documentation | |
| Calendar | 1st WD provided in June 2016 2nd WD provided in April 2017 3rd WD provided in June 2017 1nd CD provided in December 2017 2nd CD provided in July 2018 3rd CD provided in January 2019 Further to Tel Aviv (April 2019) will go for DIS | 
| Comments | initiated in Jaipur (Oct 2015) Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent | 
29190 IS Privacy capability assessment model
| Editor | Alan Shipman | 
| Scope | This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it: 
 | 
| Documentation | Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 | 
| Calendar | |
| Comments | 
29191 IS Requirements for partially anonymous, partially unlinkable authentication
| Editor | Kazue Sako (NEC) | 
| Scope | This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques. This document provides guidance to the use of group signatures for data minimization and user convenience. This guideline is applicable in use cases where authentication or authorization is needed. It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents. | 
| Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 (preview available) | 
| Comments | Published in December 2012 Under pre-review | 
31700 IS Consumer Protection - Privacy-by-design fo consumer goods and services
| Editor | Project leader: Michelle Chibba | 
| Scope | Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection. In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes. The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services | 
| Documentation | See https://www.iso.org/standard/76402.html | 
| Calendar | 
 | 
| Comments | Note that this an ISO standards This standard is managed by the PC 317 technical committee that will be chaired by Jan Schallaboek | 
NWIP IS Big data security and privacy - Implementation guidelines
| Editor | Le Yu | 
| Scope | This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data | 
| Documentation | |
| Calendar | |
| Comments | 
NWIP Security techniques - Guidelines for IoT domotics security and privacy
| Editor | Qin QIu, Mahmoud Ghaddar | 
| Scope | This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems | 
| Documentation | |
| Calendar | 
On-going study periods
Privacy consideration in practical workflows (Started in April 2018)
| Leaders | Mickey Cohen | 
| Objective | The scope of this study period is to collect contributions: (1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole (2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy | 
| Documentation | 
 | 
| Comments | 
 | 
Additional Privacy-Enhancing Data De-identification standards (Started in April 2018)
| Leaders | Malcom Townsend, Heung Youl Youm | 
| Scope | This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on. | 
| Documentation | |
| Comments | 
 | 
Use case for identity assurance (Started in October 2018)
| Leaders | Andrew Hughes, Tony Nadalin, Patrick Curry 
 | 
| Objective | To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance. These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115 | 
| Documentation | |
| Comments | 
 | 
Identity Standards Landscape Document Update (Started in October 2018)
| Leaders | Andrew Hughes, Christophe Stenuit, Kai Rannenberg 
 | 
| Objective | Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document | 
| Documentation | |
| Comments | 
 | 
Impact of Artificial Intelligence on Privacy (Started in October 2018)
| Leaders | Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei | 
| Objective | Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period 
 | 
| Documentation | In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references: | 
| Comments | Expected to have a strong collaboration with JTC1/SC42 Artitificial Intelligence An intermediate report was provided in Tel-Aviv. | 
Consent recepts and records (Started in April 2019)
| Leaders | Collin Wallis, Andrew Hughes | 
| Objective | The scope of this study period is to assess the need for a Consent Recept and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing | 
| Documentation | 
 | 
| Comments | 
 | 
Privacy engineering model (Started in April 2019)
| Leaders | John Sabo, Antonio Kung, Srinivas Poorsala | 
| Objective | Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems | 
| Documentation | 
 | 
| Comments | 
 | 
Review of requirements for accredited certification for sector specific ISMS standards (tarted in April 2019)
| Leaders | Hans Hedbom, Alan Shipman | 
| Objective | The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon. | 
| Comments | 
 | 
Completed Study Periods
The following study periods have been completed.
Privacy engineering framework (Started in April 2015. Completed in April 2016)
| Leaders | Antonio Kung, Matthias Reinis | 
| Objective | Study the concept of privacy engineering and see whether new work items are needed | 
| Documentation | Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf | 
| Timeline | 
 | 
Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)
| Leader | Pascal Pailler, Nat Sakimura, Jaz Hoon Nah | 
| Objective | |
| Documentation | |
| Comments | 
 | 
Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)
| Leaders | Nat Sakimura, Mathias Reinis, Elaine Newton | 
| Objective | Collecting errors and correcting inconsistencies | 
| Documentation | |
| Comments | 
 | 
Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)
| Leaders | Heung Youl Youm, Srinivas Poorsala, Antonio Kung | 
| Objective | 
 | 
| Documentation | |
| Comments | Initiated in Tampa (April 2016) Initial contribution in Abu Dhabi (October 2016) Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things. Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users" | 
Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)
| Start/Duration | April 2017/6 months) | 
| Leaders | Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala | 
| Objective | prepare the materials necessary to initiate an International Standard coming out of the SC 27 meeting in Berlin (Oct-2017) | 
| Documentation | |
| Comments | Is an SC27/WG4 study periods involving WG4 and WG5. Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things). Kickoff expected in Wuhan in WG4 | 
PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)
| Leader | Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri | 
| Objective | Study mobile application ecosystems from a privacy viewpoint Collect views of multiple stakeholders in the mobile applications space Collect mobile apps privacy guidelines issued by various agencies Collate a report on the findings Potentially provide a new work item proposal | 
| Documentation | |
| Comments | Initiated in Jaipur (October 2015) | 
Privacy in smart cities (Started in October 2015. Completed in November 2017)
| Leaders | Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari | 
| Objective | Connect with multiple stakeholders in the smart city space Refer the existing work on smart cities Collate information, feedback, inputs from the stakeholders and draft the guidelines Potentially provide (a) new work item proposal(s) that can translate in guidelines | 
| Documentation | |
| Comments | Initiated in Jaipur (October 2015) Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) Presentation in Tampa (April 2016) of intermediate state 
 Presentation in Abu Dhabi (October 2016) of intermediate state 
 Presentation in Hamilton (April 2017) of intermediate state 
 Proposal for new work item in Berlin (Nov 2017) | 
Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)
| Leaders | Mathias Reinis, Heung Youl Youm | 
| Objective | Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME | 
| Documentation | |
| Comments | Terminated due to lack of contributions | 
Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Concluded in April 2018)
| Leaders | David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm | 
| Objective | |
| Documentation | |
| Comments | Has resulted in a NWIP | 
| Leaders | Christophe Stenuit, Joanne Knight | 
| Objective | Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks | 
| Documentation | |
| Comments | New work item proposal | 
Concept of PII Deletion (Started in November 2017. Concluded in April 2018)
| Leaders | Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman | 
| Objective | Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information" | 
| Documentation | |
| Comments | 
 | 
Development of Identify standards landscape standing document (Started in April 2018, Completed in October 2018)
| Leaders | Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm, | 
| Objective | Create an initial draft of a new SD that would provide: 
 | 
| Documentation | |
| Comments | 
 | 
Identify assurance framework (Started in April 2017. Completed in October 2018)
| Leaders | Patrick Curry, Anthony Nadalin | 
| Objective | analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework. | 
| Documentation | |
| Comments | 
 | 
Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)
| Start/duration | April 2017 / 18 months | 
| Leaders | Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm | 
| Objective | define frameworks of user-centric PII handling based on privacy preferences of users | 
| Documentation | |
| Comments | Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment In Berlin (November 2017), it was decided to consider 3 options 
 In Wuhan (May 2018), it was decided to prepare a NWIP In Gjovik (October 2018), the NWIP was finalised | 

