ISO
Introduction
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in ISO/IEC JTC1/SC27
More info can be found on in the SC27 portal:
- http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en
- http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 (set of slides)
Note that the portal will in general contain more information that in this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.
Some conventions on ISO standards
The important things to know concerning ISO standards steps:
Standard |
|
Technical report |
|
Technical specification |
|
Progress is finalised in plenary meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.
2014 |
|
2015 |
|
2016 |
|
Standards and Projects
29100 IS Privacy framework
Editor |
Stefan Weiss |
Scope | This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems. |
Documentation | Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html |
Comments |
29101 IS Privacy architecture framework
Editor | Stefan Weiss and Dan Bogdanov |
Scope |
This International Standard describes a privacy architecture framework that
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals. |
Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available) |
Comments |
29134 Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines
Editor | Mathias Reinis |
Scope |
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII). It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning. In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment. It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities. This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011. For principles and guidelines on risk management, reference is made to ISO 31000:2009. |
Documentation | |
Calendar | Currently CD |
Comments |
29151 Code of Practice for PII Protection
Editor | Heung Youl Youm, Alan Shipman |
Scope |
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII). In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s). This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing. |
Documentation | March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf |
Calendar | Currently CD |
Comments | Also an ITU reference (ITU-T X.gpim) |
29190 Privacy capability assessment model
Editor | Alan Shipman |
Scope |
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:
|
Documentation | Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 |
Calendar | |
Comments |
29191 Requirements for partially anonymous, partially unlinkable authentication
Editor |
|
Scope |
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques. This document provides guidance to the use of group signatures for data minimization and user convenience. This guideline is applicable in use cases where authentication or authorization is needed. It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents. |
Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 (preview available) |
Comments |
27018 Code of practice for protection of PII in public clouds acting as PII processors
Editor |
|
Scope |
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors. |
Documentation | Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498 (preview available) |
Comments |
1st published in 2014 ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques |
20889 Privacy Enhancing De-identification Techniques
Editor |
Chris Mitchell and Lionel Vodzislawsky |
Scope | This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for minimizing the risk of re-identification |
Documentation | Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf |
Calendar | Working draft status |
Comments | Was proposed in the Kuching meeting (May 2015). |
NWIP Guidelines for online privacy notices and consent
Editor |
Nat Sakimura, Srinivas Poorsala |
Scope | Guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from a PII principals online |
Documentation | |
Calendar | |
Comments |
Initiated in Jaipur (Oct 2015) Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent |
Study Periods
Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made.
Privacy Engineering Framework
Leaders | Antonio Kung, Matthias Reinis |
Objective | Study the concept of privacy engineering and see whether new work items are needed |
Documentation | Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf |
Comments | Intended calendar
|
PII Protection Considerations for Smartphone App Providers
Leader | Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri |
Objective |
Study mobile application ecosystems from a privacy viewpoint Collect views of multiple stakeholders in the mobile applications space Collect mobile apps privacy guidelines issued by various agencies Collate a report on the findings Potentially provide a new work item proposal |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) |
Requirements for Privacy-Preserving Attribute-based Entity Authentication
Leader | Pascal Pailler, xxx, xxx |
Objective | |
Documentation | |
Comments |
Initiated in Jaipur (Oct 2015) Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: https://abc4trust.eu,, initiated in April 2014 in Hong Kong), with a different scope |
Privacy in Smart Cities
Leaders | Saritha Nilesh Auti, Sanjeev Chhabra, Satish Katepalli Ksreenivasaiah, Antonio Kung |
Objective |
Connect with multiple stakeholders in the smart city space Refer the existing work on smart cities Collate information, feedback, inputs from the stakeholders and draft the guidelines Potentially provide (a) new work item proposal(s) that can translate in guidelines |
Documentation | |
Comments |
Initiated in Jaipur (October 2015) Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) |