Difference between revisions of "ISO"

From IPEN Wiki
Jump to navigation Jump to search
(554 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[File:ISO.png]]
[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]


== <span style="font-size:larger">Introduction</span> ==
== <span style="font-size:larger">Introduction</span> ==


The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span>
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO


<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span>
Most projects are developed within&nbsp;<span style="line-height: 1.6">ISO/IEC JTC1/SC27.&nbsp;</span>More info can be found on in the SC27 portal:


*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)


<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.</span>
<span style="line-height: 1.6">Note that the portal will in general contain more information than this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is '''Kai Rannenberg''', and the vice convenor is '''Jan Schallaböck'''.&nbsp;</span><span style="line-height: 1.6;">WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in&nbsp;</span>[https://www.din.de/en/meta/jtc1sc27/downloads [1]]
 
Some of the projects are also carried out in&nbsp;'''ISO/IEC JTC1/SC27/WG4'''''<span style="line-height: 1.6;">.</span>''<span style="line-height: 1.6;">The convenor is '''Johann Amsenga''', and the vice convenor is '''François Lorek'''</span>
 
<span style="line-height: 1.6;">One project is carried out ​within '''ISO PC317.&nbsp;'''</span>The convenor is&nbsp;'''Jan Schallaböck'''. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)


== <span style="font-size:larger">Some conventions on ISO standards</span> ==
== <span style="font-size:larger">Some conventions on ISO standards</span> ==
Line 16: Line 20:
The important things to know concerning ISO standards steps:
The important things to know concerning ISO standards steps:


{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"
{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
| <ul style="line-height: 18.9090900421143px;">
| <ul style="line-height: 18.9090900421143px;">
<li>SP: Study period</li>
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>NP: New Work Item</li>
Line 32: Line 36:
|-
|-
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
| <ul style="line-height: 20.7999992370605px;">
|  
<li>PDTR: Proposed Draft Technical Report</li>
Former approach
<li>DTR:&nbsp;Draft Technical Report</li>
<ul style="line-height: 20.7999992370605px;">
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)</li>
<li>TR: Technical Report</li>
<li>TR: Technical Report</li>
</ul>
</ul>
Line 41: Line 49:
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <ul style="line-height: 20.7999992370605px;">
| <ul style="line-height: 20.7999992370605px;">
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li>
<li>PWI: Preliminary work item (previously&nbsp;SP: Study period in SC27)</li>
<li>DTS: Draft Technical Specification</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>WD: Working Draft</li>
<li>DTS: Draft Technical Specification&nbsp;&nbsp;(formerly PDTS: Preliminary Draft Technical Specification)</li>
<li>Technical Specification</li>
<li>Technical Specification</li>
</ul>
</ul>
Line 48: Line 59:
|}
|}


Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.
== <span style="font-size: larger;">Meetings</span> ==


{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months).
 
Here is a list of meetings that took place or that will take place in SC27.
 
{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| 2014
| 2014
Line 73: Line 88:
|  
|  
*April 18-22, 2017, Hamilton, New Zealand
*April 18-22, 2017, Hamilton, New Zealand
*Oct 23-27, 2017, &nbsp;Nr Athens, Greece
*Oct 30- Nov 3, 2017, &nbsp;Berlin, Germany


|-
|-
| 2018
| 2018
|  
|  
*China
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway
 
|-
| 2019
|
*April 1-5, Tel-Aviv,&nbsp;Israel
*October 14-18, Paris, France
*19 October, Paris (jointly with SC27)
 
|-
| 2020
|
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting


|}
|}


== <span style="font-size:larger">Standards and Projects</span> ==
ISO 31700&nbsp;is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.


=== <span style="font-size: larger;">19608 TR&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
{| cellpadding="1" cellspacing="1" border="1" style="width: 500px;"
|-
| 2018
|
*<span style="line-height: 1.6;">Nov 1-2, 2018, London</span>
 
|-
| 2019
|
*Feb 6-8, Berlin (adhoc group)
*May 20-23, Toronto
*19 October, Paris (jointly with SC27)
*21-23 October, Paris (colocated with SC27)
 
|-
| 2020
|
*17-20 March, Virtual meeting
*30 Sept - 2 Oct, Virtual meeting
 
|}


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
== <span style="font-size:larger">Published standards</span> ==
 
=== <span style="font-size: larger;">19608:2018 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
 
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
Line 101: Line 154:
|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html]<br/>
|-
|-
| Calendar
| Calendar
| 3rd Draft
|  
has been moved from TR to TS
 
Published in October 2018
 
|-
|-
| Comments
| Comments
Line 110: Line 167:
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">20547 TR&nbsp;Big data reference architecture - Part 4 - Security and privacy fabric</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
 
=== <span style="font-size: larger;">20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Te be confirmed: Jinhua Min and Xuebin Zhou<br/>
| Jinhua Min, Xuebin Zhou<br/>
|-
|-
| Scope
| ScopeS
| Was discussed in Tampa (April 2016). Need to be validated by WG9
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
|-
| Documentation
| Documentation
| <br/>
|  
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
 
[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]
 
|-
|-
| Calendar
| Calendar
|  
|  
Appoint editor and co-editor
1st WD provided in June 2016
 
2nd WD provided in May 2017
 
3rd WD provided in November 2017
 
4th WD provided in April 2018
 
1st CD provided in November 2018
 
2nd CD provided in October 2019


Call for contribution this summer
DIS published in October 2019


First WD for next SC27 meeting
Further to virtual meeting in April 2020, will go for FDIS


|-
|-
Line 137: Line 210:


*20546&nbsp;: big data overview and vocabulary
*20546&nbsp;: big data overview and vocabulary
*20547
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 2: Use cases and derived requirements (TR)
Line 146: Line 219:
Part 4 is transferred to SC27 for development, with close liaison with WG 9
Part 4 is transferred to SC27 for development, with close liaison with WG 9


[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)
Further to Berlin meeting, decision to change title (term fabric is removed)
<div><br/></div>
|}
|}


=== <span style="font-size: larger;">20889 IS Privacy Enhancing De-identification Techniques</span> ===
=== <span style="font-size: larger;">20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
Line 159: Line 239:
|-
|-
| Documentation
| Documentation
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
|  
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
 
[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]
 
|-
|-
| Calendar
| Calendar
| Further to Tampa, will go for a 2nd Working draft
|  
1st WD December 2015
 
2nd WD June 2016
 
1st CD Devember 2016
 
2nd CD May 2017
 
1st DIS January 2018
 
FDIS August 2018
 
Published in November 2018
 
|-
|-
| Comments
| Comments
| Was proposed in the Kuching meeting (May 2015).<br/><br/>
| <br/><br/>
|}
|}


=== <span style="font-size: larger;">27018 IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===
=== <span style="font-size: larger;">27018:2014 IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
Line 183: Line 281:
|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
|  
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]
 
|-
|-
| Comments
| Comments
Line 189: Line 289:
1st published in 2014
1st published in 2014


ISO/IEC JTC&nbsp;1,&nbsp;''Information technology'', Subcommittee SC&nbsp;27,&nbsp;''IT Security techniques''
ISO/IEC JTC&nbsp;1,&nbsp;Information technology, Subcommittee SC&nbsp;27,&nbsp;IT Security techniques
<div><br/></div>
<div><br/></div>
|}
|}


=== <span style="font-size:larger">29100 IS Privacy framework</span> ===
=== <span style="font-size: larger;">27550:2019&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
|-
| Scope
|
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
 
*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;
 
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations
 
|-
| Documentation
|
A youtube presentation on privacy engineering:&nbsp;[https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]
 
[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]
 
|-
| Calendar
|
1st WD provided in January 2017
 
2nd WD provided in June 2017
 
1st PDTR provided in January 2018
 
2nd PDTR provided in June 2018
 
3rd PDTR provided in October 2018
 
Version for publication provided in April 2019
 
Publication in September 2019
 
|-
| Comments<br/>
|
[Antonio Kung]
 
*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies
 
|}
<span style="font-size: 18.252px;"></span>
=== <span style="font-size: larger;">27570:2021 TS&nbsp;Privacy Guidelines for Smart Cities</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
| Scope
|
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens
 
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments
 
|-
| Documentation
| <font color="#333333">[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]<br/></font>
|-
| Calendar
|
<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span>
 
<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span>
 
<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span>
 
<span style="line-height: 20.8px;">A 2nd PDTS was provided in November 2019 further to the Paris meeting</span>
 
<span style="line-height: 20.8px;">A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting</span>
 
<span style="line-height: 20.8px;">The document will go to publication further to the September 2020 virtual meeting.</span>
 
<span style="line-height: 20.8px;">The standard was published in January 2021 see following press release:&nbsp;</span>https://www.iso.org/news/ref2631.html<span style="line-height: 20.8px;"></span>
 
|-
| Comments
|
First ecosystem oriented standard for privacy
 
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>
 
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
 
|}
 
=== <span style="font-size: 18.252px;">27701:2019 IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor<br/>
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
|-
| Scope
|
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
 
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
 
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
 
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.
 
|-
| Documentation
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html]<br/>
|-
| Calendar
|
1st WD provided in April 2017
 
2nd WD provided in June 2017
 
1st CD provided in April 2018
 
2nd CD provided in June 2018
 
DIS provided in March 2019
 
Publication in August 2019
 
|-
| Comments
|
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019
 
|}
 
=== <span style="font-size: larger;">29100:2011 IS Privacy framework</span> ===
 
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
| Editor<br/>
|
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>
 
<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
 
|-
|-
| Scope
| Scope
Line 207: Line 447:
|-
|-
| Comments
| Comments
| In the Tampa meeting, a recommendation was made to go for a review
|  
In the Tampa meeting, a recommendation was made to go for a review (see below study period)
 
A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work
 
The amended version will be available further to the Berlin meeting
 
|}
|}


=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===
=== <span style="font-size:larger">29101:2018 IS Privacy architecture framework</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Editor
| <span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov</span><br/>
|  
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>
 
<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomote</span>
 
|-
|-
| Scope
| Scope
Line 230: Line 480:
|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html]<br/>
|-
|-
| Comments
| Comments
| <br/>
| Revision initiated in Berlin (November 2017)
|}
|}


=== <span style="font-size:larger">29134 IS Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===
=== <span style="font-size:larger">29134:2017 IS Guidelines for Privacy impact assessment</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Editor
Line 259: Line 509:
|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/62289.html https://www.iso.org/standard/62289.html]<br/>
|-
|-
| Calendar
| Calendar
| <span style="line-height: 1.6">Further to Tampa, will go for a DIS</span><br/>
| <span style="line-height: 1.6">Published in June 2017</span><br/>
|-
|-
| Comments
| Comments
Line 268: Line 518:
|}
|}
<div></div>
<div></div>
=== <span style="font-size:larger">29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===


=== <span style="font-size:larger">29151 IS Code of Practice for PII Protection</span> ===
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
 
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor
| Editor
Line 286: Line 535:
|-
|-
| Documentation
| Documentation
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
|  
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
 
[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]
 
|-
|-
| Calendar
| Calendar
| <span style="line-height: 20.7999992370605px">Further to Tampa meeting, will go for DIS</span><br/>
| Published in August 2017
|-
|-
| Comments
| Comments
Line 295: Line 548:
|}
|}


=== <span style="font-size:larger">29190 IS Privacy capability assessment model</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
 
=== <span style="font-size: larger;"><span style="line-height: 21.9px;">29184:2020 IS Online privacy notices and consent</span></span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Editor<br/>
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <span style="line-height: 20.8px;">Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck</span><br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Scope
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.
 
This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.
 
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]<br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
1st WD provided in June 2016
 
2nd WD provided in April 2017
 
3rd WD provided in June 2017
 
1nd CD provided in December 2017
 
<span style="line-height: 20.8px;">2nd CD provided in July 2018</span>
 
<span style="line-height: 20.8px;">3rd CD provided in January 2019</span>
 
<span style="line-height: 20.8px;">DIS provided in April 2019</span>
 
<span style="line-height: 20.8px;">FDIS provided in May 2020</span>
 
<span style="line-height: 20.8px;">Published in June 2020</span>
 
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Comments
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" |
<span style="line-height: 20.8px;">i</span><span style="line-height: 20.8px;">nitiated in Jaipur (Oct 2015)</span>
 
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent
 
|}
 
=== <span style="font-size:larger;">29190:2015 IS Privacy capability assessment model</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor
| Editor
| <span style="line-height: 20.7999992370605px">Alan Shipman</span><br/>
| <span style="line-height: 20.8px;">Alan Shipman</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6">In particular, it:</span>
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6;">In particular, it:</span>
<ul style="line-height: 18.9090900421143px;">
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
Line 315: Line 616:
|-
|-
| Documentation
| Documentation
| Must be purchased. [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html]<br/>
|-
|-
| Calendar
| Calendar
Line 324: Line 625:
|}
|}


=== <span style="font-size:larger">29191 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===
=== <span style="font-size: larger;">29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| <br/>
| Kazue Sako (NEC)
|-
|-
| Scope
| Scope
Line 343: Line 644:
|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
|-
| Comments<br/>
| Comments<br/>
| <br/>
|  
Published in December 2012
 
Under pre-review
 
|}
 
== <span style="font-size: larger;">Standards in development</span> ==
 
=== <span style="font-size: 13px;">27006-2 TS Requirements for bodies providing audit and certification of information security management systems – Part 2:&nbsp; Privacy information management systems</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
 
Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.
 
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
 
|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html]<br/>
|-
| Calendar
|
Started in Paris October 2019
 
Further to Virtual meeting in April 2020, will move to 1st DTS
 
|}
|}


=== <span style="font-size: larger; line-height: 21.9024px;">29184 IS Guidelines for online privacy notices and consent</span> ===
=== <span style="font-size: larger;">27045 IS Big data security and privacy - processes</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">Nat Sakimura, Srinivas Poorsala</span><br/>
| Xiaoyuan Bai - Hongru Zhu - Vickey Hailey - Keith Fuller
|-
|-
| Scope
| Scope
| <span style="line-height: 20.8px;">Guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from a PII principals online</span><br/>
|  
This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.
 
The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks
 
|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html]<br/>
|-
|-
| Calendar
| Calendar
| <span style="line-height: 20.8px;">Further to Tampa, will go for 1st draft</span><br/>
|  
<span style="line-height: 20.8px;">1st WD was provided in January 2019</span>
 
<span style="line-height: 20.8px;">2nd WD was provided in April 2019</span>
 
<span style="line-height: 20.8px;">3rd WD was provided in October 2019</span>
 
<span style="line-height: 20.8px;">Further to virtual meeting of April 2020, will move to 4th WD</span>
 
|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">i</span><span style="line-height: 20.8px;">nitiated in Jaipur (Oct 2015)</span>
<span style="line-height: 20.8px;">Is a WG4 project</span>
 
|}
 
=== <span style="font-size: larger;">27046&nbsp;IS Big data security and privacy&nbsp;- Implementation guidelines</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Le Yu
|-
| Scope
|
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data
 
|-
| Documentation
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html]<br/>
|-
| Calendar
|
<span style="line-height: 20.8px;">1st WD was provided in&nbsp;</span>October 2019


Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent
<span style="line-height: 20.8px;">Further to virtual meeting of April 2020, will move to 2nd WD</span>


|-
| Comments
| Is a WG4 project
|}
|}


=== <span style="font-size: 18.252px; line-height: 21.9024px;">NWIP IS Enhancement to ISO/IEC 27001 for privacy management - Requirements</span> ===
=== <span style="font-size: larger;">27400&nbsp;IS Security and Privacy for the Internet of Things</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| Matthieu Grall
| Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
|-
|-
| Scope
| Scope
|  
|  
This International Standard
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
 
*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.
 
&nbsp;<span style="line-height: 20.8px;">This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication.</span>


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/>
|-
|-
| Calendar
| Calendar
| <br/>
|  
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
 
<span style="line-height: 20.8px;">1st WD provided in June 2018</span>
 
<span style="line-height: 20.8px;">2nd WD provided in November 2018</span>
 
<span style="line-height: 20.8px;">3rd WD provided in June 2019</span>
 
<span style="line-height: 20.8px;">1st CD provided in December 2020</span>
 
<span style="line-height: 20.8px;">Further to virtual meeting in April 2020, will move to 2nd CD</span>
 
|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">Follow up of</span>


*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>
<span style="line-height: 20.8px;">Aprll 2020: likely to be renamed 27400</span>


|}
|}


=== <span style="font-size: 18.252px; line-height: 21.9024px;">NWIP TR Privacy Engineering</span> ===
=== <span style="font-size: larger;">27402&nbsp;IS IoT&nbsp;security and privacy&nbsp;- Device baseline requirements</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| <span style="line-height: 20.8px;">Antonio Kung. Additional co-editors will be nominated</span>
| Elaine Newton, Mahmoud Ghaddar, Amit Elazari Bar On
|-
|-
| Scope
| Scope
|  
|  
<span style="line-height: 20.8px;">This technical report provides guidelines to engineer capabilities for privacy:</span>
This document will provide the minimum-security requirements for IoT Devices
<ul style="line-height: 20.8px;">
<li>it describes the engineering competences and objectives for privacy</li>
<li>it covers the application of privacy in system engineering phases including requirement analysis, risk analysis, design and architecture process, and quality management taking into account the interest of the individuals</li>
<li>it defines interactions with other stakeholders (e.g. system product manager, privacy or data protection officer)</li>
<li>it provides a number of examples of practice in selected application domains such as health, smart grids, intelligent transport system, using examples of standards and practices.</li>
</ul>
 
<span style="line-height: 20.8px;">Target users are engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, operations or general.</span>


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html]<br/>
|-
|-
| Calendar
| Calendar
| <br/>
|  
1st WD was provided in May 2020
 
Further to September virtual meeting, 1st CD will be provided
 
|-
|-
| Comments
| Comments
| Is a WG4 project
|}
=== <span style="font-size: larger;">27403&nbsp;IS Security techniques - ioT security and privacy - Guidelines for&nbsp;IoT domotics</span> ===
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Qin QIu, Mahmoud Ghaddar
|-
| Scope
|
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems
|-
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html]<br/>
|-
| Calendar
|  
|  
<span style="line-height: 20.8px;">This project is managed in WG4</span>
<span style="line-height: 20.8px;">Started in Paris October 2018 with a preliminary version</span>
<span style="line-height: 20.8px;">1st WD provided in October 2019</span>
<span style="line-height: 20.8px;">2nd WD provided in May 2020</span>


<span style="line-height: 20.8px;">Further to the September 2020 virtual meeting, will move to 3rd WD</span>


|-
| Comment
| Is a WG4 member<br/>
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">NWIP IS Requirements for attribute-based unlinkable entity authentication</span> ===
=== <span style="font-size: larger;">27551 IS Requirements for attribute-based unlinkable entity authentication</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| To be nominated
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
|-
|-
| Scope
| Scope
Line 454: Line 865:
|-
|-
| Documentation
| Documentation
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/>
|-
| Calendar<br/>
|
1st WD provided in April 2017
2nd WD provided in Dec 2017
3rd WD provided in July 2018
4th WD provided in February 2019
1st CD provided in October 2019
DIS provided in November 2019
Further to September virtual meeting will move to FDIS
|-
| Comments<br/>
| <br/>
| <br/>
|}
=== <span style="font-size: larger;">27555 IS Guidelines on Personally Identifiable Information Deletion</span> ===
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
|
Dorotea Alessandra de Marco, Yan Sun,&nbsp;Volker Hammer
|-
| Scope
|
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:
*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:
*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.
|-
| Documentation
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html]<br/>
|-
|-
| Calendar
| Calendar
| <br/>
|  
1st WD provided in March 2019
 
2nd WD provided in June 2019
 
1st CD provided in December 2019.&nbsp;&nbsp;Title changed (former title: establishing a PII deletion concept in organisations)
 
2nd CD was published in June 2020
 
Further to virtual meeting of Sept 2020, it will go to DIS.
 
|-
|-
| Comments
| Comments
| <br/>
| It is based on a German standard
|}
|}


== <span style="font-size:larger"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2000007629395px">Study Periods</span></span> ==
=== <span style="font-size: larger;">27556&nbsp;IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor<br/>
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|
This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which
 
*defines the actors and roles in the PII handling,
*describes components, their relationships and procedures,
*describes role and properties of a privacy preference management within a privacy information management system, and
*provides requirements for privacy preference administration and PII handing based on privacy preference management.
 
|-
| Calendar
|
Established in Gjovik (October 2018)
 
1st WD provided In June 2019
 
2nd WD provided in December 2019


Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made<span style="line-height: 1.6">.</span>
1st CD provided in y 2020
 
Further to Sept 2020 meeting, will move to 2nd CD
 
|-
| Documentation
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]<br/>
|-
| Comments<br/><br/>
|}


=== <span style="line-height: 1.2; font-size: larger;">Privacy Engineering Framework (Completed in April 2016)</span> ===
=== <span style="font-size: larger;">27557&nbsp;IS Organizational privacy risk management</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| <span style="line-height: 20.7999992370605px">Antonio Kung, Matthias Reinis</span><br/>
|  
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes
 
|-
|-
| Objective
| Scope
| Study the concept of privacy engineering and see whether new work items are needed
|  
Provides guidelines for organizational privacy risk management.&nbsp;
 
Designed to provide guidance to organizations processing personally identifiable&nbsp;information (PII) for integrating risks to the organization related to the processing of PII, including&nbsp;the privacy impact to individuals, as part of an organizational privacy risk management program.
 
Assists in the implementation of a risk-based privacy program which can be&nbsp;integrated in the overall risk management of the organization, and supports the requirement for risk&nbsp;management as specified in management systems (such as ISO/IEC 27701:2019).<br/>This document is applicable to all types and sizes of organizations, including public and private&nbsp;companies, government entities and not-for-profit organizations, which are organizations&nbsp;processing PII, or developing products and services that can be used to process PII.
 
|-
|-
| Documentation
| Documentation
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]<br/>
|-
|-
| Timeline
| Calendar
| <div style="line-height: 20.7999992370605px">
|  
*Contributions by August 15th 2015.
1 st WD was published in May 2020
**<span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">​</span><span style="line-height: 20.7999992370605px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span>
 
*Presentation in Jaipur October 2015
Further to virtual meeting (Sept 2020) will move to 2nd WD
**Summary made to PRIPARE project:&nbsp;[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf <span style="background-color:#FFFF00;">http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf</span>]
 
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering
**Contribution made by PRIPARE&nbsp;[http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed and proposal for a NWIP
</div>
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">PII Protection Considerations for Smartphone App Providers (Started in October 2015)</span> ===
=== <span style="font-size: larger;">27559&nbsp;IS Privacy-enhancing data de-identification framework</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Malcolm Townsend
|-
| Scope
|
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.
 
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"
|-
|-
| Leader
| Documentation
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/>
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html]<br/>
|-
|-
| Objective
| Calendar
|  
|  
Study mobile application ecosystems from a privacy viewpoint
1st WD was provide in July 2020
 
Further to virtual meeting of Sept 2020, will move to 2nd WD
 
|}
 
=== <span style="font-size: larger;">27560&nbsp;TS Privacy technologies – Consent record information structure</span> ===


<span style="line-height: 20.7999992370605px;">Collect views of multiple stakeholders in the mobile applications space</span>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Christoph Stenuit, Andrew Hughes, Kelvin Magtalas
|-
| Scope
|
This document specifies an interoperable, open and extensible information structure for recording PII Principals'&nbsp;or data subjects'&nbsp;consent to data processing. This document&nbsp;further&nbsp;provides guidance on the use of consent receipts and consent records associated with a&nbsp;PII Principal's data processing&nbsp;consent&nbsp;to support&nbsp;the:


<span style="line-height: 20.7999992370605px;">Collect mobile apps privacy guidelines issued by various agencies</span>
—&nbsp;provision of&nbsp;a record of the&nbsp;consent&nbsp;to&nbsp;the PII Principal;


<span style="line-height: 20.7999992370605px;">Collate a report on the findings</span>
— exchange of consent information between information systems; and,


<span style="line-height: 20.7999992370605px;">Potentially provide a new work item proposal</span>
— management of the lifecycle of the&nbsp;recorded&nbsp;consent.&nbsp;&nbsp;


|-
|-
Line 516: Line 1,046:
| <br/>
| <br/>
|-
|-
| Comments
| Calendar
|  
|  
Initiated in Jaipur (October 2015)
1st WD was provided in May 2020
 
Further to virtual meeting of Sept 2020 will move to 2nd WD


|}
|}


=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication (Completed in April 2016)</span> ===
=== <span style="font-size: larger;"><br/>31700 IS Consumer Protection - Privacy-by-design for consumer goods and services</span> ===


{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leader
| Editor
| <span style="line-height: 20.7999992370605px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/>
|  
Project leader: Michelle Chibba
 
|-
|-
| Objective
| Scope
| <br/>
|  
Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.
 
In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.
 
The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services
 
|-
|-
| Documentation
| Documentation
| <br/>
| See&nbsp;[https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
|-
|-
| Comments
| Calendar
|  
|  
Initiated in Jaipur (Oct 2015)
*Official start date: November 1 2018
*First meeting:&nbsp;November 1-2 2018, BSI London
*Adhoc meeting, February 24-24, 2019, DIN Berlin
*Second meeting&nbsp;: May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 Virtual


Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.7999992370605px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.7999992370605px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span>
|-
| Versions
|
*1st WD provided in March 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*4th WD provided in June 2020


<span style="line-height: 20.7999992370605px;">Completed. Proposal for a NWIP: Requirementes for attribute-based unlinkable entity authentication</span>
|-
| Comments
|
Note that this an ISO standard


This standard is managed by the&nbsp;[https://www.iso.org/committee/6935430.html PC 317 technical committee]&nbsp;that is chaired by Jan Schallaboek
<div><br/></div>
|}
|}


=== <span style="font-size:larger">Privacy in Smart Cities (Started in October 2015)</span> ===
== New Work Items ==
 
<span style="font-size: larger;"></span>
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
=== <span style="font-size: larger;">27561 POMME Privacy operationalization model and method for engineering TS</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Saritha Nilesh Auti, Sanjeev Chhabra, Satish Katepalli Ksreenivasaiah, Antonio Kung<br/>
| John Sabo, Antonio Kung, Srinivas Poorsala
|-
|-
| Objective
| Objective
|  
|  
Connect with multiple stakeholders in the smart city space
This document describes a mPOMModel and method to operationalize privacy principles into sets of controls and functional capabilities.


Refer the existing work on smart cities
*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.
 
|-
| Documentation
|


Collate information, feedback, inputs from the stakeholders and draft the guidelines


Potentially provide (a) new work item proposal(s) that can translate in guidelines
|-
| Comments
|
It the result of the&nbsp;[https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]
<div><br/></div>
|}
</div>


=== <span style="font-size: larger;">27562 Privacy guidelines for Fintech services IS&nbsp;<span style="line-height: 18.24px;">(Under ballot</span></span><span style="font-size: 16px;">)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Documentation
| Leaders
| <br/>
| Heung Youl Youm,&nbsp;Heung Youl Youm,&nbsp;Gurshabad Grover
|-
|-
| Comments
| Objective
|  
|  
Initiated in Jaipur (October 2015)
This document provides guidelines on privacy for Fintech services.
 
It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering,&nbsp; fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder.
 
This document can be applicable to all kinds of&nbsp;organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment.&nbsp;


Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;
|-
| Documentation
|


Presentation in Tampa (April 2016)


*Liaison with EIP-SCC mentioned (see [https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]).&nbsp;
|-
| Comments
|
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]


|}
|}
</div>
== Preliminary Work Items ==


=== <span style="font-size:larger;">Editorial inconsistencies to 29100 (Started in April 2016)</span> ===
=== <span style="font-size:medium;">Impact of Artificial Intelligence on Security and Privacy (Started in September 2020)</span> ===
<div><br/></div><div>
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
|  
Antonio Kung,&nbsp;<span style="background-color: transparent;">Srinivas Poosarla,&nbsp;</span><span style="background-color: transparent;">Peter Dickman,&nbsp;Gurshabad Grover, Peter Deussen, Heung Your Youm,&nbsp;</span>Zhao Yunwei
 
|-
|-
| Objective
| Objective
|  
|  
Collecting errors and correcting inconsistencies
The PWI has the objective to investigate the possibility to propose one or several documents
 
*Part 1: a TR providing
**guidance on how to assess the impact of security and privacy of AI use cases,
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
*Part 2: a TS providing
**an overview of privacy concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
*Part 3: a TS providing
**an overview of security concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
 
The following work will be carried out in the PWI:
 
*extend the content of the study period report with the following
**analysis of TR 24030 use cases from a security viewpoint,
**identification of standards for which specific recommendations concerning AI would be useful,
**identification of AI standards for which specific recommendations concerning security and privacy would be useful;
**identification of specific security controls; and
**whatever contributions that matches the intended content of part 1, part 2, and part 3.
*transform the report into a set of three documents that can be submitted as draft TR and TS;
*make a recommendation on the way to proceed concerning the three documents;
 
 


|-
|-
| Documentation
|  
| <br/>
Documentation
 
|  
 
 
|-
|-
| Comments<br/>
| Comments
| <br/>
|  
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2028
 
|}
|}
</div>
</div></div>
=== <span style="font-size:larger;">Guidelines for privacy in Internet of Things (IoT) (Started in April 2016)</span> ===
 
=== <span style="font-size:medium;">Guidance on illustrative processes of a privacy information management system (Started in September 2020))</span> ===
<div>
<div>
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Heung Youl Youm,&nbsp;Srinivas Poorsala</span><br/>
|  
Michael Steiner, Vishnu Kanhere
 
|-
|-
| Objective
| Objective
|  
|  
*assess the viability of producing guidelines for Privacy in IoT within WG5;
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen
 
Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2<sup>nd</sup>&nbsp;WD of ISO/IEC 27022</li>
</ol>


|-
|-
| Documentation
|  
|  
Documentation


| <br/>
 
|-
|-
| Comments
| Comments
Line 621: Line 1,252:
|}
|}
</div>
</div>
&nbsp;
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Preliminary Work Item or Study Periods</span></span> ==
[[Completed study periods and pwis]]

Revision as of 13:41, 25 February 2021

ISO red.jpgIEC logo.png

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan SchallaböckWG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]

Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek

One project is carried out ​within ISO PC317. The convenor is Jan Schallaböck. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report

Former approach

  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New work item proposal
  • NP: New work item
  • DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)
  • TR: Technical Report
Technical specification
  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)
  • Technical Specification

Meetings

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City, Mexico
2015
  • May 4-12, 2015 Kuching, Malaysia
  • Oct 26-30, 2015 Jaipur, India
2016
  • April 11-15, 2016  Tampa, USA
  • Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE
2017
  • April 18-22, 2017, Hamilton, New Zealand
  • Oct 30- Nov 3, 2017,  Berlin, Germany
2018
  • April, 16-20 Wuhan, China
  • Sept 30 - Oct 4 - Gjovik, Norway
2019
  • April 1-5, Tel-Aviv, Israel
  • October 14-18, Paris, France
  • 19 October, Paris (jointly with SC27)
2020
  • April 21-26, Virtual meeting
  • Sept 12-16, Virtual meeting

ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.

2018
  • Nov 1-2, 2018, London
2019
  • Feb 6-8, Berlin (adhoc group)
  • May 20-23, Toronto
  • 19 October, Paris (jointly with SC27)
  • 21-23 October, Paris (colocated with SC27)
2020
  • 17-20 March, Virtual meeting
  • 30 Sept - 2 Oct, Virtual meeting

Published standards

19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408

Editor
Naruki Kai
Scope

This Technical Report provides guidance for:

  • developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
  • selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
  • procedure to define both privacy and security functional requirements in a coordinated manner
Documentation https://www.iso.org/standard/65459.html
Calendar

has been moved from TR to TS

Published in October 2018

Comments


20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy

Editor Jinhua Min, Xuebin Zhou
ScopeS Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
Documentation

Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], ​[7]

https://www.iso.org/standard/71278.html

Calendar

1st WD provided in June 2016

2nd WD provided in May 2017

3rd WD provided in November 2017

4th WD provided in April 2018

1st CD provided in November 2018

2nd CD provided in October 2019

DIS published in October 2019

Further to virtual meeting in April 2020, will go for FDIS

Comments 

WG9 is working on the following

  • 20546 : big data overview and vocabulary
  • 20547 : big data reference architecture
    • Part 1: Framework and application process (TR)
    • Part 2: Use cases and derived requirements (TR)
    • Part 3: Reference architecture (IS)
    • Part 4: Security and privacy fabric (IS)
    • Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

  • contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
  • address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)


20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques

Editor
Chris Mitchell and Lionel Vodzislawsky
Scope This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing
and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their
characteristics, and their applicability for minimizing the risk of re-identification
Documentation

Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf

https://www.iso.org/fr/standard/69373.html

Calendar

1st WD December 2015

2nd WD June 2016

1st CD Devember 2016

2nd CD May 2017

1st DIS January 2018

FDIS August 2018

Published in November 2018

Comments

27018:2014 IS Code of practice for protection of PII in public clouds acting as PII processors

Editor

Scope

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

Documentation

https://www.iso.org/standard/61498.html

Comments

1st published in 2014

ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques


27550:2019 TR Privacy engineering for system lifecycle processes

Editor
Antonio Kung, Mathias Reinis
Scope

This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

  • it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
  • it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

Documentation

A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E

https://www.iso.org/standard/72024.html

Calendar

1st WD provided in January 2017

2nd WD provided in June 2017

1st PDTR provided in January 2018

2nd PDTR provided in June 2018

3rd PDTR provided in October 2018

Version for publication provided in April 2019

Publication in September 2019

Comments

[Antonio Kung]

  • Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
  • Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

27570:2021 TS Privacy Guidelines for Smart Cities

Editor Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
Scope

The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

Documentation https://www.iso.org/standard/71678.html
Calendar

1st WD was provided in June 2018 further the Wuhan meeting.

2nd WD was provided in October 2018 further to the Gjovik meeting.

A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.

A 2nd PDTS was provided in November 2019 further to the Paris meeting

A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting

The document will go to publication further to the September 2020 virtual meeting.

The standard was published in January 2021 see following press release: https://www.iso.org/news/ref2631.html

Comments

First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

27701:2019 IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

Editor
Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm
Scope

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

Documentation https://www.iso.org/standard/71670.html
Calendar

1st WD provided in April 2017

2nd WD provided in June 2017

1st CD provided in April 2018

2nd CD provided in June 2018

DIS provided in March 2019

Publication in August 2019

Comments

Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

29100:2011 IS Privacy framework

Editor

Stefan Weiss

Revision : Nat Sakimura

Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

In the Tampa meeting, a recommendation was made to go for a review (see below study period)

A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work

The amended version will be available further to the Berlin meeting

29101:2018 IS Privacy architecture framework

Editor

Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomote

Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation https://www.iso.org/standard/75293.html
Comments Revision initiated in Berlin (November 2017)

29134:2017 IS Guidelines for Privacy impact assessment

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation https://www.iso.org/standard/62289.html
Calendar Published in June 2017
Comments

29151:2017 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)

Editor Heung Youl Youm, Alan Shipman
Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation

March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf

https://www.iso.org/standard/62726.html

Calendar Published in August 2017
Comments Also an ITU reference (ITU-T X.gpim)


29184:2020 IS Online privacy notices and consent

Editor
Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck
Scope

This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.

Documentation https://www.iso.org/standard/71678.html
Calendar

1st WD provided in June 2016

2nd WD provided in April 2017

3rd WD provided in June 2017

1nd CD provided in December 2017

2nd CD provided in July 2018

3rd CD provided in January 2019

DIS provided in April 2019

FDIS provided in May 2020

Published in June 2020

Comments

initiated in Jaipur (Oct 2015)

Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

29190:2015 IS Privacy capability assessment model

Editor Alan Shipman
Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations
Documentation https://www.iso.org/standard/45269.html
Calendar
Comments

29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication

Editor
Kazue Sako (NEC)
Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Documentation https://www.iso.org/standard/45270.html
Comments

Published in December 2012

Under pre-review

Standards in development

27006-2 TS Requirements for bodies providing audit and certification of information security management systems – Part 2:  Privacy information management systems

Editor Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
Scope

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Documentation https://www.iso.org/standard/71676.html
Calendar

Started in Paris October 2019

Further to Virtual meeting in April 2020, will move to 1st DTS

27045 IS Big data security and privacy - processes

Editor
Xiaoyuan Bai - Hongru Zhu - Vickey Hailey - Keith Fuller
Scope

This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.

The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks

Documentation https://www.iso.org/standard/63929.html
Calendar

1st WD was provided in January 2019

2nd WD was provided in April 2019

3rd WD was provided in October 2019

Further to virtual meeting of April 2020, will move to 4th WD

Comments

Is a WG4 project

27046 IS Big data security and privacy - Implementation guidelines

Editor Le Yu
Scope

This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

Documentation https://www.iso.org/standard/78572.html
Calendar

1st WD was provided in October 2019

Further to virtual meeting of April 2020, will move to 2nd WD

Comments Is a WG4 project

27400 IS Security and Privacy for the Internet of Things

Editor
Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
Scope

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

Documentation https://www.iso.org/standard/44373.html
Calendar

Started in Wuhan April 2018

1st WD provided in June 2018

2nd WD provided in November 2018

3rd WD provided in June 2019

1st CD provided in December 2020

Further to virtual meeting in April 2020, will move to 2nd CD

Comments

Follow up of

  • SP Privacy guidelines for IoT (WG5)
  • SP Security guidelines for IoT (WG4)
  • SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: likely to be renamed 27400

27402 IS IoT security and privacy - Device baseline requirements

Editor Elaine Newton, Mahmoud Ghaddar, Amit Elazari Bar On
Scope

This document will provide the minimum-security requirements for IoT Devices

Documentation https://www.iso.org/standard/80136.html
Calendar

1st WD was provided in May 2020

Further to September virtual meeting, 1st CD will be provided

Comments Is a WG4 project

27403 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics

Editor

Qin QIu, Mahmoud Ghaddar

Scope

This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems

Documentation https://www.iso.org/standard/78702.html
Calendar

This project is managed in WG4

Started in Paris October 2018 with a preliminary version

1st WD provided in October 2019

2nd WD provided in May 2020

Further to the September 2020 virtual meeting, will move to 3rd WD

Comment Is a WG4 member

27551 IS Requirements for attribute-based unlinkable entity authentication

Editor
Nat Sakimura, Jaehoon Na, Pascal Pailler
Scope

This International Standard

 

  • Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
  • Specifies requirements for attribute-based unlinkable entity authentication implementations.

  This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

Documentation https://www.iso.org/standard/44373.html
Calendar

1st WD provided in April 2017

2nd WD provided in Dec 2017

3rd WD provided in July 2018

4th WD provided in February 2019

1st CD provided in October 2019

DIS provided in November 2019

Further to September virtual meeting will move to FDIS

Comments

27555 IS Guidelines on Personally Identifiable Information Deletion

Editor

Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

Scope

This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

  • a harmonised terminology for PII deletion,
  • an approach for defining deletion/de-identification rules in an efficient way,
  • a description of required documentation, and
  • a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

  • specific legal provision, as given by national law or specified in contracts,
  • specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
  • deletion mechanisms including those for cloud storage,
  • security of deletion mechanisms,
  • specific techniques for de-identification of data.
Documentation https://www.iso.org/fr/standard/71673.html
Calendar

1st WD provided in March 2019

2nd WD provided in June 2019

1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)

2nd CD was published in June 2020

Further to virtual meeting of Sept 2020, it will go to DIS.

Comments It is based on a German standard

27556 IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences

Editor
Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
Scope

This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which

  • defines the actors and roles in the PII handling,
  • describes components, their relationships and procedures,
  • describes role and properties of a privacy preference management within a privacy information management system, and
  • provides requirements for privacy preference administration and PII handing based on privacy preference management.
Calendar

Established in Gjovik (October 2018)

1st WD provided In June 2019

2nd WD provided in December 2019

1st CD provided in y 2020

Further to Sept 2020 meeting, will move to 2nd CD

Documentation https://www.iso.org/standard/71674.html
Comments

27557 IS Organizational privacy risk management

Editor

Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

Scope

Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

Documentation https://www.iso.org/standard/71674.html
Calendar

1 st WD was published in May 2020

Further to virtual meeting (Sept 2020) will move to 2nd WD

27559 IS Privacy-enhancing data de-identification framework

Editor Malcolm Townsend
Scope

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

Documentation https://www.iso.org/standard/71677.html
Calendar

1st WD was provide in July 2020

Further to virtual meeting of Sept 2020, will move to 2nd WD

27560 TS Privacy technologies – Consent record information structure

Editor Christoph Stenuit, Andrew Hughes, Kelvin Magtalas
Scope

This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

Documentation
Calendar

1st WD was provided in May 2020

Further to virtual meeting of Sept 2020 will move to 2nd WD


31700 IS Consumer Protection - Privacy-by-design for consumer goods and services

Editor

Project leader: Michelle Chibba

Scope

Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

Documentation See https://www.iso.org/standard/76402.html
Calendar
  • Official start date: November 1 2018
  • First meeting: November 1-2 2018, BSI London
  • Adhoc meeting, February 24-24, 2019, DIN Berlin
  • Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
  • Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
  • Third meeting: October 21-23 2019 AFNOR Paris
  • Fourth meeting: March 17-20 2020 Virtual
  • Fifth meeting: Sep 30-Oct 2 Virtual
Versions
  • 1st WD provided in March 2019
  • 2nd WD provided in July 2019
  • 3rd WD provided in Dec 2019
  • 4th WD provided in June 2020
Comments

Note that this an ISO standard

This standard is managed by the PC 317 technical committee that is chaired by Jan Schallaboek


New Work Items

27561 POMME Privacy operationalization model and method for engineering TS

Leaders John Sabo, Antonio Kung, Srinivas Poorsala
Objective

This document describes a mPOMModel and method to operationalize privacy principles into sets of controls and functional capabilities.

  • the method is described as a process following ISO/IEC/IEEE 24774;
  • it operationalizes ISO/IEC 29100;
  • it is intended for engineers and other practitioners developing systems controlling or processing PII;
  • it is designed for use with other standards and privacy guidance;
  • it supports networked, interdependent applications and systems.
Documentation


Comments

It the result of the study period privacy engineering model


27562 Privacy guidelines for Fintech services IS (Under ballot)

Leaders Heung Youl Youm, Heung Youl Youm, Gurshabad Grover
Objective

This document provides guidelines on privacy for Fintech services.

It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering,  fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment. 

Documentation


Comments

It the result of the study period privacy guidelines for Fintech services

Preliminary Work Items

Impact of Artificial Intelligence on Security and Privacy (Started in September 2020)

Leaders

Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

Objective

The PWI has the objective to investigate the possibility to propose one or several documents

  • Part 1: a TR providing
    • guidance on how to assess the impact of security and privacy of AI use cases,
    • providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
  • Part 2: a TS providing
    • an overview of privacy concerns for AI,
    • guidance concerning AI-based systems
    • additional recommendations concerning standards where appropriate
  • Part 3: a TS providing
    • an overview of security concerns for AI,
    • guidance concerning AI-based systems
    • additional recommendations concerning standards where appropriate

The following work will be carried out in the PWI:

  • extend the content of the study period report with the following
    • analysis of TR 24030 use cases from a security viewpoint,
    • identification of standards for which specific recommendations concerning AI would be useful,
    • identification of AI standards for which specific recommendations concerning security and privacy would be useful;
    • identification of specific security controls; and
    • whatever contributions that matches the intended content of part 1, part 2, and part 3.
  • transform the report into a set of three documents that can be submitted as draft TR and TS;
  • make a recommendation on the way to proceed concerning the three documents;


Documentation


Comments

Is the continuation of the study period that concluded in September 2028

Guidance on illustrative processes of a privacy information management system (Started in September 2020))

Leaders

Michael Steiner, Vishnu Kanhere

Objective

Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:

  1. ISO/IEC 27001 and ISO/IEC 27003
  2. ISO/IEC 27701 (a.k.a. DIS 27552)
  3. ISO Handbook “The integrated use of management system standards”
  4. ISO/IEC 33004
  5. 2nd WD of ISO/IEC 27022
Documentation


Comments


 

Completed Preliminary Work Item or Study Periods

Completed study periods and pwis