Difference between revisions of "ISO"

From IPEN Wiki
Jump to navigation Jump to search
Line 224: Line 224:
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">To be nominated</span><br/>
| Proposed editor: Koji Nakao, Antonio Kung
|-
|-
| Scope
| Scope

Revision as of 05:56, 9 April 2018

ISO.png

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in ISO/IEC JTC1/SC27

More info can be found on in the SC27 portal:

Note that the portal will in general contain more information that in this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.

WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • PDTR: Proposed Draft Technical Report
  • DTR: Draft Technical Report
  • TR: Technical Report
Technical specification
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • PDTS: Proposed Draft Technical Specification
  • DTS: Draft Technical Specification
  • Technical Specification

Progress is finalised in plenary meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City, Mexico
2015
  • May 4-12, 2015 Kuching, Malaysia
  • Oct 26-30, 2015 Jaipur, India
2016
  • April 11-15, 2016  Tampa, USA
  • Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE
2017
  • April 18-22, 2017, Hamilton, New Zealand
  • Oct 30- Nov 3, 2017,  Berlin, Germany
2018
  • April, 16-20 Wuhan, China
  • October, Norway
2019
  • Korea
  • France

Standards and Projects

19608 TS Guidance for developing security and privacy functional requirements based on 15408

Editor
Naruki Kai
Scope

This Technical Report provides guidance for:

  • developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
  • selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
  • procedure to define both privacy and security functional requirements in a coordinated manner
Documentation
Calendar has been moved from TR to TS
Comments

20547 IS Big data reference architecture - Part 4 - Security and privacy

Editor Jinhua Min, Xuebin Zhou
ScopeS Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
Documentation

Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], ​[7]

Calendar

First WD and annotated table of content provided in november 2016

2nd WD provided in May 2017

3rd WD to be provided

Comments 

WG9 is working on the following

  • 20546 : big data overview and vocabulary
  • 20547 : big data reference architecture
    • Part 1: Framework and application process (TR)
    • Part 2: Use cases and derived requirements (TR)
    • Part 3: Reference architecture (IS)
    • Part 4: Security and privacy fabric (IS)
    • Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

  • contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
  • address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

20889 IS Privacy enhancing de-identification techniques

Editor
Chris Mitchell and Lionel Vodzislawsky
Scope This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing
and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their
characteristics, and their applicability for minimizing the risk of re-identification
Documentation Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf
Calendar Further to Berlin, will for DIS
Comments

27018 IS Code of practice for protection of PII in public clouds acting as PII processors

Editor

Scope

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp; (preview available)
Comments

1st published in 2014

ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques



27030 Security and Privacy for the Internet of Things

Editor
Proposed editor: Koji Nakao, Antonio Kung
Scope

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

Documentation
Calendar Will start in April 2018
Comments

Follow up of

  • SP Privacy guidelines for IoT (WG5)
  • SP Security guidelines for IoT (WG4)
  • SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

27550 TR Privacy engineering

Editor
Antonio Kung, Mathias Reinis
Scope

This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

  • it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
  • it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

Documentation
Calendar

1st WD provided in January 2017

2nd WD provided in June 2017

1st PDTR under ballot

Comments

[Antonio Kung]

  • Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
  • Integrates majore results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

27551 IS Requirements for attribute-based unlinkable entity authentication

Editor
Nat Sakimura, Jaehoon Na, Pascal Pailler
Scope

This International Standard

 

  • Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
  • Specifies requirements for attribute-based unlinkable entity authentication implementations.

  This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

Documentation
Calendar

1st WD provided in April 2017

2nd WD provided in June 2017

Comments

27552 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management - Requirements and guidelines

Editor
Alan Shipman, Angelika Eksteen, Srinivas Poosarla, Heung Youl Youm
Scope

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

Documentation
Calendar

1st WD provided in April 2017

2nd WD provided in June 2017

Intention is to go for 1st CD to be discussed in April 2018

Comments



27570 TS Privacy Guidelines for Smart Cities

Editor
Proposed editor: Antonio Kung, Heung Youl Youm
Scope

The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

Documentation
Calendar Will start in April 2018
Comments

Follow up of SP Privacy in Smart cities


29100 IS Privacy framework

Editor

Stefan Weiss

Revision : Nat Sakimura

Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

In the Tampa meeting, a recommendation was made to go for a review (see below study period)

A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work

The amended version will be available further to the Berlin meeting

29101 IS Privacy architecture framework

Editor

Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomote

Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available)
Comments Revision initiated in Berlin (November 2017)

29134 IS Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation
Calendar Published in June 2017
Comments

29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)

Editor Heung Youl Youm, Alan Shipman
Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf
Calendar Published in August 2017
Comments Also an ITU reference (ITU-T X.gpim)

29190 IS Privacy capability assessment model

Editor Alan Shipman
Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations
Documentation Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269
Calendar
Comments

29191 IS Requirements for partially anonymous, partially unlinkable authentication

Editor
Kazue Sako (NEC)
Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 (preview available)
Comments

Published in December 2012

Under pre-review


29184 IS Online privacy notices and consent

Editor
Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck
Scope

This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.

Documentation
Calendar Further to Hamilton (April 2017)will go for 3rd draft
Comments

initiated in Jaipur (Oct 2015)

Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consen

Study Periods

Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), or 12 months (2 meetings) after which, a NWIP (New Work Item Proposal) can be made.

Privacy engineering framework (Started in April 2015. Completed in April 2016)

Leaders Antonio Kung, Matthias Reinis
Objective Study the concept of privacy engineering and see whether new work items are needed
Documentation Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf
Timeline

Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)

Leader Pascal Pailler, Nat Sakimura, Jaz Hoon Nah
Objective
Documentation
Comments
  • Initiated in Jaipur (Oct 2015)
  • Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: https://abc4trust.eu,, initiated in April 2014 in Hong Kong), with an extended scope
  • Completed.
  • Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)

Leaders Nat Sakimura, Mathias Reinis, Elaine Newton
Objective

Collecting errors and correcting inconsistencies

Documentation
Comments
  • Completed, has led to a draft amendment (with limited scope)

Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)

Leaders Heung Youl Youm, Srinivas Poorsala, Antonio Kung
Objective
  • assess the viability of producing guidelines for Privacy in IoT within WG5;
  • to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

Documentation


Comments

Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"


Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)

Start/Duration April 2017/6 months)
Leaders Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
Objective prepare the materials necessary to initiate an International Standard
coming out of the SC 27 meeting in Berlin (Oct-2017)

Documentation


Comments

Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things).

Kickoff expected in Wuhan in WG4

PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)

Leader Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri
Objective

Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

Documentation
Comments

Initiated in Jaipur (October 2015)

Privacy in smart cities (Started in October 2015. Completed in November 2017)

Leaders Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari
Objective

Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

Documentation
Comments

Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

Presentation in Abu Dhabi (October 2016) of intermediate state

Presentation in Hamilton (April 2017) of intermediate state

Proposal for new work item in Berlin (Nov 2017)

Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)

Leaders Mathias Reinis, Heung Youl Youm
Objective

Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

Documentation


Comments

Terminated due to lack of contributions

Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. 6 months)

Leaders David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
Objective

Documentation


Comments


David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm 

Identify assurance framework (Started in April 2017. 12 months)

Leaders Patrick Curry, Anthony Nadalin
Objective analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework.

Documentation


Comments


Application of ISO 31000 for identify-related risk (Started in April 2017. 6 months)

Leaders Christophe Stenuit, Joanne Knight
Objective Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks

Documentation


Comments

Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, 12 months)

Start/duration

April 2017 / 12 months

Leaders Shinzaku Kiyomoto, Antonio Kung
Objective define frameworks of user-centric PII handling based on privacy preferences of users

Documentation


Comments

Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment

In Berlin (November 2017),  it was decided to consider 3 options

  • extension of 29101
  • definition of a generic model
  • defintion of specific models

Concept of PII Deletion (Started in November 2017. 6 Months)

Leaders Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman
Objective Stuty the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"

Documentation


Comments