Difference between revisions of "ISO"

From IPEN Wiki
Jump to navigation Jump to search
(44 intermediate revisions by the same user not shown)
Line 51: Line 51:
<li>NP: New Work Item</li>
<li>NP: New Work Item</li>
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li>
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li>
<li>DTS: Draft Technical Specification</li>
<li>Technical Specification</li>
<li>Technical Specification</li>
</ul>
</ul>
Line 126: Line 125:
|}
|}


== <span style="font-size:larger">Standards and Projects</span> ==
== <span style="font-size:larger">Published standards</span> ==


=== <span style="font-size: larger;">19608 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
=== <span style="font-size: larger;">19608 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
Line 158: Line 157:
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">20547 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
=== <span style="font-size: larger;">20889 IS </span><span style="font-size: larger;">Privacy enhancing de-identification terminology and classification of techniques</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Editor<br/>
| Jinhua Min, Xuebin Zhou<br/>
| Chris Mitchell and&nbsp;Lionel Vodzislawsky<br/>
|-
|-
| ScopeS
| Scope
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/>
|-
|-
| Documentation
| Documentation
|  
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
 
|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in June 2016
1st WD December 2015
 
2nd WD June 2016


2nd WD provided in May 2017
1st CD Devember 2016


3rd WD provided in November 2017
2nd CD May 2017


4th WD provided in April 2018
1st DIS January 2018


1st CD provided in November 2018
FDIS August 2018


Further to Tel-Aviv (April 2019), a 2nd CD will be provided
Published in November 2018


|-
|-
| Comments&nbsp;
| Comments
|  
| <br/><br/>
WG9 is working on the following
 
*20546&nbsp;: big data overview and vocabulary
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)
 
Part 4 is transferred to SC27 for development, with close liaison with WG 9
 
[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
 
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)
 
Further to Berlin meetin, decision to change title (term fabric is removed)
 
|}
|}


=== <span style="font-size: larger;">20889 IS </span><span style="font-size: larger;">Privacy enhancing de-identification terminology and classification of techniques</span> ===
=== <span style="font-size:larger;">27018 IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
| Chris Mitchell and&nbsp;Lionel Vodzislawsky<br/>
| <br/>
|-
|-
| Scope
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/>
|  
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
 
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.
 
|-
|-
| Documentation
| Documentation
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
|-
|-
| Calendar
| Comments
|  
|  
1st WD December 2015
1st published in 2014


2nd WD June 2016
ISO/IEC JTC&nbsp;1,&nbsp;''Information technology'', Subcommittee SC&nbsp;27,&nbsp;''IT Security techniques''
<div><br/></div>
|}


1st CD Devember 2016
=== <span style="font-size: larger;">27550&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> ===


2nd CD May 2017
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:


1st DIS January 2018
*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
 
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;
FDIS August 2018


Published in November 2018
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations
 
|-
| Comments
| <br/><br/>
|}
 
=== <span style="font-size: larger;">23491&nbsp;IS Security techniques - Guidelines for IoT domotics security and privacy</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Mahmoud Ghaddar
 
|-
| Scope
|
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems


|-
|-
| Documentation
| Documentation
| <br/>
| A youtube presentation on privacy engineering:&nbsp;[https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]
|-
|-
| Calendar
| Calendar
|  
|  
|}
1st WD provided in January 2017


=== 27018 IS Code of practice for protection of PII in public clouds acting as PII processors ===
2nd WD provided in June 2017


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
1st PDTR provided in January 2018
|-
| Editor<br/>
| <br/>
|-
| Scope
|
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.


It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.
2nd PDTR provided in June 2018


|-
3rd PDTR provided in October 2018
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
|-
| Comments
|
1st published in 2014
 
ISO/IEC JTC&nbsp;1,&nbsp;''Information technology'', Subcommittee SC&nbsp;27,&nbsp;''IT Security techniques''
<div><br/></div>
|}


Version for publication provided in April 2019


Publication in September 2019


=== <span style="font-size:larger;">27030 IS Security and Privacy for the Internet of Things</span> ===
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Comments<br/>
| Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
|-
| Scope
|  
|  
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
[Antonio Kung]
 
*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies
 
|}


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Documentation
| <br/>
|-
| Calendar
|  
|  
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
|}


<span style="line-height: 20.8px;">1st WD provided in June 2018</span>
=== <span style="font-size: 18.252px; line-height: 21.9024px;">27701&nbsp;IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> ===
 
<span style="line-height: 20.8px;">2nd WD provided in November 2018</span>
 
<span style="line-height: 20.8px;">Further to Tel Aviv (April 2019) a 3rd further draft will be provided</span>


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Comments
| Editor<br/>
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
|-
| Scope
|  
|  
<span style="line-height: 20.8px;">Follow up of</span>
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.


*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>


|}
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.


=== <span style="font-size: larger;">27045 IS Big Data Security and Privacy - Processes</span> ===
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor<br/>
| Xiaoyuan Bai - Alastair Walker -&nbsp;Hongru Zhu
|-
| Scope
|
This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.
 
The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks


|-
|-
Line 348: Line 290:
| Calendar
| Calendar
|  
|  
<span style="line-height: 20.8px;">1st WD was provided in January 2019</span>
1st WD provided in April 2017


<span style="line-height: 20.8px;">Further to Tel Aviv (April 2019) a 2nd WD will be provided</span>
2nd WD provided in June 2017
 
1st CD provided in April 2018
 
2nd CD provided in June 2018
 
DIS provided in March 2019
 
Publication in August 2019


|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">Is a WG4 project</span>
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019


|}
|}


=== <span style="font-size: larger;">27550&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> ===
=== <span style="font-size: larger;">29100 IS Privacy framework</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
|-
| Scope
|  
|  
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>


*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;
 
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations


|-
| Scope
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
|-
|-
| Documentation
| Documentation
| A youtube presentation on privacy engineering:&nbsp;[https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
|-
|-
| Calendar
| Comments
|  
|  
1st WD provided in January 2017
In the Tampa meeting, a recommendation was made to go for a review (see below study period)


2nd WD provided in June 2017
A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work


1st PDTR provided in January 2018
The amended version will be available further to the Berlin meeting


2nd PDTR provided in June 2018
|}


3rd PDTR provided in October 2018
=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===


Version for publication provided in April 2019
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor
|
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>


Publication in September 2019
<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomote</span>


|-
|-
| Comments<br/>
| Scope
|  
|  
[Antonio Kung]
This International Standard describes a privacy architecture framework that
 
<ol style="line-height: 18.9090900421143px;">
*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
<li>describes concerns for ICT systems that process PII;</li>
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>
 
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.


|-
| Documentation
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
|-
| Comments
| Revision initiated in Berlin (November 2017)
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">27551 IS Requirements for attribute-based unlinkable entity authentication</span> ===
=== <span style="font-size:larger">29134 IS Guidelines for Privacy impact assessment</span> ===


{| style="width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This International Standard
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).


&nbsp;
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.


*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
*Specifies requirements for attribute-based unlinkable entity authentication implementations.


&nbsp; This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
 
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.
 
For principles and guidelines on risk management, reference is made to ISO 31000:2009.


|-
|-
Line 427: Line 391:
| <br/>
| <br/>
|-
|-
| Calendar<br/>
| Calendar
|
| <span style="line-height: 1.6">Published in June 2017</span><br/>
1st WD provided in April 2017
 
2nd WD provided in Dec 2017
 
3rd WD provided in July 2018
 
4th WD provided in February 2019
 
1st CD provided in October 2019
 
Further to the Paris meeting (October 2019), 27551 will move to DIS
 
|-
|-
| Comments<br/>
| Comments
| <br/>
| <br/>
|}
|}
<div></div>
=== <span style="font-size:larger">29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===


=== <span style="font-size:larger;">27555 IS Guidelines on Personally Identifiable Information Deletion</span> ===
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
|  
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
Dorotea Alessandra de Marco, Yan Sun,&nbsp;Volker Hammer
 
|-
|-
| Scope
| Scope
|  
|  
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).


*a harmonised terminology for PII deletion,
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.


This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.
 
*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.


|-
|-
| Documentation
| Documentation
| <br/>
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
|-
|-
| Calendar
| Calendar
|  
| Published in August 2017
1st WD provided in March 2019
|-
 
2nd WD provided in June 2019
 
Further to Paris meeting (October 2019), it will go for 1st CD. Title changed (former title: establishing a PII deletion concept in organisations)
 
|-
| Comments
| Comments
| It is based on a German standard
| Also an ITU reference (ITU-T X.gpim)
|}
|}


=== <span style="font-size: larger;">27556&nbsp;IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences</span> ===
=== <span style="font-size:larger;">29190 IS Privacy capability assessment model</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
| <span style="line-height: 20.8px;">Alan Shipman</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6;">In particular, it:</span>
 
<ul style="line-height: 18.9091px;">
*defines the actors and roles in the PII handling,
<li>specifies steps in assessing processes to determine privacy capability;</li>
*describes components, their relationships and procedures,
<li>specifies a set of levels for privacy capability assessment;</li>
*describes role and properties of a privacy preference management within a privacy information management system, and
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
*provides requirements for privacy preference administration and PII handing based on privacy preference management.
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>


|-
| Documentation
| Must be purchased.&nbsp;[http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]
|-
|-
| Calendar
| Calendar
|  
| <br/>
Established in Gjovik (October 2018)
 
1st WD provided In June 2019
 
Further to Paris (October 2019), a second WD will be provided
 
|-
|-
| Documentation
| Comments
| <br/>
| <br/>
|-
| Comments<br/>
|}
|}


=== <span style="font-size: larger; line-height: 21.9024px;">27570&nbsp;TS&nbsp;Privacy Guidelines for Smart Cities</span> ===
=== <span style="font-size: larger;">29191 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor
| Editor<br/>
| Antonio Kung, Heung Youl Youm
| Kazue Sako (NEC)
|-
|-
| Scope
| Scope
|  
|  
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.


&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments
This document provides guidance to the use of group signatures for data minimization and user convenience.
 
This guideline is applicable in use cases where authentication or authorization is needed.
 
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.


|-
|-
| Documentation
| Documentation
| <br/>
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)
|-
|-
| Calendar
| Comments<br/>
|  
|  
<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span>
Published in December 2012


<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span>
Under pre-review


<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span>
|}


<span style="line-height: 20.8px;">A 2nd PDTS will be provided further to the Paris meeting (October 2019).</span>
== <span style="font-size: larger;">Standards in development</span> ==


|-
=== <br/><span style="font-size: larger;">20547 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
| Comments
|
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>
 
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
<div><br/></div>
|}
 
=== <span style="font-size: 18.252px; line-height: 21.9024px;">27701&nbsp;IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
| Jinhua Min, Xuebin Zhou<br/>
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
|-
| Scope
| Documentation
|  
|  
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
 
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.


This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.
|-
| Documentation
| <br/>
|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in April 2017
1st WD provided in June 2016


2nd WD provided in June 2017
2nd WD provided in May 2017


1st CD provided in April 2018
3rd WD provided in November 2017


2nd CD provided in June 2018
4th WD provided in April 2018


DIS provided in March 2019
1st CD provided in November 2018
 
2nd CD provided in October 2019


Publication in August 2019
Further to Paris (October 2019), it will move to DIS


|-
|-
| Comments
| Comments&nbsp;
|  
|  
Was initiatlly ISO/IEC 27552. Was renamed to ISO/IEC 27701
WG9 is working on the following
 
*20546&nbsp;: big data overview and vocabulary
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)


|}
Part 4 is transferred to SC27 for development, with close liaison with WG 9


=== <span style="font-size: larger;">29100 IS Privacy framework</span> ===
[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
|-
*address the 5 Vs concern (volume, velocity, variety, veracity, value)
| Editor<br/>
|
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>


<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
Further to Berlin meetin, decision to change title (term fabric is removed)
 
|}
 
=== <br/><span style="font-size: larger;">23491&nbsp;IS Security techniques - Guidelines for IoT domotics security and privacy</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Mahmoud Ghaddar


|-
|-
| Scope
| Scope
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
|  
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems
 
|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
| <br/>
|-
|-
| Comments
| Calendar
|  
|  
In the Tampa meeting, a recommendation was made to go for a review (see below study period)
<span style="line-height: 20.8px;">Started in Paris October 2018 with a preliminary version</span>


A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work
<span style="line-height: 20.8px;">Further to the Paris meeting, a 1st WD to be provided</span>
 
The amended version will be available further to the Berlin meeting


|}
|}


=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===
=== <span style="font-size: larger;">27030 IS Security and Privacy for the Internet of Things</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor<br/>
|
| Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>
 
<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomote</span>
 
|-
|-
| Scope
| Scope
|  
|  
This International Standard describes a privacy architecture framework that
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>
 
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.


|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
| <br/>
|-
|-
| Comments
| Calendar
| Revision initiated in Berlin (November 2017)
|  
|}
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
 
<span style="line-height: 20.8px;">1st WD provided in June 2018</span>


=== <span style="font-size:larger">29134 IS Guidelines for Privacy impact assessment</span> ===
<span style="line-height: 20.8px;">2nd WD provided in November 2018</span>
 
<span style="line-height: 20.8px;">3rd WD provided in June 2019</span>
 
<span style="line-height: 20.8px;">Further to Paris (Octoberl 2019) a 4th draft will be provided</span>


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Comments
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
|-
| Scope
|  
|  
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).
<span style="line-height: 20.8px;">Follow up of</span>


It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.
*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>


In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
|}


It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
=== <span style="font-size: larger;">27045 IS Big data security and privacy - processes</span> ===


This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor<br/>
| Xiaoyuan Bai - Alastair Walker -&nbsp;Hongru Zhu
|-
| Scope
|
This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.


For principles and guidelines on risk management, reference is made to ISO 31000:2009.
The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks


|-
|-
Line 682: Line 620:
|-
|-
| Calendar
| Calendar
| <span style="line-height: 1.6">Published in June 2017</span><br/>
|  
<span style="line-height: 20.8px;">1st WD was provided in January 2019</span>
 
<span style="line-height: 20.8px;">Further to Tel Aviv (April 2019) a 2nd WD will be provided</span>
 
|-
|-
| Comments
| Comments
| <br/>
|  
<span style="line-height: 20.8px;">Is a WG4 project</span>
 
|}
|}
<div></div>
=== <span style="font-size:larger">29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
=== <span style="font-size: larger;">27046&nbsp;IS Big data security and privacy&nbsp;- Implementation guidelines</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
| Le Yu
|-
|-
| Scope
| Scope
|  
|  
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data
 
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
 
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.


|-
|-
| Documentation
| Documentation
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
| <br/>
|-
|-
| Calendar
| Calendar
| Published in August 2017
|  
|-
|-
| Comments
| Comments
| Also an ITU reference (ITU-T X.gpim)
| <br/>
|}
|}






=== <span style="font-size:larger;"><span style="line-height: 21.9px;">29184 IS Online privacy notices and consent</span></span> ===
=== <span style="font-size:larger;">27551 IS Requirements for attribute-based unlinkable entity authentication</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor<br/>
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
|-
| Scope
|
This International Standard


{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
&nbsp;
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Editor<br/>
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <span style="line-height: 20.8px;">Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck</span><br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Scope
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.


This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.


|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
&nbsp; This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
1st WD provided in June 2016


2nd WD provided in April 2017
|-
| Documentation
| <br/>
|-
| Calendar<br/>
|
1st WD provided in April 2017


3rd WD provided in June 2017
2nd WD provided in Dec 2017


1nd CD provided in December 2017
3rd WD provided in July 2018


<span style="line-height: 20.8px;">2nd CD provided in July 2018</span>
4th WD provided in February 2019


<span style="line-height: 20.8px;">3rd CD provided in January 2019</span>
1st CD provided in October 2019


<span style="line-height: 20.8px;">DIS provided in April 2019</span>
Further to the Paris meeting (October 2019), 27551 will move to DIS


<span style="line-height: 20.8px;">Further to Paris meeting (october 2019) will go for FDIS</span>
|-
| Comments<br/>
| <br/>
|}


|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
=== <span style="font-size: larger;">27555 IS Guidelines on Personally Identifiable Information Deletion</span> ===
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Comments
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
<span style="line-height: 20.8px;">i</span><span style="line-height: 20.8px;">nitiated in Jaipur (Oct 2015)</span>


Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
 
|}
 
=== <span style="font-size: larger;">29190 IS Privacy capability assessment model</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor
| Editor
| <span style="line-height: 20.8px;">Alan Shipman</span><br/>
|  
Dorotea Alessandra de Marco, Yan Sun,&nbsp;Volker Hammer
 
|-
|-
| Scope
| Scope
|  
|  
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6;">In particular, it:</span>
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>


|-
*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.
 
This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:
 
*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.
 
|-
| Documentation
| Documentation
| Must be purchased.&nbsp;[http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]
| <br/>
|-
|-
| Calendar
| Calendar
| <br/>
|  
1st WD provided in March 2019
 
2nd WD provided in June 2019
 
Further to Paris meeting (October 2019), it will go for 1st CD. Title changed (former title: establishing a PII deletion concept in organisations)
 
|-
|-
| Comments
| Comments
| <br/>
| It is based on a German standard
|}
|}


=== <span style="font-size: larger;">29191 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===
=== <span style="font-size: larger;">27556&nbsp;IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| Kazue Sako (NEC)
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
|-
| Scope
| Scope
|  
|  
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.
This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which
 
*defines the actors and roles in the PII handling,
*describes components, their relationships and procedures,
*describes role and properties of a privacy preference management within a privacy information management system, and
*provides requirements for privacy preference administration and PII handing based on privacy preference management.


This document provides guidance to the use of group signatures for data minimization and user convenience.
|-
| Calendar
|
Established in Gjovik (October 2018)


This guideline is applicable in use cases where authentication or authorization is needed.
1st WD provided In June 2019


It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.
Further to Paris (October 2019), a second WD will be provided


|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)
| <br/>
|-
|-
| Comments<br/>
| Comments<br/>
|
Published in December 2012
Under pre-review
|}
|}


=== <span style="font-size: larger;">31700 IS Consumer Protection - Privacy-by-design fo consumer goods and services</span> ===
=== <span style="font-size: larger; line-height: 21.9024px;">27570&nbsp;TS&nbsp;Privacy Guidelines for Smart Cities</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
|  
| Antonio Kung, Heung Youl Youm
Project leader: Michelle Chibba
 
|-
|-
| Scope
| Scope
|  
|  
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens


In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments
 
The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services


|-
|-
| Documentation
| Documentation
| See&nbsp;[https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
| <br/>
|-
|-
| Calendar
| Calendar
|  
|  
*Official start date: November 1 2018
<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span>
*First meeting:&nbsp;November 1-2 2018, BSI London
 
*Adhoc meeting, February 24-24, 2019, DIN Berlin
<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span>
*Second meeting&nbsp;: May 21-23 2018, Toronto, where 1st working draft will be discussed
 
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span>
*Third meeting: October 21-23 AFNOR Paris
 
<span style="line-height: 20.8px;">A 2nd PDTS will be provided further to the Paris meeting (October 2019).</span>


|-
|-
| Comments
| Comments
|  
|  
Note that this an ISO standard
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>


This standard is managed by the&nbsp;[https://www.iso.org/committee/6935430.html PC 317 technical committee]&nbsp;that will be chaired by Jan Schallaboek
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
<div><br/></div>
<div><br/></div>
|}
|}


=== <span style="font-size: larger;"><span style="line-height: 21.9px;">29184 IS Online privacy notices and consent</span></span> ===


{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Editor<br/>
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <span style="line-height: 20.8px;">Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck</span><br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Scope
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.


== <span style="font-size: larger;">New work item proposals</span> ==
This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.


=== <span style="font-size: larger;">NWIP IS Big data security and privacy&nbsp;- Implementation guidelines</span> ===
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
1st WD provided in June 2016


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
2nd WD provided in April 2017
|-
 
| Editor
3rd WD provided in June 2017
| Le Yu
 
|-
1nd CD provided in December 2017
| Scope
 
|
<span style="line-height: 20.8px;">2nd CD provided in July 2018</span>
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data
 
<span style="line-height: 20.8px;">3rd CD provided in January 2019</span>
 
<span style="line-height: 20.8px;">DIS provided in April 2019</span>
 
<span style="line-height: 20.8px;">Further to Paris meeting (october 2019) will go for FDIS</span>
 
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Comments
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |  
<span style="line-height: 20.8px;">i</span><span style="line-height: 20.8px;">nitiated in Jaipur (Oct 2015)</span>
 
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent


|-
| Documentation
| <br/>
|-
| Calendar
|
|-
| Comments
| <div><br/></div>
|}
|}
<span style="font-size: larger;"></span><span style="font-size: larger;"></span>
 
=== <span style="font-size:larger;">NWIP IS Privacy technologies – Consent record information structure</span><span style="font-size: larger;"></span> ===
=== <span style="font-size: larger;">31700 IS Consumer Protection - Privacy-by-design for consumer goods and services</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
Line 889: Line 858:
| Editor
| Editor
|  
|  
Project leader: Michelle Chibba
|-
|-
| Scope
| Scope
|  
|  
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.


In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.
The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services


|-
|-
| Documentation
| Documentation
| <br/>
| See&nbsp;[https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
|-
| Calendar
| Calendar
|
*Official start date: November 1 2018
*First meeting:&nbsp;November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting&nbsp;: May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 AFNOR Paris
|-
| Comments
|
Note that this an ISO standard
This standard is managed by the&nbsp;[https://www.iso.org/committee/6935430.html PC 317 technical committee]&nbsp;that will be chaired by Jan Schallaboek
<div><br/></div>
|}
|}


=== <span style="font-size:larger;">NWIP&nbsp;IS Organizational privacy risk management</span> ===
== <span style="font-size: larger;">New work item proposals proposed in October 2019</span> ==
 
=== <span style="font-size:larger;">NWIP TS Privacy technologies – Consent record information structure</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
|  
| Andrew Hughes
|-
|-
| Scope
| Scope
|  
|  
This document specifies an interoperable, open and extensible information structure for recording PII Principals'&nbsp;or data subjects'&nbsp;consent to data processing. This document&nbsp;further&nbsp;provides guidance on the use of consent receipts and consent records associated with a&nbsp;PII Principal's data processing&nbsp;consent&nbsp;to support&nbsp;the:


—&nbsp;provision of&nbsp;a record of the&nbsp;consent&nbsp;to&nbsp;the PII Principal;
— exchange of consent information between information systems; and,
— management of the lifecycle of the&nbsp;recorded&nbsp;consent.&nbsp;&nbsp;


|-
|-
Line 918: Line 916:
| Calendar
| Calendar
|}
|}
<span style="font-size:larger;"></span>
 
=== <span style="font-size: larger;">NWIP&nbsp;IS&nbsp;Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001</span> ===
=== <span style="font-size:larger;">NWIP&nbsp;IS Organizational privacy risk management</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
Line 925: Line 923:
| Editor
| Editor
|  
|  
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes
|-
|-
| Scope
| Scope
|  
|  
Provides guidelines for organizational privacy risk management.&nbsp;


Designed to provide guidance to organizations processing personally identifiable&nbsp;information (PII) for integrating risks to the organization related to the processing of PII, including&nbsp;the privacy impact to individuals, as part of an organizational privacy risk management program.
Assists in the implementation of a risk-based privacy program which can be&nbsp;integrated in the overall risk management of the organization, and supports the requirement for risk&nbsp;management as specified in management systems (such as ISO/IEC 27701:2019).<br/>This document is applicable to all types and sizes of organizations, including public and private&nbsp;companies, government entities and not-for-profit organizations, which are organizations&nbsp;processing PII, or developing products and services that can be used to process PII.


|-
|-
Line 937: Line 941:
|}
|}


=== <span style="font-size:larger;">NWIP&nbsp;IS Privacy-enhancing data de-identification framework</span> ===
=== <span style="font-size: larger;">NWIP&nbsp;IS&nbsp;Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
|  
| Helge Kreutzmann&nbsp;
|-
|-
| Scope
| Scope
|  
|  
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.


NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.


|-
|-
Line 953: Line 961:
|-
|-
| Calendar
| Calendar
|
|}
|}


== On-going study periods ==
=== <span style="font-size:larger;">NWIP&nbsp;IS Privacy-enhancing data de-identification framework</span> ===


=== Guidance on processes of a privacy information management system (<span style="font-size: 16px;">Started in October 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| Malcom Townsend
|-
| Scope
|  
|  
Michael Steiner, Alan Shipman
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.
 
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.


|-
|-
| Objective
| Documentation
| <br/>
|-
| Calendar
|  
|  
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.
|}


Consider the following:
== On-going study periods ==
<ol style="list-style-type:lower-roman;">
 
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
 
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
 
<li>ISO Handbook “The integrated use of management system standards”</li>
=== Privacy consideration in practical workflows&nbsp;<span style="font-size: 13px; line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2018)</span> ===
<li>ISO/IEC 33004</li>
<div>
<li>2<sup>nd</sup> WD of ISO/IEC 27022</li>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
</ol>
|-
| Leaders
| Mickey Cohen<br/>
|-
| Objective
|
The scope of this study period is to collect contributions:
 
<font color="#000000"><span lang="EN-US">(1) On workflows describing&nbsp;'''use-cases'''&nbsp;where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole</span></font>
 
<span lang="EN-US">(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy</span>


|-
|-
Line 992: Line 1,015:
|}
|}
</div>
</div>
=== Privacy for Fintech services&nbsp;<span style="font-size: 16px;">(Started in October 2019)</span> ===
=== <span style="font-size: 13px;">Use case for identity assurance (</span><font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
<div>
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
|  
|  
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Tony Nadalin,&nbsp;</span><span style="background-color: transparent;">Patrick Curry</span>
 
 


|-
|-
| Objective
| Objective
|  
|  
Objectives
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.&nbsp; These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115
 
*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment
 
Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.


|-
|-
| Documentation
|  
|  
Documentation


 
| <br/>
|-
|-
| Comments
| Comments
Line 1,025: Line 1,041:


|}
|}
</div>
</div></div>
=== Privacy consideration in practical workflows&nbsp;<span style="font-size: 13px; line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2018)</span> ===
=== <span style="font-size: 13px;">Impact of Artificial Intelligence on Privacy (</span><font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
<div>
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Mickey Cohen<br/>
|-
| Objective
|  
|  
The scope of this study period is to collect contributions:
Antonio Kung,&nbsp;<span style="background-color: transparent;">Srinivas Poosarla,&nbsp;</span><span style="background-color: transparent;">Peter Dickman,&nbsp;Gurshabad Grover, Peter Deussen, Heung Your Youm,&nbsp;</span>Zhao Yunwei
 
|-
| Objective
|
<span style="background-color: transparent;">Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period</span>


<font color="#000000"><span lang="EN-US">(1) On workflows describing&nbsp;'''use-cases'''&nbsp;where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole</span></font>
*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
*to review the new threats to privacy which AI can create,
*to review how AI can be used by deploying improved privacy controls, and
*to provide recommendations for standardization work.


<span lang="EN-US">(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy</span>
Is extended for 6 months


|-
|-
| Documentation
|  
|  
Documentation


|
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:


{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|-
| Comments
|  
|  
IEEE Ethically Aligned AI


|
<span style="font-size:xx-small;">[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]</span>


|}
</div>
=== <span style="font-size: 16px;">Additional Privacy-Enhancing Data De-identification standards (Started in April 2018)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Ethics guidelines for trustworthy AI<br/>
| Malcom Townsend, Heung Youl Youm
| <span style="font-size:xx-small;">[https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112]</span><br/>
|-
| Privacy Commissioners declaration&nbsp;<br/>
| <span style="font-size:xx-small;">[https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf]</span><br/>
|-
| AI as a Disruptive Opportunity and Challenge for Security<br/>
| <span style="font-size:xx-small;">[https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf]</span><br/>
|-
| The impact of AI on life cycle processes<br/>
| <span style="font-size:xx-small;">[https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf]</span><br/>
|-
| Asilomar principles
| <span style="font-size:xx-small;">[https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles]</span><br/>
|-
| Malicious AI report
| <span style="font-size:xx-small;">[https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&amp;nbsp];</span><br/>
|-
|-
| Scope
| Privacy and Freedom of Expression In the Age of Artificial Intelligence&nbsp;<br/>
|  
| <span style="font-size:xx-small;">[https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence]</span><br/>
<span lang="EN-GB" style="margin: 0px;"><font face="Calibri" color="#000000" size="3">This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.</font></span>
 
|-
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?<br/>
|  
|  
Documentation
<span style="font-size:xx-small;">[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]</span>
 
|-
| Australian Human Rights Commission report on Human Rights and Technology<br/>
| <span style="font-size:xx-small;">[https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf]</span><br/>
|}


| <br/>
|-
|-
| Comments
| Comments
|  
|  
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence
An intermediate report was provided in Tel-Aviv (April 2019).
A second report was provided in Paris (October 2019)


A further study of SC42 ISO/IEC 24030 on AI use cases will be carried out


|}
|}
</div></div>
</div></div>
=== Use case for identity assurance (<font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
=== Consent receipts and records&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
|  
| Collin Wallis, Andrew Hughes<br/>
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Tony Nadalin,&nbsp;</span><span style="background-color: transparent;">Patrick Curry</span>
 
 
 
|-
|-
| Objective
| Objective
|  
|  
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.&nbsp; These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing


|-
|-
| Documentation
|  
|  
Documentation


| <br/>
 
|-
|-
| Comments
| Comments
Line 1,102: Line 1,143:


|}
|}
</div></div>
</div>
=== Identity Standards Landscape Document Update (<font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
 
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
=== Privacy engineering model&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
|  
| John Sabo, Antonio Kung, Srinivas Poorsala
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Christophe Stenuit,&nbsp;</span><span style="background-color: transparent;">Kai Rannenberg</span>
 
 
 
|-
|-
| Objective
| Objective
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
|-
| Documentation
|  
|  
<font color="#000000">''S''</font>olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document


|-
|
Documentation


| <br/>
|-
|-
| Comments
| Comments
Line 1,129: Line 1,165:


|}
|}
</div></div>
 
=== Impact of Artificial Intelligence on Privacy (<font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
 
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
 
=== Guidance on processes of a privacy information management system (<span style="font-size: 16px;">Started in October 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
|  
|  
Antonio Kung,&nbsp;<span style="background-color: transparent;">Srinivas Poosarla,&nbsp;</span><span style="background-color: transparent;">Peter Dickman,&nbsp;Gurshabad Grover, Peter Deussen, Heung Your Youm,&nbsp;</span>Zhao Yunwei
Michael Steiner, Alan Shipman


|-
|-
| Objective
| Objective
|  
|  
<span style="background-color: transparent;">Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period</span>
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.


*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
Consider the following:
*to review the new threats to privacy which AI can create,
<ol style="list-style-type: lower-roman;">
*to review how AI can be used by deploying improved privacy controls, and
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
*to provide recommendations for standardization work.
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2<sup>nd</sup>&nbsp;WD of ISO/IEC 27022</li>
</ol>


|-
|-
| Documentation
|  
|  
Documentation


|
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:


{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|-
| Comments
|  
|  
IEEE Ethically Aligned AI


|}
</div>
=== Privacy for Fintech services&nbsp;<span style="font-size: 16px;">(Started in October 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|  
|  
<span style="font-size:xx-small;">[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]</span>
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra


|-
|-
| Ethics guidelines for trustworthy AI<br/>
| Objective
| <span style="font-size:xx-small;">[https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112]</span><br/>
|  
Objectives
 
*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment
 
Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.
 
|-
|-
| Privacy Commissioners declaration&nbsp;<br/>
| Documentation
| <span style="font-size:xx-small;">[https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf]</span><br/>
|  
 
 
|-
|-
| AI as a Disruptive Opportunity and Challenge for Security<br/>
| Comments
| <span style="font-size:xx-small;">[https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf]</span><br/>
|  
|-
 
| The impact of AI on life cycle processes<br/>
| <span style="font-size:xx-small;">[https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf]</span><br/>
|-
| Asilomar principles
| <span style="font-size:xx-small;">[https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles]</span><br/>
|-
| Malicious AI report
| <span style="font-size:xx-small;">[https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&amp;nbsp];</span><br/>
|-
| Privacy and Freedom of Expression In the Age of Artificial Intelligence&nbsp;<br/>
| <span style="font-size:xx-small;">[https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence]</span><br/>
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?<br/>
|
<span style="font-size:xx-small;">[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]</span>


|-
| Australian Human Rights Commission report on Human Rights and Technology<br/>
| <span style="font-size:xx-small;">[https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf]</span><br/>
|}
|}
</div></div>


|-
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Study Periods</span></span> ==
| Comments
 
|
The following study periods have been completed.&nbsp;
Expected to have a strong collaboration with JTC1/SC42 Artitificial Intelligence


An intermediate report was provided in Tel-Aviv.
=== <span style="line-height: 1.2; font-size: larger;">Privacy engineering framework (Started in April 2015. Completed in April 2016)</span> ===


|}
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
</div></div>
=== Consent recepts and records&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Collin Wallis, Andrew Hughes<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Matthias Reinis</span><br/>
|-
|-
| Objective
| Objective
|  
| Study the concept of privacy engineering and see whether new work items are needed
The scope of this study period is to assess the need for a Consent Recept and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing
 
|-
|-
| Documentation
| Documentation
|  
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
| Timeline
| <div style="line-height: 20.8px;">
*Contributions by August 15th 2015.
**<span style="line-height: 20.8px; background-color: rgb(255, 255, 0);">​</span><span style="line-height: 20.8px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span>
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project:&nbsp;[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering
**Contribution made by PRIPARE&nbsp;[http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}


=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Comments
| Leader
|  
| <span style="line-height: 20.8px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/>
 
 
|}
</div>
=== Privacy engineering model&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| John Sabo, Antonio Kung, Srinivas Poorsala
|-
|-
| Objective
| Objective
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
| <br/>
|-
|-
| Documentation
| Documentation
|  
| <br/>
 
 
|-
|-
| Comments
| Comments
|  
|  
*Initiated in Jaipur (Oct 2015)
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.8px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.8px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span>
*<span style="line-height: 20.8px;">Completed.</span>
*<span style="line-height: 20.8px;">Followed by new project&nbsp;: ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)</span>


|}


|}
=== <span style="font-size: larger;">Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)</span> ===
</div>
=== Review of requirements for accredited certification for sector specific ISMS standards (<span style="line-height: 18.24px;">tarted in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Hans Hedbom, Alan Shipman<br/>
| Nat Sakimura, Mathias Reinis, Elaine Newton
|-
|-
| Objective
| Objective
|  
|  
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.
Collecting errors and correcting inconsistencies


|-
|-
| Comments
| Documentation
| <br/>
|-
| Comments<br/>
|  
|  
 
*Completed, has led to a draft amendment (with limited scope)


|}
|}
</div>
</div>
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Study Periods</span></span> ==
=== <span style="font-size: larger;">Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)</span> ===
 
<div>
The following study periods have been completed.&nbsp;
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
 
=== <span style="line-height: 1.2; font-size: larger;">Privacy engineering framework (Started in April 2015. Completed in April 2016)</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Leaders
| Leaders
| <span style="line-height: 20.8px;">Antonio Kung, Matthias Reinis</span><br/>
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Heung Youl Youm,&nbsp;Srinivas Poorsala, Antonio Kung</span><br/>
|-
|-
| Objective
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|  
*assess the viability of producing guidelines for Privacy in IoT within WG5;
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen
 
|-
|-
| Documentation
|  
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
Documentation
 
| <br/>
|-
|-
| Timeline
| Comments
| <div style="line-height: 20.8px;">
|  
*Contributions by August 15th 2015.
Initiated in Tampa (April 2016)
**<span style="line-height: 20.8px; background-color: rgb(255, 255, 0);">​</span><span style="line-height: 20.8px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span>
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project:&nbsp;[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering
**Contribution made by PRIPARE&nbsp;[http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}


=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)</span> ===
Initial contribution in Abu Dhabi (October 2016)


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.
|-
| Leader
| <span style="line-height: 20.8px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/>
|-
| Objective
| <br/>
|-
| Documentation
| <br/>
|-
| Comments
|
*Initiated in Jaipur (Oct 2015)
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.8px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.8px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span>
*<span style="line-height: 20.8px;">Completed.</span>
*<span style="line-height: 20.8px;">Followed by new project&nbsp;: ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)</span>


Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
<div><br/></div>
|}
|}
 
</div>
=== <span style="font-size: larger;">Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)</span> ===
=== <span style="font-size: larger;">Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
|-
| Leaders
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
|-
|-
| Objective
| Objective
| prepare the materials necessary to initiate an International Standard<br/>coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|  
|  
Collecting errors and correcting inconsistencies
Documentation


|-
| Documentation
| <br/>
| <br/>
|-
|-
| Comments<br/>
| Comments
|  
|  
*Completed, has led to a draft amendment (with limited scope)
Is an SC27/WG4 study periods involving WG4 and WG5.
 
Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).
 
Kickoff expected in Wuhan in WG4


|}
|}
</div>
</div>
=== <span style="font-size: larger;">Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)</span> ===
=== <span style="font-size: larger; line-height: 1.2;">PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)</span> ===
<div>
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leader
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Heung Youl Youm,&nbsp;Srinivas Poorsala, Antonio Kung</span><br/>
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/>
|-
|-
| Objective
| Objective
|  
|  
*assess the viability of producing guidelines for Privacy in IoT within WG5;
Study mobile application ecosystems from a privacy viewpoint
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen
 
<span style="line-height: 20.8px;">Collect views of multiple stakeholders in the mobile applications space</span>


|-
<span style="line-height: 20.8px;">Collect mobile apps privacy guidelines issued by various agencies</span>
|
 
Documentation
<span style="line-height: 20.8px;">Collate a report on the findings</span>
 
<span style="line-height: 20.8px;">Potentially provide a new work item proposal</span>


|-
| Documentation
| <br/>
| <br/>
|-
|-
| Comments
| Comments
|  
|  
Initiated in Tampa (April 2016)
Initiated in Jaipur (October 2015)


Initial contribution in Abu Dhabi (October 2016)
|}


Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.
=== <span style="font-size: larger;">Privacy in smart cities (Started in October 2015. Completed in November 2017)</span> ===


Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
<div><br/></div>
|}
</div>
=== <span style="font-size: larger;">Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
|-
| Leaders
| Leaders
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari<br/>
|-
|-
| Objective
| Objective
| prepare the materials necessary to initiate an International Standard<br/>coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|  
|  
Documentation
Connect with multiple stakeholders in the smart city space
 
Refer the existing work on smart cities
 
Collate information, feedback, inputs from the stakeholders and draft the guidelines
 
Potentially provide (a) new work item proposal(s) that can translate in guidelines


|-
| Documentation
| <br/>
| <br/>
|-
|-
| Comments
| Comments
|  
|  
Is an SC27/WG4 study periods involving WG4 and WG5.
Initiated in Jaipur (October 2015)
 
Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;


Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).
Presentation in Tampa (April 2016) of intermediate state


Kickoff expected in Wuhan in WG4
*Liaison with EIP-SCC mentioned (see&nbsp;[https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]).&nbsp;


|}
Presentation in Abu Dhabi (October 2016) of intermediate state
</div>
=== <span style="font-size: larger; line-height: 1.2;">PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
*Includes contribution from pripare:&nbsp;[https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]
|-
 
| Leader
Presentation in Hamilton (April 2017) of intermediate state
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/>
 
|-
*Includes contribution from pripare&nbsp;[https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
| Objective
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines
|
Study mobile application ecosystems from a privacy viewpoint


<span style="line-height: 20.8px;">Collect views of multiple stakeholders in the mobile applications space</span>
Proposal for new work item in Berlin (Nov 2017)


<span style="line-height: 20.8px;">Collect mobile apps privacy guidelines issued by various agencies</span>
|}


<span style="line-height: 20.8px;">Collate a report on the findings</span>


<span style="line-height: 20.8px;">Potentially provide a new work item proposal</span>


=== <span style="font-size: 16px;">Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Documentation
| Leaders
| <br/>
| <font face="sans-serif" color="#252525"><span style="font-size: 14px;">Mathias Reinis,&nbsp;</span></font>Heung Youl Youm<br/>
|-
|-
| Comments
| Objective
|  
|  
Initiated in Jaipur (October 2015)
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME


|}
|-
|
Documentation


=== <span style="font-size: larger;">Privacy in smart cities (Started in October 2015. Completed in November 2017)</span> ===
| <br/>
|-
| Comments
|
Terminated due to lack of contributions


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|}
</div>
=== <span style="font-size: 16px;">Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari<br/>
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
|-
|-
| Objective
| Objective
| <br/>
|-
|  
|  
Connect with multiple stakeholders in the smart city space
Documentation
 
Refer the existing work on smart cities


Collate information, feedback, inputs from the stakeholders and draft the guidelines
Potentially provide (a) new work item proposal(s) that can translate in guidelines
|-
| Documentation
| <br/>
| <br/>
|-
|-
| Comments
| Comments
|  
|  
Initiated in Jaipur (October 2015)
Has resulted in a NWIP
 
Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;
 
Presentation in Tampa (April 2016) of intermediate state
 
*Liaison with EIP-SCC mentioned (see&nbsp;[https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]).&nbsp;
 
Presentation in Abu Dhabi (October 2016) of intermediate state
 
*Includes contribution from pripare:&nbsp;[https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]
 
Presentation in Hamilton (April 2017) of intermediate state
 
*Includes contribution from pripare&nbsp;[https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines
 
Proposal for new work item in Berlin (Nov 2017)


|}
|}
</div>


 
=== <span style="font-size: 16px;">Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)</span> ===
 
=== <span style="font-size: 16px;">Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| <font face="sans-serif" color="#252525"><span style="font-size: 14px;">Mathias Reinis,&nbsp;</span></font>Heung Youl Youm<br/>
| Christophe Stenuit, Joanne Knight
|-
|-
| Objective
| Objective
|  
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks<br/>
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME
 
|-
|-
|  
|  
Line 1,489: Line 1,504:
| <br/>
| <br/>
|-
|-
| Comments
| Comments<br/>
|  
| New work item proposal
Terminated due to lack of contributions
 
|}
|}
</div>
</div>
=== <span style="font-size: 16px;">Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Concluded in April 2018)</span> ===
 
=== <span style="font-size: 16px;">Concept of PII Deletion (Started in November 2017. Completed in April 2018)</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman<br/>
|-
|-
| Objective
| Objective
| <br/>
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"<br/>
|-
|-
|  
|  
Line 1,512: Line 1,526:
| Comments
| Comments
|  
|  
Has resulted in a NWIP
 


|}
|}
</div>
</div>
=== <span style="font-size: 16px;">Application of ISO 31000 for identify-related risk (Started in April 2017. Concluded in April 2018)</span> ===
 
<div>
=== Development of Identify standards landscape standing document (<font size="3" style="line-height: 19.2px;">Started in&nbsp; April 2018, Completed in October 2018)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Christophe Stenuit, Joanne Knight
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,<br/>
|-
|-
| Objective
| Objective
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks<br/>
|  
|-
<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Create an initial draft of a new SD that would provide:</font></span></font>
 
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">The scope of the identity standards landscape</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A register of alignment issues that have been accepted as needing to be resolve</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Develop a proposal for the process of maintaining the standing document that includes:</font></span></font>
 
|-
|  
|  
Documentation
Documentation
Line 1,531: Line 1,554:
| <br/>
| <br/>
|-
|-
| Comments<br/>
| Comments
| New work item proposal
|  
 
 
|}
|}
</div>
</div></div>
=== <span style="font-size: 16px;">Concept of PII Deletion (Started in November 2017. Concluded in April 2018)</span> ===
=== <span style="font-size: 16px;">Identify assurance framework (Started in April 2017. Completed in October 2018)</span> ===
<div>
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman<br/>
| Patrick Curry, Anthony Nadalin
|-
|-
| Objective
| Objective
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"<br/>
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next&nbsp;steps towards developing an International Standard (or other mechanisms) for an Identity Assurance&nbsp;Framework.<br/>
|-
|-
|  
|  
Line 1,555: Line 1,580:


|}
|}
</div>
=== <span style="font-size: 16px;">Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 1112.79px;"
|-
| Start/duration
|
April 2017 / 18 months


=== Development of Identify standards landscape standing document (<font size="3" style="line-height: 19.2px;">Started in&nbsp; April 2018, Completed in October 2018)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,<br/>
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
|-
| Objective
| Objective
|  
| define frameworks of user-centric PII handling based on privacy preferences of users
<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Create an initial draft of a new SD that would provide:</font></span></font>
 
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">The scope of the identity standards landscape</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A register of alignment issues that have been accepted as needing to be resolve</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Develop a proposal for the process of maintaining the standing document that includes:</font></span></font>
 
|-
|-
|  
|  
Line 1,583: Line 1,603:
| Comments
| Comments
|  
|  
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See&nbsp;[https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]


In Berlin (November 2017),&nbsp; it was decided to consider 3 options


|}
*extension of 29101
</div></div>
*definition of a generic model
=== <span style="font-size: 16px;">Identify assurance framework (Started in April 2017. Completed in October 2018)</span> ===
*defintion of specific models
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
 
In Wuhan (May 2018), it was decided to prepare a NWIP
 
In Gjovik (October 2018), the NWIP was finalised
 
|}
</div>
=== <span style="font-size: 16px;">Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Patrick Curry, Anthony Nadalin
| Malcom Townsend, Heung Youl Youm
|-
|-
| Objective
| Scope
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next&nbsp;steps towards developing an International Standard (or other mechanisms) for an Identity Assurance&nbsp;Framework.<br/>
|  
<span lang="EN-GB" style="margin: 0px;"><font face="Calibri" color="#000000" size="3">This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.</font></span>
 
|-
|-
|  
|  
Line 1,607: Line 1,639:


|}
|}
</div>
</div></div>
=== <span style="font-size: 16px;">Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)</span> ===
=== Identity Standards Landscape Document Update (<font size="3" style="line-height: 19.2px;">Started in October 2018. Completed in October 2019)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 1112.79px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Start/duration
| Leaders
|  
|
April 2017 / 18 months
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Christophe Stenuit,&nbsp;</span><span style="background-color: transparent;">Kai Rannenberg</span>
 
 
 
|-
| Objective
|
<font color="#000000">''S''</font>olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document
 
|-
|
Documentation
 
| <br/>
|-
| Comments
|
 
 
|}
 
=== <span style="background-color: transparent;">Review of requirements for accredited certification for sector specific ISMS standards (S</span><span style="background-color: transparent; line-height: 18.24px;">tarted in&nbsp;</span><span style="background-color: transparent; font-size: 16px;">April 2019. Completed in October 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Hans Hedbom, Alan Shipman<br/>
|-
| Objective
|  
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.


|-
| Leaders
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Objective
| define frameworks of user-centric PII handling based on privacy preferences of users
|-
|
Documentation
| <br/>
|-
|-
| Comments
| Comments
|  
|  
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See&nbsp;[https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]


In Berlin (November 2017),&nbsp; it was decided to consider 3 options
*extension of 29101
*definition of a generic model
*defintion of specific models
In Wuhan (May 2018), it was decided to prepare a NWIP
In Gjovik (October 2018), the NWIP was finalised


|}
|}
</div><br/><br/></div>
</div></div></div></div>

Revision as of 09:45, 7 February 2020

ISO red.jpgIEC logo.png

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan SchallaböckWG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]

Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek

One project is carried out ​within ISO PC317. The convenor is Jan Schallaböck. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • PDTR: Proposed Draft Technical Report
  • TR: Technical Report
Technical specification
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • PDTS: Proposed Draft Technical Specification
  • Technical Specification

Meetings

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City, Mexico
2015
  • May 4-12, 2015 Kuching, Malaysia
  • Oct 26-30, 2015 Jaipur, India
2016
  • April 11-15, 2016  Tampa, USA
  • Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE
2017
  • April 18-22, 2017, Hamilton, New Zealand
  • Oct 30- Nov 3, 2017,  Berlin, Germany
2018
  • April, 16-20 Wuhan, China
  • Sept 30 - Oct 4 - Gjovik, Norway
2019
  • April 1-5, Tel-Aviv, Israel
  • October 14-18, Paris, France
  • 19 October, Paris (jointly with SC27)
2020
  • April 21-26, St Peterburg, Russia

ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.

2018
  • Nov 1-2, 2018, London
2019
  • Feb 6-8, Berlin (adhoc group)
  • May 20-23, Toronto
  • 19 October, Paris (jointly with SC27)
  • 21-23 October, Paris (colocated with SC27)

Published standards

19608 TS Guidance for developing security and privacy functional requirements based on 15408

Editor
Naruki Kai
Scope

This Technical Report provides guidance for:

  • developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
  • selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
  • procedure to define both privacy and security functional requirements in a coordinated manner
Documentation
Calendar

has been moved from TR to TS

Published in October 2018

Comments

20889 IS Privacy enhancing de-identification terminology and classification of techniques

Editor
Chris Mitchell and Lionel Vodzislawsky
Scope This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing
and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their
characteristics, and their applicability for minimizing the risk of re-identification
Documentation Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf
Calendar

1st WD December 2015

2nd WD June 2016

1st CD Devember 2016

2nd CD May 2017

1st DIS January 2018

FDIS August 2018

Published in November 2018

Comments

27018 IS Code of practice for protection of PII in public clouds acting as PII processors

Editor

Scope

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp; (preview available)
Comments

1st published in 2014

ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques


27550 TR Privacy engineering for system lifecycle processes

Editor
Antonio Kung, Mathias Reinis
Scope

This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

  • it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
  • it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

Documentation A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E
Calendar

1st WD provided in January 2017

2nd WD provided in June 2017

1st PDTR provided in January 2018

2nd PDTR provided in June 2018

3rd PDTR provided in October 2018

Version for publication provided in April 2019

Publication in September 2019

Comments

[Antonio Kung]

  • Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
  • Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

27701 IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

Editor
Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm
Scope

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

Documentation
Calendar

1st WD provided in April 2017

2nd WD provided in June 2017

1st CD provided in April 2018

2nd CD provided in June 2018

DIS provided in March 2019

Publication in August 2019

Comments

Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

29100 IS Privacy framework

Editor

Stefan Weiss

Revision : Nat Sakimura

Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

In the Tampa meeting, a recommendation was made to go for a review (see below study period)

A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work

The amended version will be available further to the Berlin meeting

29101 IS Privacy architecture framework

Editor

Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomote

Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available)
Comments Revision initiated in Berlin (November 2017)

29134 IS Guidelines for Privacy impact assessment

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation
Calendar Published in June 2017
Comments

29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)

Editor Heung Youl Youm, Alan Shipman
Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf
Calendar Published in August 2017
Comments Also an ITU reference (ITU-T X.gpim)

29190 IS Privacy capability assessment model

Editor Alan Shipman
Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations
Documentation Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269
Calendar
Comments

29191 IS Requirements for partially anonymous, partially unlinkable authentication

Editor
Kazue Sako (NEC)
Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 (preview available)
Comments

Published in December 2012

Under pre-review

Standards in development


20547 IS Big data reference architecture - Part 4 - Security and privacy

Editor Jinhua Min, Xuebin Zhou
ScopeS Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
Documentation

Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], ​[7]

Calendar

1st WD provided in June 2016

2nd WD provided in May 2017

3rd WD provided in November 2017

4th WD provided in April 2018

1st CD provided in November 2018

2nd CD provided in October 2019

Further to Paris (October 2019), it will move to DIS

Comments 

WG9 is working on the following

  • 20546 : big data overview and vocabulary
  • 20547 : big data reference architecture
    • Part 1: Framework and application process (TR)
    • Part 2: Use cases and derived requirements (TR)
    • Part 3: Reference architecture (IS)
    • Part 4: Security and privacy fabric (IS)
    • Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

  • contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
  • address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meetin, decision to change title (term fabric is removed)


23491 IS Security techniques - Guidelines for IoT domotics security and privacy

Editor

Qin QIu, Mahmoud Ghaddar

Scope

This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems

Documentation
Calendar

Started in Paris October 2018 with a preliminary version

Further to the Paris meeting, a 1st WD to be provided

27030 IS Security and Privacy for the Internet of Things

Editor
Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
Scope

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

Documentation
Calendar

Started in Wuhan April 2018

1st WD provided in June 2018

2nd WD provided in November 2018

3rd WD provided in June 2019

Further to Paris (Octoberl 2019) a 4th draft will be provided

Comments

Follow up of

  • SP Privacy guidelines for IoT (WG5)
  • SP Security guidelines for IoT (WG4)
  • SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

27045 IS Big data security and privacy - processes

Editor
Xiaoyuan Bai - Alastair Walker - Hongru Zhu
Scope

This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.

The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks

Documentation
Calendar

1st WD was provided in January 2019

Further to Tel Aviv (April 2019) a 2nd WD will be provided

Comments

Is a WG4 project

27046 IS Big data security and privacy - Implementation guidelines

Editor Le Yu
Scope

This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

Documentation
Calendar
Comments


27551 IS Requirements for attribute-based unlinkable entity authentication

Editor
Nat Sakimura, Jaehoon Na, Pascal Pailler
Scope

This International Standard

 

  • Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
  • Specifies requirements for attribute-based unlinkable entity authentication implementations.

  This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

Documentation
Calendar

1st WD provided in April 2017

2nd WD provided in Dec 2017

3rd WD provided in July 2018

4th WD provided in February 2019

1st CD provided in October 2019

Further to the Paris meeting (October 2019), 27551 will move to DIS

Comments

27555 IS Guidelines on Personally Identifiable Information Deletion

Editor

Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

Scope

This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

  • a harmonised terminology for PII deletion,
  • an approach for defining deletion/de-identification rules in an efficient way,
  • a description of required documentation, and
  • a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

  • specific legal provision, as given by national law or specified in contracts,
  • specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
  • deletion mechanisms including those for cloud storage,
  • security of deletion mechanisms,
  • specific techniques for de-identification of data.
Documentation
Calendar

1st WD provided in March 2019

2nd WD provided in June 2019

Further to Paris meeting (October 2019), it will go for 1st CD. Title changed (former title: establishing a PII deletion concept in organisations)

Comments It is based on a German standard

27556 IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences

Editor
Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
Scope

This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which

  • defines the actors and roles in the PII handling,
  • describes components, their relationships and procedures,
  • describes role and properties of a privacy preference management within a privacy information management system, and
  • provides requirements for privacy preference administration and PII handing based on privacy preference management.
Calendar

Established in Gjovik (October 2018)

1st WD provided In June 2019

Further to Paris (October 2019), a second WD will be provided

Documentation
Comments

27570 TS Privacy Guidelines for Smart Cities

Editor Antonio Kung, Heung Youl Youm
Scope

The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

Documentation
Calendar

1st WD was provided in June 2018 further the Wuhan meeting.

2nd WD was provided in October 2018 further to the Gjovik meeting.

A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.

A 2nd PDTS will be provided further to the Paris meeting (October 2019).

Comments

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)


29184 IS Online privacy notices and consent

Editor
Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck
Scope

This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.

Documentation
Calendar

1st WD provided in June 2016

2nd WD provided in April 2017

3rd WD provided in June 2017

1nd CD provided in December 2017

2nd CD provided in July 2018

3rd CD provided in January 2019

DIS provided in April 2019

Further to Paris meeting (october 2019) will go for FDIS

Comments

initiated in Jaipur (Oct 2015)

Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

31700 IS Consumer Protection - Privacy-by-design for consumer goods and services

Editor

Project leader: Michelle Chibba

Scope

Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

Documentation See https://www.iso.org/standard/76402.html
Calendar
  • Official start date: November 1 2018
  • First meeting: November 1-2 2018, BSI London
  • Adhoc meeting, February 24-24, 2019, DIN Berlin
  • Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
  • Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
  • Third meeting: October 21-23 AFNOR Paris
Comments

Note that this an ISO standard

This standard is managed by the PC 317 technical committee that will be chaired by Jan Schallaboek


New work item proposals proposed in October 2019

NWIP TS Privacy technologies – Consent record information structure

Editor Andrew Hughes
Scope

This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

Documentation
Calendar

NWIP IS Organizational privacy risk management

Editor

Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

Scope

Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

Documentation
Calendar

NWIP IS Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001

Editor Helge Kreutzmann 
Scope

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Documentation
Calendar

NWIP IS Privacy-enhancing data de-identification framework

Editor Malcom Townsend
Scope

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

Documentation
Calendar

On-going study periods

Privacy consideration in practical workflows (Started in April 2018)

Leaders Mickey Cohen
Objective

The scope of this study period is to collect contributions:

(1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy

Documentation


Comments


Use case for identity assurance (Started in October 2018)

Leaders

Andrew Hughes, Tony Nadalin, Patrick Curry


Objective

To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115

Documentation


Comments


Impact of Artificial Intelligence on Privacy (Started in October 2018)

Leaders

Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

Objective

Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

  • to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
  • to review the new threats to privacy which AI can create,
  • to review how AI can be used by deploying improved privacy controls, and
  • to provide recommendations for standardization work.

Is extended for 6 months

Documentation

In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

IEEE Ethically Aligned AI

https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf

Ethics guidelines for trustworthy AI
https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112
Privacy Commissioners declaration 
https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf
AI as a Disruptive Opportunity and Challenge for Security
https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf
The impact of AI on life cycle processes
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf
Asilomar principles https://futureoflife.org/ai-principles
Malicious AI report https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp;
Privacy and Freedom of Expression In the Age of Artificial Intelligence 
https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence
UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?

https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf

Australian Human Rights Commission report on Human Rights and Technology
https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf
Comments

Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A further study of SC42 ISO/IEC 24030 on AI use cases will be carried out

Consent receipts and records (Started in April 2019)

Leaders Collin Wallis, Andrew Hughes
Objective

The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing

Documentation


Comments


Privacy engineering model (Started in April 2019)

Leaders John Sabo, Antonio Kung, Srinivas Poorsala
Objective Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
Documentation


Comments



Guidance on processes of a privacy information management system (Started in October 2019)

Leaders

Michael Steiner, Alan Shipman

Objective

Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:

  1. ISO/IEC 27001 and ISO/IEC 27003
  2. ISO/IEC 27701 (a.k.a. DIS 27552)
  3. ISO Handbook “The integrated use of management system standards”
  4. ISO/IEC 33004
  5. 2nd WD of ISO/IEC 27022
Documentation


Comments


Privacy for Fintech services (Started in October 2019)

Leaders

Heung Youl Youm, Gurshabad Grover, Janssen Esguerra

Objective

Objectives

  • Apply privacy principles described in ISO/IEC 29100:2011
  • Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
  • Consider privacy risks related to providing Fintech services
  • Consider regulatory requirements that impact privacy of customers
  • Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
  • Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.

Documentation


Comments


Completed Study Periods

The following study periods have been completed. 

Privacy engineering framework (Started in April 2015. Completed in April 2016)

Leaders Antonio Kung, Matthias Reinis
Objective Study the concept of privacy engineering and see whether new work items are needed
Documentation Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf
Timeline

Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)

Leader Pascal Pailler, Nat Sakimura, Jaz Hoon Nah
Objective
Documentation
Comments
  • Initiated in Jaipur (Oct 2015)
  • Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: https://abc4trust.eu,, initiated in April 2014 in Hong Kong), with an extended scope
  • Completed.
  • Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)

Leaders Nat Sakimura, Mathias Reinis, Elaine Newton
Objective

Collecting errors and correcting inconsistencies

Documentation
Comments
  • Completed, has led to a draft amendment (with limited scope)

Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)

Leaders Heung Youl Youm, Srinivas Poorsala, Antonio Kung
Objective
  • assess the viability of producing guidelines for Privacy in IoT within WG5;
  • to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

Documentation


Comments

Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"


Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)

Start/Duration April 2017/6 months)
Leaders Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
Objective prepare the materials necessary to initiate an International Standard
coming out of the SC 27 meeting in Berlin (Oct-2017)

Documentation


Comments

Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things).

Kickoff expected in Wuhan in WG4

PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)

Leader Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri
Objective

Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

Documentation
Comments

Initiated in Jaipur (October 2015)

Privacy in smart cities (Started in October 2015. Completed in November 2017)

Leaders Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari
Objective

Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

Documentation
Comments

Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

Presentation in Abu Dhabi (October 2016) of intermediate state

Presentation in Hamilton (April 2017) of intermediate state

Proposal for new work item in Berlin (Nov 2017)


Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)

Leaders Mathias Reinis, Heung Youl Youm
Objective

Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

Documentation


Comments

Terminated due to lack of contributions

Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)

Leaders David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
Objective

Documentation


Comments

Has resulted in a NWIP

Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)

Leaders Christophe Stenuit, Joanne Knight
Objective Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks

Documentation


Comments
New work item proposal

Concept of PII Deletion (Started in November 2017. Completed in April 2018)

Leaders Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman
Objective Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"

Documentation


Comments


Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018)

Leaders Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,
Objective

 Create an initial draft of a new SD that would provide:

  • The scope of the identity standards landscape
  •  Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
  • A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
  •  A register of alignment issues that have been accepted as needing to be resolve
  • Develop a proposal for the process of maintaining the standing document that includes:

Documentation


Comments


Identify assurance framework (Started in April 2017. Completed in October 2018)

Leaders Patrick Curry, Anthony Nadalin
Objective analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework.

Documentation


Comments


Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)

Start/duration

April 2017 / 18 months

Leaders Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
Objective define frameworks of user-centric PII handling based on privacy preferences of users

Documentation


Comments

Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment

In Berlin (November 2017),  it was decided to consider 3 options

  • extension of 29101
  • definition of a generic model
  • defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)

Leaders Malcom Townsend, Heung Youl Youm
Scope

This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.

Documentation


Comments


Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019)

Leaders

Andrew Hughes, Christophe Stenuit, Kai Rannenberg


Objective

Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document

Documentation


Comments


Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019)

Leaders Hans Hedbom, Alan Shipman
Objective

The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.

Comments