Difference between revisions of "ISO"

From IPEN Wiki
Jump to navigation Jump to search
(Undo revision 982 by Antoniok (talk))
m (Reverted edits by Antoniok (talk) to last revision by IreneKamara)
Line 1: Line 1:
[[File:ISO red.jpg|200px|ISO red.jpg]][[File:IEC logo.png|200px|IEC logo.png]]
[[File:ISO.png]]


== <span style="font-size:larger">Introduction</span> ==
== <span style="font-size:larger">Introduction</span> ==


The objective of this page is to provide a high-level view of activities related to privacy standards in ISO
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span>


*within&nbsp;<span style="line-height: 1.6">'''ISO/IEC JTC1/SC27'''</span>
<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span>
**<span style="line-height: 1.6">More info can be found on in the SC27 portal:</span>
***[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
***[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)


<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is '''Jan Schallaböck'''.&nbsp;</span><span style="line-height: 1.6;">WG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in&nbsp;</span>[https://www.din.de/en/meta/jtc1sc27/downloads [1]]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en http://www.jtc1sc27.din.de/cmd?level=tpl-home&languageid=en]
*[http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707 http://www.jtc1sc27.din.de/cmd?level=tpl-bereich&menuid=220707&languageid=en&cmsareaid=220707]&nbsp;(set of slides)


Some of the projects are also carried out in&nbsp;'''ISO/IEC JTC1/SC27/WG4'''''<span style="line-height: 1.6;">.</span>''<span style="line-height: 1.6;">The convenor is Johann Amsenga, and the vice convenor is François Lorek</span>
<span style="line-height: 1.6">Note that the portal will in general contain more information that in this wiki, which</span><span style="line-height: 1.6">&nbsp;focuses mainly on work carried out in&nbsp;</span>'''ISO/IEC JTC1/SC27/WG5'''''<span style="line-height: 1.6">.</span>''<span style="line-height: 1.6">The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.</span>
 
*<span style="line-height: 1.6;">​wihtin ISO/PC 317&nbsp;</span>Consumer protection: privacy by design for consumer goods and services


== <span style="font-size:larger">Some conventions on ISO standards</span> ==
== <span style="font-size:larger">Some conventions on ISO standards</span> ==
Line 20: Line 16:
The important things to know concerning ISO standards steps:
The important things to know concerning ISO standards steps:


{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
Line 37: Line 33:
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
| <ul style="line-height: 20.7999992370605px;">
| <ul style="line-height: 20.7999992370605px;">
<li>SP: Study period</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>PDTR: Proposed Draft Technical Report</li>
<li>PDTR: Proposed Draft Technical Report</li>
<li>DTR:&nbsp;Draft Technical Report</li>
<li>DTR:&nbsp;Draft Technical Report</li>
Line 48: Line 41:
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <ul style="line-height: 20.7999992370605px;">
| <ul style="line-height: 20.7999992370605px;">
<li>SP: Study period</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li>
<li>PDTS:&nbsp;Proposed Draft Technical Specification</li>
<li>DTS: Draft Technical Specification</li>
<li>DTS: Draft Technical Specification</li>
Line 60: Line 50:
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.
Progress is finalised in plenary&nbsp;meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.


{| style="width: 500px" cellpadding="1" cellspacing="1" border="1"
{| style="width: 500px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| 2014
| 2014
Line 76: Line 66:
| 2016
| 2016
|  
|  
*April 11-15, 2016 &nbsp;Tampa, USA
*April 11-15 Tampa, USA
*Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE
*Oct 23 (sunday) - 27 (thursday), UAE


|-
|-
| 2017
| 2017
|  
|  
*April 18-22, 2017, Hamilton, New Zealand
*April/May Hamilton, New Zealand
*Oct 30- Nov 3, 2017, &nbsp;Berlin, Germany
*Oct/Nov Crete, Greece
 
|-
| 2018
|
*April, 16-20 Wuhan, China
*Sept 30 - Oct 4 - Gjovik, Norway
 
|-
| 2019
|
*Israel, Tel-Aviv
*France


|}
|}
Line 101: Line 79:
== <span style="font-size:larger">Standards and Projects</span> ==
== <span style="font-size:larger">Standards and Projects</span> ==


=== <span style="font-size: larger;">19608 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
=== <span style="font-size:larger">29100 IS Privacy framework</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor<br/>
| Editor<br/>
| Naruki Kai
| <span style="line-height: 20.7999992370605px">Stefan Weiss</span><br/>
|-
|-
| Scope
| Scope
|  
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
Thi<span style="line-height: 20.8px;">s Technical Report provides guidance for:</span>
 
*developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
*selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
*procedure to define both privacy and security functional requirements in a coordinated manner
 
|-
|-
| Documentation
| Documentation
| <br/>
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
|-
| Calendar
| has been moved from TR to TS
|-
|-
| Comments
| Comments
Line 127: Line 96:
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">20547 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor
| Editor
| Jinhua Min, Xuebin Zhou<br/>
| <span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov</span><br/>
|-
|-
| ScopeS
| Scope
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|  
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>
 
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
 
|-
|-
| Documentation
| Documentation
|  
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
 
|-
|-
| Calendar
| Comments
|  
| <br/>
1st WD provided in June 2016
|}


2nd WD provided in May 2017
=== <span style="font-size:larger">29134 Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===
 
3rd WD provided in November 2017
 
4th WD to be provided


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
| Editor
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
|-
|-
| Comments&nbsp;
| Scope
|  
|  
WG9 is working on the following
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).


*20546&nbsp;: big data overview and vocabulary
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)


Part 4 is transferred to SC27 for development, with close liaison with WG 9
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.


[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.


*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.
*address the 5 Vs concern (volume, velocity, variety, veracity, value)


Further to Berlin meeting, decision to change title (term fabric is removed)
For principles and guidelines on risk management, reference is made to ISO 31000:2009.
 
|}
 
=== <span style="font-size: larger;">20889 IS Privacy enhancing de-identification techniques</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
| Editor<br/>
| Chris Mitchell and&nbsp;Lionel Vodzislawsky<br/>
|-
| Scope
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/>
|-
|-
| Documentation
| Documentation
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
| <br/>
|-
|-
| Calendar
| Calendar
|  
| <span style="line-height: 1.6">Currently CD</span><br/>
1st WD December 2015
 
2nd WD June 2016
 
1st CD Devember 2016
 
2nd CD May 2017
 
1st DIS January 2018
 
Further to Wuhan, will go for FDIS
 
|-
|-
| Comments
| Comments
| <br/><br/>
| <br/>
|}
|}
<div></div>
=== <span style="font-size:larger">29151 Code of Practice for PII Protection</span> ===


=== <span style="font-size: larger;">27018 IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
 
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor
| <br/>
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
 
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).


It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.


|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
|-
| Calendar
| <span style="line-height: 20.7999992370605px">Currently CD</span><br/>
|-
|-
| Comments
| Comments
|  
| Also an ITU reference (ITU-T X.gpim)
1st published in 2014
 
ISO/IEC JTC&nbsp;1,&nbsp;''Information technology'', Subcommittee SC&nbsp;27,&nbsp;''IT Security techniques''
<div><br/></div>
|}
|}


=== <span style="font-size:larger">29190 Privacy capability assessment model</span> ===


 
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
=== 27030&nbsp;Security and Privacy for the Internet of Things ===
 
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor
| Faud Khan, Koji Nakao, Antonio Kung, Luc Poulain
| <span style="line-height: 20.7999992370605px">Alan Shipman</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6">In particular, it:</span>
<ul style="line-height: 18.9090900421143px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>


|-
|-
| Documentation
| Documentation
| <br/>
| Must be purchased. [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]
|-
|-
| Calendar
| Calendar
|  
| <br/>
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
 
<span style="line-height: 20.8px;">First draft planned in July 2018</span>
 
|-
|-
| Comments
| Comments
|  
| <br/>
<span style="line-height: 20.8px;">Follow up of</span>
 
*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>
 
|}
|}


=== <span style="font-size: larger;">27550&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering</span> ===
=== <span style="font-size:larger">29191 Requirements for partially anonymous, partially unlinkable authentication</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
| <br/>
|-
|-
| Scope
| Scope
|  
|  
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.
 
This document provides guidance to the use of group signatures for data minimization and user convenience.


*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
This guideline is applicable in use cases where authentication or authorization is needed.
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;


The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.


|-
|-
| Documentation
| Documentation
| <br/>
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)
|-
| Calendar
|
1st WD provided in January 2017
 
2nd WD provided in June 2017
 
1st PDTR provided in January 2018
 
2nd PDTR to be provided in June 2018
 
|-
|-
| Comments<br/>
| Comments<br/>
|  
| <br/>
[Antonio Kung]
 
*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
*Integrates majore results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies
 
|}
|}


=== <span style="font-size: larger; line-height: 1.2;">27551 IS Requirements for attribute-based unlinkable entity authentication</span> ===
=== <span style="font-size:larger">27018 Code of practice for protection of PII in public clouds acting as PII processors</span> ===


{| style="width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor<br/>
| Editor<br/>
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
| <br/>
|-
|-
| Scope
| Scope
|  
|  
This International Standard
This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.


&nbsp;
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.
 
*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
*Specifies requirements for attribute-based unlinkable entity authentication implementations.
 
&nbsp; This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication


|-
|-
| Documentation
| Documentation
| <br/>
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.7999992370605px">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
|-
|-
| Calendar<br/>
| Comments
|  
|  
1st WD provided in April 2017
1st published in 2014


2nd WD provided in Dec 2017
ISO/IEC JTC&nbsp;1, ''Information technology'', Subcommittee SC&nbsp;27, ''IT Security techniques''


|-
| Comments<br/>
| <br/>
|}
|}


=== <span style="font-size: 18.252px; line-height: 21.9024px;">27552&nbsp;IS Extension&nbsp;to ISO/IEC 27001 and ISO/IEC 27002 for privacy management - Requirements and guidelines</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
 
=== <span style="font-size: larger;">20889&nbsp;Privacy Enhancing De-identification Techniques</span> ===
 
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
| Chris Mitchell and&nbsp;Lionel Vodzislawsky<br/>
|-
|-
| Scope
| Scope
|  
| This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing<br/>and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.<br/>In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their<br/>characteristics, and their applicability for minimizing the risk of re-identification<br/>
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
 
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
 
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
 
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.
 
|-
|-
| Documentation
| Documentation
| <br/>
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
|-
|-
| Calendar
| Calendar
|  
| Working draft status
1st WD provided in April 2017
 
2nd WD provided in June 2017
 
1st CD provided in April 2018
 
2nd CD to be discussed in October 2018
 
|-
|-
| Comments
| Comments
|  
| Was proposed in the Kuching meeting (May 2015).
 
 
|}
|}


=== <span style="font-size: larger; line-height: 21.9024px;">27570&nbsp;TS&nbsp;Privacy Guidelines for Smart Cities</span> ===
=== <span style="font-size:larger">NWIP Guidelines for online privacy notices and consent</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor<br/>
| Editor<br/>
| Proposed editor: Antonio Kung, Heung Youl Youm
| Nat Sakimura, Srinivas Poorsala<br/>
|-
|-
| Scope
| Scope
|  
| Guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from a PII principals online<br/>
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens
 
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments
 
|-
|-
| Documentation
| Documentation
Line 396: Line 295:
|-
|-
| Calendar
| Calendar
| <span style="line-height: 20.8px;">A first preliminary draft will be provider in early June 2018</span><br/>
| <br/>
|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>
Initiated in Jaipur (Oct 2015)
 
Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent


<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
<div><br/></div>
|}
|}


=== <span style="font-size: larger;">29100 IS Privacy framework</span> ===
== <span style="font-size:larger"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2000007629395px">Study Periods</span></span> ==


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made<span style="line-height: 1.6">.</span>
|-
| Editor<br/>
|
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>


<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
=== <span style="line-height: 1.2; font-size: larger;">Privacy Engineering Framework</span> ===


{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Scope
| Leaders
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
| <span style="line-height: 20.7999992370605px">Antonio Kung, Matthias Reinis</span><br/>
|-
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
|-
| Comments
| Comments
|  
| <div style="line-height: 20.7999992370605px"><span style="line-height: 20.7999992370605px">Intended calendar</span><br/></div><div style="line-height: 20.7999992370605px">
In the Tampa meeting, a recommendation was made to go for a review (see below study period)
*Contributions by August 15th 2015.
 
**<span style="line-height: 20.7999992370605px; background-color: rgb(255, 255, 0)">​</span><span style="line-height: 20.7999992370605px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span>
A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work
*Presentation in Jaipur October 2015
 
**<span style="background-color:#FFFF00;">Summary made to PRIPARE project:&nbsp;</span>[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf <span style="background-color:#FFFF00;">http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf</span>]
The amended version will be available further to the Berlin meeting
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering
 
*Presentation in Tampa April 2016
</div>
|}
|}
<div>=</div><div></div>
=== <span style="font-size: larger;">PII Protection Considerations for Smartphone App Providers</span> ===


=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"
 
|-
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
| Leader
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/>
|-
|-
| Editor
| Objective
|  
|  
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>
Study mobile application ecosystems from a privacy viewpoint
 
<span style="line-height: 20.7999992370605px;">Collect views of multiple stakeholders in the mobile applications space</span>


<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomote</span>
<span style="line-height: 20.7999992370605px;">Collect mobile apps privacy guidelines issued by various agencies</span>


|-
<span style="line-height: 20.7999992370605px;">Collate a report on the findings</span>
| Scope
|
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>


This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
<span style="line-height: 20.7999992370605px;">Potentially provide a new work item proposal</span>


|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
| <br/>
|-
|-
| Comments
| Comments
| Revision initiated in Berlin (November 2017)
|  
Initiated in Jaipur (October 2015)
 
|}
|}


=== <span style="font-size:larger">29134 IS Privacy impact assessment -- Methodology&nbsp;Privacy impact assessment - Guidelines</span> ===
=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.7999992370605px; width: 900px;"
|-
|-
| Editor
| Leader
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
| <span style="line-height: 20.7999992370605px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/>
|-
|-
| Scope
| Objective
|  
| <br/>
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).
 
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.
 
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
 
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
 
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.
 
For principles and guidelines on risk management, reference is made to ISO 31000:2009.
 
|-
|-
| Documentation
| Documentation
| <br/>
| <br/>
|-
| Calendar
| <span style="line-height: 1.6">Published in June 2017</span><br/>
|-
|-
| Comments
| Comments
| <br/>
|  
Initiated in Jaipur (Oct 2015)
 
Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.7999992370605px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.7999992370605px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span>
 
|}
|}
<div></div>
<div style="line-height: 20.7999992370605px;"><br/></div>
=== <span style="font-size:larger">29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===
=== <span style="font-size:larger">Privacy in Smart Cities</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
{| style="width: 900px" border="1" cellpadding="1" cellspacing="1"
|-
|-
| Editor
| Leaders
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
| Saritha Nilesh Auti, Sanjeev Chhabra, Satish Katepalli Ksreenivasaiah, Antonio Kung<br/>
|-
|-
| Scope
| Objective
|  
|  
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).
Connect with multiple stakeholders in the smart city space
 
Refer the existing work on smart cities


In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
Collate information, feedback, inputs from the stakeholders and draft the guidelines


This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.
Potentially provide (a) new work item proposal(s) that can translate in guidelines


|-
|-
| Documentation
| Documentation
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
| <br/>
|-
| Calendar
| Published in August 2017
|-
|-
| Comments
| Comments
| Also an ITU reference (ITU-T X.gpim)
|  
|}
Initiated in Jaipur (October 2015)


Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;


 
|}
=== <span style="font-size: 16px; line-height: 21.9px;">29184 IS Online privacy notices and consent</span> ===

Revision as of 11:27, 15 June 2018

ISO.png

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO, in particular in ISO/IEC JTC1/SC27

More info can be found on in the SC27 portal:

Note that the portal will in general contain more information that in this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan Schallaböck.

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • SP: Study period
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report
  • PDTR: Proposed Draft Technical Report
  • DTR: Draft Technical Report
  • TR: Technical Report
Technical specification
  • PDTS: Proposed Draft Technical Specification
  • DTS: Draft Technical Specification
  • Technical Specification

Progress is finalised in plenary meetings (taking place every 6 months). Here is a list of meetings that took place or that will take place.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City, Mexico
2015
  • May 4-12, 2015 Kuching, Malaysia
  • Oct 26-30, 2015 Jaipur, India
2016
  • April 11-15 Tampa, USA
  • Oct 23 (sunday) - 27 (thursday), UAE
2017
  • April/May Hamilton, New Zealand
  • Oct/Nov Crete, Greece

Standards and Projects

29100 IS Privacy framework

Editor
 Stefan Weiss
Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

29101 IS Privacy architecture framework

Editor Stefan Weiss and Dan Bogdanov
Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation Must be purchased. http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 (preview available)
Comments

29134 Privacy impact assessment -- Methodology Privacy impact assessment - Guidelines

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation
Calendar Currently CD
Comments

29151 Code of Practice for PII Protection

Editor Heung Youl Youm, Alan Shipman
Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf
Calendar Currently CD
Comments Also an ITU reference (ITU-T X.gpim)

29190 Privacy capability assessment model

Editor Alan Shipman
Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations
Documentation Must be purchased. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269
Calendar
Comments

29191 Requirements for partially anonymous, partially unlinkable authentication

Editor
Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 (preview available)
Comments

27018 Code of practice for protection of PII in public clouds acting as PII processors

Editor
Scope

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

Documentation Must be purchased.  http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp; (preview available)
Comments

1st published in 2014

ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques


20889 Privacy Enhancing De-identification Techniques

Editor
 Chris Mitchell and Lionel Vodzislawsky
Scope This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing
and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their
characteristics, and their applicability for minimizing the risk of re-identification
Documentation Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf
Calendar Working draft status
Comments Was proposed in the Kuching meeting (May 2015).

NWIP Guidelines for online privacy notices and consent

Editor
 Nat Sakimura, Srinivas Poorsala
Scope Guidelines for the content and the structure of online privacy notices as well as documents asking for consent to collect and process personally identifiable information (PII) from a PII principals online
Documentation
Calendar
Comments

Initiated in Jaipur (Oct 2015)

Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

Study Periods

Study periods are the instruments through which new items of standardisation will be introduced. They typically last 6 months (until next meeting), after which, a NWIP (New Work Item Proposal) can be made.

Privacy Engineering Framework

Leaders Antonio Kung, Matthias Reinis
Objective Study the concept of privacy engineering and see whether new work items are needed
Documentation Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf
Comments
Intended calendar
=

PII Protection Considerations for Smartphone App Providers

Leader Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri
Objective

Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

Documentation
Comments

Initiated in Jaipur (October 2015)

Privacy-Preserving Attribute-based Entity Authentication

Leader Pascal Pailler, Nat Sakimura, Jaz Hoon Nah
Objective
Documentation
Comments

Initiated in Jaipur (Oct 2015)

Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: https://abc4trust.eu,, initiated in April 2014 in Hong Kong), with an extended scope


Privacy in Smart Cities

Leaders Saritha Nilesh Auti, Sanjeev Chhabra, Satish Katepalli Ksreenivasaiah, Antonio Kung
Objective

Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

Documentation
Comments

Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Retrieved from "https://ipen.trialog.com/?title=ISO&oldid=984"