Difference between revisions of "ISO"
Line 1: | Line 1: | ||
[[File:ISO red.jpg|200px]][[File:IEC logo.png|200px]] | [[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]] | ||
== <span style="font-size:larger">Introduction</span> == | == <span style="font-size:larger">Introduction</span> == | ||
Line 176: | Line 176: | ||
|} | |} | ||
=== <span style="font-size: larger;">20889 IS Privacy enhancing de-identification | === <span style="font-size: larger;">20889 IS Privacy enhancing de-identification techniques</span> === | ||
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" | {| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1" |
Revision as of 10:25, 15 June 2018
Introduction
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO
- within ISO/IEC JTC1/SC27
- More info can be found on in the SC27 portal:
Note that the portal will in general contain more information that in this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck. WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]
Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek
- wihtin ISO/PC 317 Consumer protection: privacy by design for consumer goods and services
Some conventions on ISO standards
The important things to know concerning ISO standards steps:
Standard |
|
Technical report |
|
Technical specification |
|
Progress is finalised in plenary meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.
2014 |
|
2015 |
|
2016 |
|
2017 |
|
2018 |
|
2019 |
|
Standards and Projects
19608 TS Guidance for developing security and privacy functional requirements based on 15408
Editor |
Naruki Kai |
Scope |
This Technical Report provides guidance for:
|
Documentation | |
Calendar | has been moved from TR to TS |
Comments |
20547 IS Big data reference architecture - Part 4 - Security and privacy
Editor | Jinhua Min, Xuebin Zhou |
ScopeS | Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification |
Documentation |
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], [7] |
Calendar |
1st WD provided in June 2016 2nd WD provided in May 2017 3rd WD provided in November 2017 4th WD to be provided |
Comments |
WG9 is working on the following
Part 4 is transferred to SC27 for development, with close liaison with WG 9 [Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
Further to Berlin meeting, decision to change title (term fabric is removed) |
20889 IS Privacy enhancing de-identification techniques
Editor |
Chris Mitchell and Lionel Vodzislawsky |
Scope | This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification |
Documentation | Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf |
Calendar |
1st WD December 2015 2nd WD June 2016 1st CD Devember 2016 2nd CD May 2017 1st DIS January 2018 Further to Wuhan, will go for FDIS |
Comments |
27018 IS Code of practice for protection of PII in public clouds acting as PII processors
Editor |
|
Scope |
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors. |
Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498 (preview available) |
Comments |
1st published in 2014 ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques |
27030 Security and Privacy for the Internet of Things
Editor |
Faud Khan, Koji Nakao, Antonio Kung, Luc Poulain |
Scope |
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT). |
Documentation | |
Calendar |
Started in Wuhan April 2018 First draft planned in July 2018 |
Comments |
Follow up of
|
27550 TR Privacy engineering
Editor |
Antonio Kung, Mathias Reinis |
Scope |
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations |
Documentation | |
Calendar |
1st WD provided in January 2017 2nd WD provided in June 2017 1st PDTR provided in January 2018 2nd PDTR to be provided in June 2018 |
Comments |
[Antonio Kung]
|
27551 IS Requirements for attribute-based unlinkable entity authentication
Editor |
Nat Sakimura, Jaehoon Na, Pascal Pailler |
Scope |
This International Standard
This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication |
Documentation | |
Calendar |
1st WD provided in April 2017 2nd WD provided in Dec 2017 |
Comments |
27552 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management - Requirements and guidelines
Editor |
Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm |
Scope |
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document. |
Documentation | |
Calendar |
1st WD provided in April 2017 2nd WD provided in June 2017 1st CD provided in April 2018 2nd CD to be discussed in October 2018 |
Comments |
|
27570 TS Privacy Guidelines for Smart Cities
Editor |
Proposed editor: Antonio Kung, Heung Youl Youm |
Scope |
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments |
Documentation | |
Calendar | A first preliminary draft will be provider in early June 2018 |
Comments |
Follow up of SP Privacy in Smart cities Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities) |
29100 IS Privacy framework
Editor |
Stefan Weiss Revision : Nat Sakimura |
Scope | This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. |
Documentation | Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html |
Comments |
In the Tampa meeting, a recommendation was made to go for a review (see below study period) A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work The amended version will be available further to the Berlin meeting |
29101 IS Privacy architecture framework
Editor |
Stefan Weiss and Dan Bogdanov, For revision: Nat Sakimura, Shinsaku Kiyomote |
Scope |
This International Standard describes a privacy architecture framework that
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals. |
Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available) |
Comments | Revision initiated in Berlin (November 2017) |
29134 IS Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines
Editor | Mathias Reinis |
Scope |
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII). It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning. In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment. It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities. This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011. For principles and guidelines on risk management, reference is made to ISO 31000:2009. |
Documentation | |
Calendar | Published in June 2017 |
Comments |
29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)
Editor | Heung Youl Youm, Alan Shipman |
Scope |
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s). This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing. |
Documentation | March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf |
Calendar | Published in August 2017 |
Comments | Also an ITU reference (ITU-T X.gpim) |