ISO

From IPEN Wiki
Revision as of 17:03, 18 June 2015 by Antoniok (talk | contribs)
Jump to navigation Jump to search

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in ISO/IEC JTC1/SC27

More info can be found on in the SC27 portal:

Note that the portal will in general contain more information that in this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report
  • PDTR: Proposed Draft Technical Report
  • DTR: Draft Technical Report
  • TR: Technical Report
Technical specification
  • PDTS: Proposed Draft Technical Specification
  • DTS: Draft Technical Specification
  • Technical Specification

Progress is finalised in plenary meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City
2015
  • May 4-12, 2015 Kuching
  • Oct 26-30, 2015 Jaipur, India
2016
  • May: Tampa

Standards and Projects

29100 IS Privacy framework

Editor Stefan Weiss
Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

29101 IS Privacy architecture framework

Editor Stefan Weiss
Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available)
Comments

29134 Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation
Calendar Currently CD - DIS 2015-11 / IS 2016-05
Comments

29151 Code of Practice for PII Protection

Editor Heung Youl Youm
Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation
Calendar Currently CD - DIS 2015-04 / IS 2016-04
Comments

29190 FDIS - Privacy capability assessment model

Editor: Alan Shipman. Project reference: 1.27.80

Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations

29191 IS Requirements for partially anonymous, partially unlinkable authentication

Editor: Project reference: 1.27.81

Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Calendar

The 1st edition was published on 2012-12-12.

The 1st pre-review within SC 27 in 2015.

The 1st JTC 1 systematic review in 201

NWIP on Privacy Enhancing De-identification Techniques

Study leader : Chris Mitchell (U.London Holloway)

Proposal from UK, widely agreed for a new work item proposal

Study Periods

Study periods are the instruments through which new items of standardisation will be introduced. They last 6 months (until next meeting). There can be several study periods, after which, a NWIP (New Work Item Proposal) is made leading to a standardisation work..

Privacy-respecting identity management scheme using attribute-based credentials (WG 5 and WG 2 Joint Study Period)

Study leader : Pascal Pailler (Crypto Experts), Dieter Sommer (IBM Zurich)

October 2014 Mexico meeting

  • Contributions were provided
    • Switzerland: full ABC
    • France: increase scope / include existing mechanisms
    • Mexico: interested by French approach
    • Conclusion was that maybe a new 6 month study period should be added
    • PRIPARE comment
      • Antonio: I suggested that a framework/requirement document be prepared (too many questions from audience) before going to a management scheme.
      • Antonio: I suggest to PRIPARE that we somehow contribute our work to this Study Period (deadline 19-Feb-2015)
      • Have a meeting with CryptoExperts
        • Trialog will participate to a French AFNOR meeting on December 12th on that topic
        • CryptoExperts is a partner of ABC4Trust providing the smart card expertise

    Privacy Engineering Framework (initiated by PRIPARE)

    Study leader : Antonio Kung (Trialog) and Matthias Reinis

    • Proposed in Kuching
    • Well supported (US - Germany - Canada - Korea)
    • Terms or reference was suggested by an US expert. Current 

    Intended calendar

    • Contributions by mid september 2015
    • Presentation in Jaipur October 2015
    • Contribution in 2016
    • Presentation in Tampa April 2016

    Assured and Anonymised Attribute Verification (AAAV) has been initiated

    Study leader : Patrick Curry, Eduard de Jong, Third person to name from Korea

    User Friendly online Privacy Notice and Consent

    Study leaders: Nat Sakimura, Jan Schallaböck, Srinivas Poosarla

    Other documents

    ddd


    </div></div>