Difference between revisions of "ISO"

From IPEN Wiki
Jump to navigation Jump to search
 
(458 intermediate revisions by the same user not shown)
Line 3: Line 3:
== <span style="font-size:larger">Introduction</span> ==
== <span style="font-size:larger">Introduction</span> ==


The objective of this page is to provide a high-level view of activities related to privacy standards in ISO
The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).


Most projects are developed within&nbsp;<span style="line-height: 1.6">ISO/IEC JTC1/SC27.&nbsp;</span>More info can be found on in the SC27 portal:
Most projects are developed within&nbsp;<span style="line-height: 1.6">ISO/IEC JTC1/SC27.&nbsp;</span>More info can be found on in the SC27 portal:
Line 24: Line 24:
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
| <span style="line-height: 18.9090900421143px">Standard</span><br/>
| <ul style="line-height: 18.9090900421143px;">
| <ul style="line-height: 18.9090900421143px;">
<li>SP: Study period</li>
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>NP: New Work Item</li>
Line 36: Line 36:
|-
|-
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
| <span style="line-height: 20.7999992370605px">Technical report</span><br/>
|  
| <ul style="line-height: 20.7999992370605px;">
Former approach
<li>PWI: Preliminary work item (previously SP: Study period in SC27)</li>
<ul style="line-height: 20.7999992370605px;">
<li>SP: Study period</li>
<li>NWIP: New work item proposal</li>
<li>NWIP: New work item proposal</li>
<li>NP: New work item</li>
<li>NP: New work item</li>
Line 49: Line 47:
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <span style="line-height: 20.7999992370605px">Technical specification</span><br/>
| <ul style="line-height: 20.7999992370605px;">
| <ul style="line-height: 20.7999992370605px;">
<li>SP: Study period</li>
<li>PWI: Preliminary work item (previously&nbsp;SP: Study period in SC27)</li>
<li>NWIP: New Work Item Proposal</li>
<li>NWIP: New Work Item Proposal</li>
<li>NP: New Work Item</li>
<li>NP: New Work Item</li>
Line 107: Line 105:
|  
|  
*April 21-26, Virtual meeting
*April 21-26, Virtual meeting
*Sept 12-16, Virtual meeting
|-
| 2021
|
*April 12-15, Virtual meeting
*October 19-29, Virtual meeting
|-
| 2022
|
*March 29 - April 8, Virtual meeting
*Sept 26-30, Hybrid meeting - Luxembourg -&nbsp;
|-
| 2023
|
*April 17-21, Hybrid meeting - Redmond, US
*October 16-20, Hybrid meeting - Seoul, Korea


|}
|}
Line 130: Line 147:
|  
|  
*17-20 March, Virtual meeting
*17-20 March, Virtual meeting
*30 Sept - 2 Oct, Virtual meeting
|-
| 2021
|
*19-22 March, Virtual meeting
*13-17 September, Virtual meeting
|-
| 2022
|
*16-20 May, Virtual meeting
|}
== <span style="font-size: larger;">Privacy references lists</span> ==
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Scope
|
The WG5 Standing Document 2 contains references with relevant descriptions to privacy-related:
*Privacy regulatory authorities and regulations.
*Standards.
*Guidelines.
*Newsletters and forums.
*Organisations and associations.
*Projects.
*Data retention periods.
The WG5 Standing Document 2 shall not be considered as:
*Legal interpretations.
*Having been legally validated by a global law firm or relevant lawyers.
|-
| Documentation
| [https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf]<br/>
|-
| Calendar
|
This document is regularly updated


|}
|}
Line 135: Line 195:
== <span style="font-size:larger">Published standards</span> ==
== <span style="font-size:larger">Published standards</span> ==


=== <span style="font-size: larger;">19608 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===
=== <span style="font-size: larger;">19608:2018 TS&nbsp;</span><span style="font-size: larger; line-height: 1.2;">Guidance for developing&nbsp;</span><span style="font-size: larger; line-height: 1.2;">security and privacy functional requirements based on 15408</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
Line 152: Line 212:
|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/65459.html https://www.iso.org/standard/65459.html]<br/>
|-
|-
| Calendar
| Calendar
Line 165: Line 225:
|}
|}


=== <span style="font-size: larger;">20889 IS </span><span style="font-size: larger;">Privacy enhancing de-identification terminology and classification of techniques</span> ===
=== <span style="font-size: larger;">20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Jinhua Min, Xuebin Zhou<br/>
|-
| ScopeS
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
|-
| Documentation
|
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
 
[https://www.iso.org/standard/71278.html https://www.iso.org/standard/71278.html]
 
|-
| Calendar
|
1st WD provided in June 2016
 
2nd WD provided in May 2017
 
3rd WD provided in November 2017
 
4th WD provided in April 2018
 
1st CD provided in November 2018
 
2nd CD provided in October 2019
 
DIS published in October 2019
 
Further to virtual meeting in April 2020, will go for FDIS
 
|-
| Comments&nbsp;
|
WG9 is working on the following
 
*20546&nbsp;: big data overview and vocabulary
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)
 
Part 4 is transferred to SC27 for development, with close liaison with WG 9
 
[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
 
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)
 
Further to Berlin meeting, decision to change title (term fabric is removed)
 
|}
 
=== <span style="font-size: larger;">20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
Line 176: Line 295:
|-
|-
| Documentation
| Documentation
| Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
|  
Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015):&nbsp;[http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf]
 
[https://www.iso.org/fr/standard/69373.html https://www.iso.org/fr/standard/69373.html]
 
|-
|-
| Calendar
| Calendar
Line 199: Line 322:
|}
|}


=== <span style="font-size: larger;">27006-2:2021&nbsp;TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
|-
| Scope
|
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
|-
| Documentation
| [https://www.iso.org/standard/71676.html https://www.iso.org/standard/71676.html]<br/>
|-
| Calendar
|
Started in Paris October 2019
1st DTS published in July&nbsp; 2020,
2nd DTS published in October 2020
Publication in February 2021
Further to the March 2022 meeting, a revision is underway, at CD level
|-
| Comments
| <br/>
|}


=== <span style="font-size: larger;">27018 IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===
=== <span style="font-size: larger;">27018:2014 - Revision underway - IS Code of practice for protection of PII in public clouds acting as PII processors</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
|  
| <br/>
Editor
|  
Revision: Ramaswamy Chandramouli, Hendrik Decroos
|-
|-
| Scope
| Scope
Line 216: Line 375:
|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&nbsp http://www.iso.org/iso/catalogue_detail.htm?csnumber=61498&amp;nbsp]; (preview available)<br/>
|  
[https://www.iso.org/standard/61498.html https://www.iso.org/standard/61498.html]
 
|-
|-
| Comments
| Comments
Line 222: Line 383:
1st published in 2014
1st published in 2014


ISO/IEC JTC&nbsp;1,&nbsp;''Information technology'', Subcommittee SC&nbsp;27,&nbsp;''IT Security techniques''
Revision underway
<div><br/></div>
 
Further to the April 2023, discussion is taking place for a revision
|}
|}


=== <span style="font-size: larger;">27550&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> ===
=== <span style="font-size: larger;">27400:2022  IS Security and Privacy for the Internet of Things</span> ===


{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
| Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
|-
|-
| Scope
| Scope
|  
|  
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
 
*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;
 
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations


|-
|-
| Documentation
| Documentation
| A youtube presentation on privacy engineering:&nbsp;[https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/>
|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in January 2017
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
 
<span style="line-height: 20.8px;">1st WD provided in June 2018</span>
 
<span style="line-height: 20.8px;">2nd WD provided in November 2018</span>


2nd WD provided in June 2017
<span style="line-height: 20.8px;">3rd WD provided in June 2019</span>


1st PDTR provided in January 2018
<span style="line-height: 20.8px;">1st CD provided in December 2019</span>


2nd PDTR provided in June 2018
<span style="line-height: 20.8px;">2nd CD provided in May 2020</span>


3rd PDTR provided in October 2018
<span style="line-height: 20.8px;">3rd CD provided in March 2021</span>


Version for publication provided in April 2019
<span style="line-height: 20.8px;">DIS provided in April 2021</span>


Publication in September 2019
<span style="line-height: 20.8px;">FDIS provided in January 2022</span>


<span style="line-height: 20.8px;">Published in June 2022</span>
|-
|-
| Comments<br/>
| Comments
|  
|  
[Antonio Kung]
<span style="line-height: 20.8px;">Follow up of</span>
 
*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>


*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
<span style="line-height: 20.8px;">Aprll 2020: Renamed from 27030 to 27400</span>
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies


|}
|}


 
=== <span style="font-size: larger;">27402:2023&nbsp;IS IoT&nbsp;security and privacy&nbsp;- Device baseline requirements</span> ===
 
=== <span style="font-size: 18.252px;">27701&nbsp;IS Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
| Elaine Newton, Amit Elazari Bar On, Faud Khan
|-
|-
| Scope
| Scope
|  
|  
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
This document provides baseline ICT requirements for IoT devices to support security and privacy controls
 
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
 
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
 
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/80136.html https://www.iso.org/standard/80136.html]<br/>
|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in April 2017
1st WD was provided in May 2020


2nd WD provided in June 2017
1st CD was provided in November 2020


1st CD provided in April 2018
2nd CD was provided in July 2021


2nd CD provided in June 2018
DIS was provided in December 2022


DIS provided in March 2019
FDIS was provided in October 2023


Publication in August 2019
Publication in November 2023


|-
|-
| Comments
| Comments
|  
| Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019
 
|}
|}
=== <span style="font-size: larger;">27550:2019&nbsp;</span><span style="font-size: 18.252px; line-height: 21.9024px;">TR Privacy engineering for system lifecycle processes</span> ===


=== <span style="font-size: larger;">29100 IS Privacy framework</span> ===
{| style="line-height: 20.8px; width: 900px;" cellpadding="1" cellspacing="1" border="1"
 
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
| <span style="line-height: 20.8px;">Antonio Kung, Mathias Reinis</span>
|-
| Scope
|  
|  
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>
This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:
 
*it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
*it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;


<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations


|-
| Scope
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
|-
|-
| Documentation
| Documentation
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
|  
A youtube presentation on privacy engineering:&nbsp;[https://www.youtube.com/watch?v=BymNvbmSr2E https://www.youtube.com/watch?v=BymNvbmSr2E]
 
[https://www.iso.org/standard/72024.html https://www.iso.org/standard/72024.html]
 
|-
|-
| Comments
| Calendar
|  
|  
In the Tampa meeting, a recommendation was made to go for a review (see below study period)
1st WD provided in January 2017


A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work
2nd WD provided in June 2017


The amended version will be available further to the Berlin meeting
1st PDTR provided in January 2018


|}
2nd PDTR provided in June 2018


=== <span style="font-size:larger">29101 IS Privacy architecture framework</span> ===
3rd PDTR provided in October 2018


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
Version for publication provided in April 2019
|-
| Editor
|
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>


<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomote</span>
Publication in September 2019


|-
|-
| Scope
| Comments<br/>
|  
|  
This International Standard describes a privacy architecture framework that
[Antonio Kung]
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>


This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
*Follows ISO/IEC 15288&nbsp;Systems and software engineering -- System life cycle processes
*Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies


|-
| Documentation
| <span style="line-height: 20.7999992370605px">Must be purchased. [http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45124]&nbsp;(preview available)</span><br/>
|-
| Comments
| Revision initiated in Berlin (November 2017)
|}
|}


=== <span style="font-size:larger">29134 IS Guidelines for Privacy impact assessment</span> ===
=== <span style="font-size: larger;">27551:2021 IS Requirements for attribute-based unlinkable entity authentication</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| Editor
| Editor<br/>
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
|-
|-
| Scope
| Scope
|  
|  
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).
This International Standard


It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.
*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
 
*Specifies requirements for attribute-based unlinkable entity authentication implementations.
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
 
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
 
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.


For principles and guidelines on risk management, reference is made to ISO 31000:2009.
This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/44373.html https://www.iso.org/standard/44373.html]<br/>
|-
|-
| Calendar
| Calendar<br/>
| <span style="line-height: 1.6">Published in June 2017</span><br/>
|  
|-
1st WD provided in April 2017
| Comments
 
| <br/>
2nd WD provided in Dec 2017
|}
<div></div>
=== <span style="font-size:larger">29151 IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===


{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
3rd WD provided in July 2018
|-
| Editor
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
|-
| Scope
|
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).


In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).
4th WD provided in February 2019


This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.
1st CD provided in October 2019


|-
DIS provided in November 2019
| Documentation
| March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]
|-
| Calendar
| Published in August 2017
|-
| Comments
| Also an ITU reference (ITU-T X.gpim)
|}


=== <span style="font-size:larger;">29190 IS Privacy capability assessment model</span> ===
FDIS provided in September 2020


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
Published in September 2021
|-
| Editor
| <span style="line-height: 20.8px;">Alan Shipman</span><br/>
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6;">In particular, it:</span>
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>


|-
|-
| Documentation
| Comments<br/>
| Must be purchased.&nbsp;[http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269 http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45269]
|-
| Calendar
| <br/>
|-
| Comments
| <br/>
| <br/>
|}
|}


=== <span style="font-size: larger;">29191 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===
=== <span style="font-size: larger;">27555:2021 IS Guidelines on Personally Identifiable Information Deletion</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Kazue Sako (NEC)
|  
Dorotea Alessandra de Marco, Yan Sun,&nbsp;Volker Hammer
 
|-
|-
| Scope
| Scope
|  
|  
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:


This document provides guidance to the use of group signatures for data minimization and user convenience.
*a harmonised terminology for PII deletion,
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.


This guideline is applicable in use cases where authentication or authorization is needed.
This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:


It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.
*specific legal provision, as given by national law or specified in contracts,
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.


|-
|-
| Documentation
| Documentation
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Must be purchased.&nbsp;</span>&nbsp;[http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270 http://www.iso.org/iso/catalogue_detail.htm?csnumber=45270]&nbsp;(preview available)
| [https://www.iso.org/fr/standard/71673.html https://www.iso.org/fr/standard/71673.html]<br/>
|-
|-
| Comments<br/>
| Calendar
|  
|  
Published in December 2012
1st WD provided in March 2019
 
2nd WD provided in June 2019
 
1st CD provided in December 2019.&nbsp;&nbsp;Title changed (former title: establishing a PII deletion concept in organisations)


Under pre-review
2nd CD was published in June 2020


|}
DIS was provided in January 2021


== <span style="font-size: larger;">Standards in development</span> ==
FDIS was provided in April 2021


=== <br/><span style="font-size: larger;">20547 IS Big data reference architecture - Part 4 - Security and privacy</span> ===
Publication in October 2021


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Comments
| Jinhua Min, Xuebin Zhou<br/>
| It is based on a German standard
|}
 
=== <span style="font-size: larger;">27556:2022&nbsp;IS User-centric privacy preferences management framework</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
|-
| ScopeS
| Editor<br/>
| Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
|-
| Documentation
| Scope
|  
|  
Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there:&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1.pdf [1]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-2.pdf [2]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-3.pdf [3]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf [4]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-5.pdf [5]],&nbsp;[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-6.pdf [6]],&nbsp;​[http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-7.pdf [7]]
This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.


|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in June 2016
Established in Gjovik (October 2018)
 
1st WD provided In June 2019


2nd WD provided in May 2017
2nd WD provided in December 2019


3rd WD provided in November 2017
1st CD provided in May 2020


4th WD provided in April 2018
2nd CD provided in October 2020


1st CD provided in November 2018
3rd CD provided in April 2021


2nd CD provided in October 2019
DIS provided in October 2021


DIS published in October 2019
FDIS provided in May 2022


Further to virtual meeting in April 2020, will go for FDIS
Publication in October 2022


|-
|-
| Comments&nbsp;
| Documentation
|  
| <span style="font-size: 10pt; line-height: 107%; font-family: Arial, sans-serif;">[https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]</span><br/>
WG9 is working on the following
|-
 
| Comments
*20546&nbsp;: big data overview and vocabulary
| Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"
*20547&nbsp;: big data reference architecture
**Part 1: Framework and application process (TR)
**Part 2: Use cases and derived requirements (TR)
**Part 3: Reference architecture (IS)
**Part 4: Security and privacy fabric (IS)
**Part 5: Standards roadmap (TR)
 
Part 4 is transferred to SC27 for development, with close liaison with WG 9
 
[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore
 
*contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
*address the 5 Vs concern (volume, velocity, variety, veracity, value)
 
Further to Berlin meeting, decision to change title (term fabric is removed)
 
|}
|}


=== <br/><span style="font-size: larger;">23491&nbsp;IS Security techniques - Guidelines for IoT domotics security and privacy</span> ===
=== <span style="font-size: larger;">27557:2022&nbsp;IS Organizational privacy risk management</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
Line 554: Line 660:
| Editor
| Editor
|  
|  
Qin QIu, Mahmoud Ghaddar
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes


|-
|-
| Scope
| Scope
|  
|  
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems
Provides guidelines for organizational privacy risk management.&nbsp;
 
Designed to provide guidance to organizations processing personally identifiable&nbsp;information (PII) for integrating risks to the organization related to the processing of PII, including&nbsp;the privacy impact to individuals, as part of an organizational privacy risk management program.
 
Assists in the implementation of a risk-based privacy program which can be&nbsp;integrated in the overall risk management of the organization, and supports the requirement for risk&nbsp;management as specified in management systems (such as ISO/IEC 27701:2019).<br/>This document is applicable to all types and sizes of organizations, including public and private&nbsp;companies, government entities and not-for-profit organizations, which are organizations&nbsp;processing PII, or developing products and services that can be used to process PII.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/71674.html https://www.iso.org/standard/71674.html]<br/>
|-
|-
| Calendar
| Calendar
|  
|  
<span style="line-height: 20.8px;">This project in managed in WG4</span>
1 st WD was published in May 2020


<span style="line-height: 20.8px;">Started in Paris October 2018 with a preliminary version</span>
2nd WD was published in October 2020


<span style="line-height: 20.8px;">1st WD provided in October 2019</span>
1st CD was published in April 2021
 
DIS was provided in October 2021


<span style="line-height: 20.8px;">Further to virtual meeting in April 2020, will move to 1nd WD</span>
FDIS was provided in June 2022


Published in November 2022
|}
|}


=== <span style="font-size: larger;">27006-2 (formerly 27558&nbsp;IS) TS Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001</span> ===
=== <span style="font-size: larger;">27559:2022&nbsp;IS Privacy-enhancing data de-identification framework</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
| Helge Kreutzmann&nbsp;
| Malcolm Townsend, Santa Borel
|-
|-
| Scope
| Scope
|  
|  
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.


Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.
 
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/71677.html https://www.iso.org/standard/71677.html]<br/>
|-
|-
| Calendar
| Calendar
|  
|  
Started in Paris October 2019
1st WD was provided in July 2020
 
2nd WD was provided in February 2021
 
1st CD was prrovided in April 2021
 
DIS was provided in October 2021
 
FDIS was provided in June 2022


Further to Virtual meeting in April 2020, will move to 1st DTS
Published in November 2022


|}
|}


=== <span style="font-size: larger;">27030 IS Security and Privacy for the Internet of Things</span> ===
=== <span style="font-size: larger;">27560:2023&nbsp;TS Privacy technologies – Consent record information structure</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Editor
| Faud Khan, Koji Nakao, Antonio Kung, Luc Poulin
| Jan LIndquist, Andrew Hughes, Kelvin Magtalas
|-
|-
| Scope
| Scope
|  
|  
This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).
This document specifies an interoperable, open and extensible information structure for recording PII Principals'&nbsp;or data subjects'&nbsp;consent to data processing. This document&nbsp;further&nbsp;provides guidance on the use of consent receipts and consent records associated with a&nbsp;PII Principal's data processing&nbsp;consent&nbsp;to support&nbsp;the:
 
—&nbsp;provision of&nbsp;a record of the&nbsp;consent&nbsp;to&nbsp;the PII Principal;
 
— exchange of consent information between information systems; and,
 
— management of the lifecycle of the&nbsp;recorded&nbsp;consent.&nbsp;&nbsp;


|-
|-
| Documentation
| Documentation
| <br/>
| https://www.iso.org/standard/80392.html
|-
|-
| Calendar
| Calendar
|  
|  
<span style="line-height: 20.8px;">Started in Wuhan April 2018</span>
1st WD was provided in May 2020
 
<span style="line-height: 20.8px;">1st WD provided in June 2018</span>


<span style="line-height: 20.8px;">2nd WD provided in November 2018</span>
2nd WD was provided in January 2021


<span style="line-height: 20.8px;">3rd WD provided in June 2019</span>
3rd WD was provided in April 2021


<span style="line-height: 20.8px;">1st CD provided in December 2020</span>
4th WD was provided in October 2021


<span style="line-height: 20.8px;">Further to virtual meeting in April 2020, will move to 2nd CD</span>
5th WD was provided in June 2022


|-
DTS was provided in October 2022
| Comments
|
<span style="line-height: 20.8px;">Follow up of</span>


*<span style="line-height: 20.8px;">SP Privacy guidelines for IoT (WG5)</span>
Publication in August 2023
*<span style="line-height: 20.8px;">SP Security guidelines for IoT (WG4)</span>
*<span style="line-height: 20.8px;">SP Security and privacy guidelines for IoT (WG4 with participation of WG5)</span>


|}
|}
 
=== <span style="font-size: larger;">27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices</span> ===
=== <span style="font-size: larger;">27045 IS Big data security and privacy - processes</span> ===
<div>
 
{| border="1" cellpadding="1" cellspacing="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor<br/>
| Leaders
| Xiaoyuan Bai - Alastair Walker -&nbsp;Hongru Zhu
| Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
|-
|-
| Scope
| Objective
|  
|  
This document defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.
This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)
 
The processes include a set of indicators of process performance and process capability.The indicators are used as a basis for collecting the objective evidence that enables an assessor to assign ratings. These processes are described in different terms, such as process purpose, outcomes, activities and tasks


|-
|-
| Documentation
| Documentation
| <br/>
| https://www.iso.org/standard/80396.html
 
ISO/IEC 24030 covers&nbsp;132 use cases that are described here:&nbsp;&nbsp;https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf
 
ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here:&nbsp;https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf
 
|-
|-
| Calendar
| Calendar
|  
|  
<span style="line-height: 20.8px;">1st WD was provided in January 2019</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Established in October 2021</span>
 
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Draft TR was provided in December 2021</span>


<span style="line-height: 20.8px;">2nd WD was provided in April 2019</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Further to March 2022 meeting, title is changed from ''Impact of security and privacy in AI use cases'' to ''security and privacy in AI use cases'', and 2nd Draft TR was provided in May 2022</span>


<span style="line-height: 20.8px;">3rd WD was provided in October 2019</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">3rd draft DTR was provided in September 2022</span>


<span style="line-height: 20.8px;">Further to virtual meeting of April 2020, will move to 4th WD</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Further to April 2023 meeting, publication was mede in May 2023</span>


|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">Is a WG4 project</span>
It is the result of phase 1 of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of AI on security and privacy]


|}
|}
</div>


=== <span style="font-size: larger;">27046&nbsp;IS Big data security and privacy&nbsp;- Implementation guidelines</span> ===
=== <span style="font-size: larger;">27570:2021 TS&nbsp;Privacy Guidelines for Smart Cities</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
| Le Yu
| Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
|-
|-
| Scope
| Scope
|  
|  
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens
 
&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments


|-
|-
| Documentation
| Documentation
| <br/>
| <font color="#333333">[https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]</font><br/>
|-
|-
| Calendar
| Calendar
|  
|  
|-
<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span>
| Comments
 
| <br/>
<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span>
|}


<span style="font-size: larger;">27551 IS Requirements for attribute-based unlinkable entity authentication</span>
<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span>


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
<span style="line-height: 20.8px;">A 2nd PDTS was provided in November 2019 further to the Paris meeting</span>
|-
| Editor<br/>
| Nat Sakimura,&nbsp;Jaehoon Na,&nbsp;Pascal Pailler
|-
| Scope
|
This International Standard


&nbsp;
<span style="line-height: 20.8px;">A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting</span>


*Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
<span style="line-height: 20.8px;">The document will go to publication further to the September 2020 virtual meeting.</span>
*Specifies requirements for attribute-based unlinkable entity authentication implementations.


&nbsp; This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication
<span style="line-height: 20.8px;">The standard was published in January 2021 see following press release:&nbsp;</span>[https://www.iso.org/news/ref2631.html https://www.iso.org/news/ref2631.html]


|-
|-
| Documentation
| Comments
| <br/>
|-
| Calendar<br/>
|  
|  
1st WD provided in April 2017
First ecosystem oriented standard for privacy


2nd WD provided in Dec 2017
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>


3rd WD provided in July 2018
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
 
4th WD provided in February 2019
 
1st CD provided in October 2019
 
Further to the Paris meeting (October 2019), 27551 will move to DIS


|-
| Comments<br/>
| <br/>
|}
|}


 
=== <span style="font-size: 18.252px;">27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines</span> ===
<span style="font-size: larger;"></span>
=== <span style="font-size: larger;">27555 IS Guidelines on Personally Identifiable Information Deletion</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor<br/>
|  
| Alan Shipman, Oliver Weissmann,&nbsp;Srinivas Poosarla,&nbsp;Heung Youl Youm
Dorotea Alessandra de Marco, Yan Sun,&nbsp;Volker Hammer
 
|-
|-
| Scope
| Scope
|  
|  
This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:
This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.


*a harmonised terminology for PII deletion,
In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
*an approach for defining deletion/de-identification rules in an efficient way,
*a description of required documentation, and
*a definition of roles, responsibilities and processes.


This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.


*specific legal provision, as given by national law or specified in contracts,
Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.
*specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
*deletion mechanisms including those for cloud storage,
*security of deletion mechanisms,
*specific techniques for de-identification of data.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/71670.html https://www.iso.org/standard/71670.html]<br/>
|-
|-
| Calendar
| Calendar
|  
|  
1st WD provided in March 2019
1st WD provided in April 2017
 
2nd WD provided in June 2017
 
1st CD provided in April 2018
 
2nd CD provided in June 2018
 
DIS provided in March 2019
 
Publication in August 2019


2nd WD provided in June 2019
A revision has been initiated in 2022-10


Further to Paris meeting (October 2019), it will go for 1st CD. Title changed (former title: establishing a PII deletion concept in organisations)
Further to April 2023 mode, a Final Draft International Standard (FDIS) will be provided


|-
|-
| Comments
| Comments
| It is based on a German standard
|  
Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019
 
|}
|}


=== <span style="font-size: larger;">27556&nbsp;IS User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences</span> ===
=== <span style="font-size: larger;">29100:2011 IS Privacy framework</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor<br/>
| Editor<br/>
| Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Scope
|  
|  
This document presents a user-centric framework for PII handling based on privacy preferences and privacy preference administration, which
<span style="line-height: 20.7999992370605px">Stefan Weiss</span>


*defines the actors and roles in the PII handling,
<span style="line-height: 20.7999992370605px">Revision&nbsp;: Nat Sakimura</span>
*describes components, their relationships and procedures,
*describes role and properties of a privacy preference management within a privacy information management system, and
*provides requirements for privacy preference administration and PII handing based on privacy preference management.


|-
|-
| Calendar
| Scope
| <span style="line-height: 20.7999992370605px">This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.</span><span style="line-height: 1.6">This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.</span><br/>
|-
| Documentation
| <span style="line-height: 20.7999992370605px">Is a free standard&nbsp;: see&nbsp;</span>[http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html]<br/>
|-
| Comments
|  
|  
Established in Gjovik (October 2018)
In the Tampa meeting, a recommendation was made to go for a review (see below study period)


1st WD provided In June 2019
A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work


2nd WD provided in December 2019
The amended version will be available further to the Berlin meeting
 
Further to April 2020 meeting, will move to 1st CD


|-
| Documentation
| <br/>
|-
| Comments<br/><br/>
|}
|}


=== <span style="font-size: larger;">27557&nbsp;IS Organizational privacy risk management</span> ===
=== <span style="font-size:larger">29101:2018 IS Privacy architecture framework</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Editor
|  
|  
Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes
<span style="line-height: 20.7999992370605px">Stefan Weiss and Dan Bogdanov,</span>
 
<span style="line-height: 20.7999992370605px">For revision: Nat Sakimura, Shinsaku Kiyomoto</span>


|-
|-
| Scope
| Scope
|  
|  
Provides guidelines for organizational privacy risk management.&nbsp;
This International Standard describes a privacy architecture framework that
<ol style="line-height: 18.9090900421143px;">
<li>describes concerns for ICT systems that process PII;</li>
<li>lists components for the implementation of such systems; and</li>
<li>provides architectural views contextualizing these components.</li>
</ol>


Designed to provide guidance to organizations processing personally identifiable&nbsp;information (PII) for integrating risks to the organization related to the processing of PII, including&nbsp;the privacy impact to individuals, as part of an organizational privacy risk management program.
This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
 
Assists in the implementation of a risk-based privacy program which can be&nbsp;integrated in the overall risk management of the organization, and supports the requirement for risk&nbsp;management as specified in management systems (such as ISO/IEC 27701:2019).<br/>This document is applicable to all types and sizes of organizations, including public and private&nbsp;companies, government entities and not-for-profit organizations, which are organizations&nbsp;processing PII, or developing products and services that can be used to process PII.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/75293.html https://www.iso.org/standard/75293.html]<br/>
|-
|-
| Calendar
| Comments
| Revision initiated in Berlin (November 2017)
|}
|}


=== <span style="font-size: larger;">27559&nbsp;IS Privacy-enhancing data de-identification framework</span> ===
=== <span style="font-size:larger">29134:2017 IS Guidelines for Privacy impact assessment</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
|-
|-
| Editor
| Editor
| Malcom Townsend
| <span style="line-height: 20.7999992370605px">Mathias Reinis</span><br/>
|-
|-
| Scope
| Scope
|  
|  
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.
This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).
 
It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.
 
In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.
 
It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.
 
This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.


&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.
For principles and guidelines on risk management, reference is made to ISO 31000:2009.


|-
|-
| Documentation
| Documentation
| <br/>
| [https://www.iso.org/standard/62289.html https://www.iso.org/standard/62289.html]<br/>
|-
|-
| Calendar
| Calendar
|  
| <span style="line-height: 1.6">Published in June 2017</span><br/>
|-
| Comments
| <br/>
|}
|}
<div></div>
=== <span style="font-size:larger">29151:2017 - Revision underway - IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)</span> ===


<span style="font-size: larger;">27560&nbsp;TS Privacy technologies – Consent record information structure</span>
{| style="width: 900px" cellpadding="1" cellspacing="1" border="1"
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Editor
| Editor
| Andrew Hughes
| <span style="line-height: 20.7999992370605px">Heung Youl Youm, Alan Shipman</span><br/>
 
Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park
|-
|-
| Scope
| Scope
|  
|  
This document specifies an interoperable, open and extensible information structure for recording PII Principals'&nbsp;or data subjects'&nbsp;consent to data processing. This document&nbsp;further&nbsp;provides guidance on the use of consent receipts and consent records associated with a&nbsp;PII Principal's data processing&nbsp;consent&nbsp;to support&nbsp;the:
This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).


—&nbsp;provision of&nbsp;a record of the&nbsp;consent&nbsp;to&nbsp;the PII Principal;
In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).


— exchange of consent information between information systems; and,
This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.
 
— management of the lifecycle of the&nbsp;recorded&nbsp;consent.&nbsp;&nbsp;


|-
|-
| Documentation
| Documentation
| <br/>
|-
| Calendar<br/><br/>
|}
=== <span style="font-size: larger;">27570&nbsp;TS&nbsp;Privacy Guidelines for Smart Cities</span> ===
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Editor
| Antonio Kung, Heung Youl Youm
|-
| Scope
|  
|  
The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens
March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE):&nbsp;[http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf]


&nbsp;This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments
[https://www.iso.org/standard/62726.html https://www.iso.org/standard/62726.html]


|-
| Documentation
| <br/>
|-
|-
| Calendar
| Calendar
|  
| Published in August 2017
<span style="line-height: 20.8px;">1st WD was provided in June 2018 further the Wuhan meeting.</span>
 
<span style="line-height: 20.8px;">2nd WD was provided in October 2018 further to the Gjovik meeting.</span>
 
<span style="line-height: 20.8px;">A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.</span>
 
<span style="line-height: 20.8px;">A 2nd PDTS will be provided further to the Paris meeting (October 2019).</span>


A revision is underway
|-
|-
| Comments
| Comments
|  
| Also an ITU reference (ITU-T X.gpim)
<span style="line-height: 20.8px;">Follow up of SP Privacy in Smart cities</span>
 
<span style="line-height: 20.8px;">Liaison will take place with WG11 (smart cities), SC40 (</span>IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)
<div><br/></div>
|}
|}


=== <span style="font-size: larger;"><span style="line-height: 21.9px;">29184 IS Online privacy notices and consent</span></span> ===
=== <span style="font-size: larger;"><span style="line-height: 21.9px;">29184:2020 IS Online privacy notices and consent</span></span> ===


{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
{| cellpadding="1" cellspacing="1" border="1" style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
Line 940: Line 1,029:
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Documentation
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | <br/>
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | [https://www.iso.org/standard/71678.html https://www.iso.org/standard/71678.html]<br/>
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar
| style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;" | Calendar
Line 958: Line 1,047:
<span style="line-height: 20.8px;">DIS provided in April 2019</span>
<span style="line-height: 20.8px;">DIS provided in April 2019</span>


<span style="line-height: 20.8px;">Further to Paris meeting (october 2019) will go for FDIS</span>
<span style="line-height: 20.8px;">FDIS provided in May 2020</span>
 
<span style="line-height: 20.8px;">Published in June 2020</span>


|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
|- style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"
Line 969: Line 1,060:
|}
|}


=== <span style="font-size: larger;">31700 IS Consumer Protection - Privacy-by-design for consumer goods and services</span> ===
=== <span style="font-size:larger;">29190:2015 IS Privacy capability assessment model</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor
| <span style="line-height: 20.8px;">Alan Shipman</span><br/>
|-
| Scope
|
This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes.&nbsp;<span style="line-height: 1.6;">In particular, it:</span>
<ul style="line-height: 18.9091px;">
<li>specifies steps in assessing processes to determine privacy capability;</li>
<li>specifies a set of levels for privacy capability assessment;</li>
<li>provides guidance on the key process areas against which privacy capability can be assessed;</li>
<li>provides guidance for those implementing process assessment;</li>
<li>provides guidance on how to integrate the privacy capability assessment into organizations operations</li>
</ul>
 
|-
| Documentation
| [https://www.iso.org/standard/45269.html https://www.iso.org/standard/45269.html]<br/>
|-
| Calendar
| <br/>
|-
| Comments
| <br/>
|}
 
=== <span style="font-size: larger;">29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
|-
| Editor<br/>
| Kazue Sako (NEC)
|-
| Scope
|
This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.
 
This document provides guidance to the use of group signatures for data minimization and user convenience.
 
This guideline is applicable in use cases where authentication or authorization is needed.
 
It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.
 
|-
| Documentation
| [https://www.iso.org/standard/45270.html https://www.iso.org/standard/45270.html]
|-
| Comments<br/>
|
Published in December 2012
 
Under pre-revie
 
|}
=== <span style="font-size: larger;">31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
Line 997: Line 1,145:
*Second meeting&nbsp;: May 21-23 2018, Toronto, where 1st working draft will be discussed
*Second meeting&nbsp;: May 21-23 2018, Toronto, where 1st working draft will be discussed
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
*Third meeting: October 21-23 AFNOR Paris
*Third meeting: October 21-23 2019 AFNOR Paris
*Fourth meeting: March 17-20 2020 Virtual
*Fifth meeting: Sep 30-Oct 2 2020 Virtual
*Sixth meeting: April 19-22 2021 Virtual
*Seventh meeting September 13-17 2021 Virtual
*Eight meeting May 16-19 2022 Virtual


|-
|-
Line 1,005: Line 1,158:
*2nd WD provided in July 2019
*2nd WD provided in July 2019
*3rd WD provided in Dec 2019
*3rd WD provided in Dec 2019
 
*4th WD provided in June 2020
*1st CD provided in March 2021
*2nd CD provided in May 2021
*DIS provided in January 2022
*FDIS provided in June 2022
*Publication in February 2023
|-
|-
| Comments
| Comments
|  
|  
Note that this an ISO standard
Note that this is an ISO standard managed by the&nbsp;[https://www.iso.org/committee/6935430.html PC 317 technical committee]&nbsp;that is chaired by Jan Schallaboek
 
<div>Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard</div><div>ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements</div><div>ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases<br/></div>
This standard is managed by the&nbsp;[https://www.iso.org/committee/6935430.html PC 317 technical committee]&nbsp;that will be chaired by Jan Schallaboek
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
<div><br/></div>
|}
|}


== <span style="font-size: larger;">New work item proposals proposed in April 2020<br/></span> ==
=== <span style="font-size: larger;">31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases</span> ===
 
== On-going study periods ==


=== Privacy consideration in practical workflows&nbsp;<span style="font-size: 13px; line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2018)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| Mickey Cohen<br/>
|-
| Objective
|  
|  
The scope of this study period is to collect contributions:
Project leader: Michelle Chibba
 
<font color="#000000"><span lang="EN-US">(1) On workflows describing&nbsp;'''use-cases'''&nbsp;where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole</span></font>


<span lang="EN-US">(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy</span>
Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco


|-
|-
| Documentation
| Scope
|  
|  
This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.


The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.


|-
|-
| Comments
| Documentation
|  
| See&nbsp;[https://www.iso.org/standard/76402.html https://www.iso.org/standard/76402.html]
 
 
|}
</div>
=== <span style="font-size: 13px;">Use case for identity assurance (</span><font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Calendar
|  
|  
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Tony Nadalin,&nbsp;</span><span style="background-color: transparent;">Patrick Curry</span>
*May 2019&nbsp;: request for use cases
 
*March 2020: creation of AhG on use cases
 
*April 2021: continuation of AhG on use cases
 
*September 2021: approval to create 31700-2Official start date: November 1 2018
|-
*June 2022: Draft technical report
| Objective
*February 2023: Publication
|
To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.&nbsp; These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115


|-
|-
| Versions
|  
|  
Documentation
*1st intenal draft provided in September 2021
*Draft TR provided in June 2022


| <br/>
|-
|-
| Comments
| Comments
|  
|  
 
Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases
 
<div></div>
see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127
|}
|}
</div></div>
=== <span style="font-size: 13px;">Impact of Artificial Intelligence on Privacy (</span><font size="3" style="line-height: 19.2px;">Started in October 2018)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
Antonio Kung,&nbsp;<span style="background-color: transparent;">Srinivas Poosarla,&nbsp;</span><span style="background-color: transparent;">Peter Dickman,&nbsp;Gurshabad Grover, Peter Deussen, Heung Your Youm,&nbsp;</span>Zhao Yunwei


|-
== <span style="font-size: larger;">Standards in development</span> ==
| Objective
|
<span style="background-color: transparent;">Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period</span>


*to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
*to review the new threats to privacy which AI can create,
*to review how AI can be used by deploying improved privacy controls, and
*to provide recommendations for standardization work.


Is extended for 6 months
=== <span style="font-size: larger;">5181 IS Security and privacy - Data provenance</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
|  
| Editor
Documentation
| Ryan Ko, Jan de Meer, Yi Zhang
 
|  
In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:
 
{| border="1" cellspacing="1" cellpadding="1" style="width: 900px;"
|-
|-
| Scope
|  
|  
IEEE Ethically Aligned AI
This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.
 
|
<span style="font-size:xx-small;">[https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/industry-connections/ec/autonomous-systems.html] [https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf]</span>


The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.
|-
|-
| Ethics guidelines for trustworthy AI<br/>
| Documentation
| <span style="font-size:xx-small;">[https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112 https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112]</span><br/>
|https://www.iso.org/standard/80971.html
|-
| Privacy Commissioners declaration&nbsp;<br/>
| <span style="font-size:xx-small;">[https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf]</span><br/>
|-
| AI as a Disruptive Opportunity and Challenge for Security<br/>
| <span style="font-size:xx-small;">[https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf]</span><br/>
|-
| The impact of AI on life cycle processes<br/>
| <span style="font-size:xx-small;">[https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf]</span><br/>
|-
| Asilomar principles
| <span style="font-size:xx-small;">[https://futureoflife.org/ai-principles https://futureoflife.org/ai-principles]</span><br/>
|-
| Malicious AI report
| <span style="font-size:xx-small;">[https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&amp;nbsp];</span><br/>
|-
| Privacy and Freedom of Expression In the Age of Artificial Intelligence&nbsp;<br/>
| <span style="font-size:xx-small;">[https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence]</span><br/>
|-
|-
| UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?<br/>
|
<span style="font-size:xx-small;">[https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf]</span>


|-
| Calendar
| Australian Human Rights Commission report on Human Rights and Technology<br/>
|Started in February 2023
| <span style="font-size:xx-small;">[https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf]</span><br/>
|-  
|}


|-
|-
| Comments
| Comments
|  
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_5181_Information_technology_-_Security_and_privacy_-_Data_provenance_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 5181 Data provenance]
Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence
1st WD was provided in March 2023


An intermediate report was provided in Tel-Aviv (April 2019).
2nd WD was provided in August 2023


A second report was provided in Paris (October 2019)
|}


A further study of SC42 ISO/IEC 24030 on AI use cases will be carried out
=== <span style="font-size: larger;">27006-2&nbsp;IS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems</span> ===


|}
</div></div>
=== Consent receipts and records&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| Collin Wallis, Andrew Hughes<br/>
| Kimberly Lucy, Fuki Azetsu, Gigi Robinson
|-
|-
| Objective
| Scope
|  
|  
The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
 
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
 
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.


|-
|-
| Documentation
| Documentation
| [https://www.iso.org/standard/82894.html https://www.iso.org/standard/82894.html]<br/>
|-
| Calendar
|  
|  
1st CD was provided in May 2022
2nd CD was provided in November 2022
DIS was provided in May 2023


Further to October 2023 meeting, FDIS to be provided


|-
|-
| Comments
| Comments
|  
|
Follow-up of ISO/IEC 27006-2 TS
| <br/>
|}


=== <span style="font-size: larger;">27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection</span> ===


|}
</div>
=== Privacy engineering model&nbsp;<span style="line-height: 18.24px;">(Started in&nbsp;</span><span style="font-size: 16px;">April 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| John Sabo, Antonio Kung, Srinivas Poorsala
| Lenora Zimmerman, Antonio Kung, Byoung-Moon Chin
 
|-
|-
| Objective
| Scope
| Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
|  
This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.
|-
|-
| Documentation
| Documentation
|  
| https://www.iso.org/standard/56582.html
|-


| Calendar
|Project started in February 2023
|-


|-
|-
| Comments
| Comments
|  
| Follow-up of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_6089_Impact_of_Artificial_Intelligence_on_Security_and_Privacy_.28Started_in_September_2020.2C_Completed_in_October_2022.29 PWI 6089 Impact of Artificial Intelligence on Security and Privacy]
 
Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)


1st WD was provided in May 2023


Further to October 2023 meeting, 2nd WD will be provided
|}
|}


=== <span style="font-size: larger;">27403&nbsp;IS Security techniques - ioT security and privacy - Guidelines for&nbsp;IoT domotics</span> ===


=== Guidance on processes of a privacy information management system (<span style="font-size: 16px;">Started in October 2019)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
|  
|  
Michael Steiner, Alan Shipman
Qin QIu, Yanghuichen Lin, Luc Poulin


|-
|-
| Objective
| Scope
|  
|  
Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.
This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems
 
Consider the following:
<ol style="list-style-type: lower-roman;">
<li>ISO/IEC 27001 and ISO/IEC 27003</li>
<li>ISO/IEC 27701 (a.k.a. DIS 27552)</li>
<li>ISO Handbook “The integrated use of management system standards”</li>
<li>ISO/IEC 33004</li>
<li>2<sup>nd</sup>&nbsp;WD of ISO/IEC 27022</li>
</ol>


|-
|-
| Documentation
| Documentation
| [https://www.iso.org/standard/78702.html https://www.iso.org/standard/78702.html]<br/>
|-
| Calendar
|  
|  
Started in Paris October 2018 with a preliminary version
<span style="line-height: 20.8px;">1st WD provided in October 2019</span>
<span style="line-height: 20.8px;">2nd WD provided in May 2020</span>


<span style="line-height: 20.8px;">3rd WD and 4th WD provided in March 2021</span>


|-
<span style="line-height: 20.8px;">4th WD was provided in April 2021</span>
| Comments
 
|
<span style="line-height: 20.8px;">5th WD was provided in May 2021</span>
 
<span style="line-height: 20.8px;">6th WD was provided in July 2021</span>
 
<span style="line-height: 20.8px;">1st CD was provided in January 2022</span>
 
<span style="line-height: 20.8px;">2nd CD war provided in June 2022</span>
 
<span style="line-height: 20.8px;">DIS was provided in October 2022</span>
 
<span style="line-height: 20.8px;">2nd DIS was provided in April 2023</span>


Further to the October meeting, a FDIS version will be provided


|-
| Comment
| Is a WG4 project<br/>
|}
|}
</div>
 
=== Privacy for Fintech services&nbsp;<span style="font-size: 16px;">(Started in October 2019)</span> ===
=== <span style="font-size: larger;">27561 IS POMME Privac</span><span style="font-size: larger;">y operationalization model and method for engineering</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
|  
| John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco,&nbsp;Aswathy KUMAR&nbsp, Michele Drgon;
Heung Youl Youm, Gurshabad Grover, Janssen Esguerra
 
|-
|-
| Objective
| Objective
|  
|  
Objectives
This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.
 
*Apply privacy principles described in ISO/IEC 29100:2011
*Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
*Consider privacy risks related to providing Fintech services
*Consider regulatory requirements that impact privacy of customers
*Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
*Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment


Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.
*the method is described as a process following ISO/IEC/IEEE 24774;
*it operationalizes ISO/IEC 29100;
*it is intended for engineers and other practitioners developing systems controlling or processing PII;
*it is designed for use with other standards and privacy guidance;
*it supports networked, interdependent applications and systems.


|-
|-
| Documentation
| Documentation
|  
| https://www.iso.org/standard/80394.html
 
 
|-
|-
| Comments
| Calendar
|  
|  
1st WD was published in April 2021


2nd WD was published in October 2021


|}
1st CD was published in May 2022
</div></div>
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Study Periods</span></span> ==
 
The following study periods have been completed.&nbsp;


=== <span style="line-height: 1.2; font-size: larger;">Privacy engineering framework (Started in April 2015. Completed in April 2016)</span> ===
2nd CD was published in November 2022


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
DIS was published in May 2023
|-
| Leaders
| <span style="line-height: 20.8px;">Antonio Kung, Matthias Reinis</span><br/>
|-
| Objective
| Study the concept of privacy engineering and see whether new work items are needed
|-
| Documentation
| Slides presenting motivation for study period by Antonio Kung:&nbsp;[http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf]
|-
| Timeline
| <div style="line-height: 20.8px;">
*Contributions by August 15th 2015.
**<span style="line-height: 20.8px; background-color: rgb(255, 255, 0);">​</span><span style="line-height: 20.8px;">Contribution from PRIPARE.&nbsp;[http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf http://ipen.trialog.com/wiki/File:WG5_N94_PRIPARE_Contribution_SP_Priv_engineer_frmwk_v2.pdf]</span>
*Presentation in Jaipur October 2015
**Summary made to PRIPARE project:&nbsp;[http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf http://ipen.trialog.com/wiki/File:Status_SP_Privacy_Engineering_Framework_October_30th_2015.pdf]
*Contribution in 2016 with liaison to be established with ISO/IEC JTC1/SC7&nbsp;Software and systems engineering
**Contribution made by PRIPARE&nbsp;[http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf http://ipen.trialog.com/wiki/File:SP_Privacy_Engineering_Framework_Report_Tampa.pdf]
*Presentation in Tampa April 2016
*Study period completed
*Followed by ISO/IEC 27550: Privacy engineering, see above
</div>
|}


=== <span style="font-size: larger;">Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)</span> ===
Further to October 2023 plenary, FDIS to be provided


{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leader
| <span style="line-height: 20.8px;">Pascal Pailler, Nat Sakimura, Jaz Hoon Nah</span><br/>
|-
| Objective
| <br/>
|-
| Documentation
| <br/>
|-
|-
| Comments
| Comments
|  
|  
*Initiated in Jaipur (Oct 2015)
It the result of the&nbsp;[https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_engineering_model.C2.A0.28Started_in.C2.A0April_2019.2C_Completed_in_September_2020.29 study period privacy engineering model]
*Replaces SP privacy-respecting identity management scheme using attribute-based credentials&nbsp;<span style="line-height: 20.8px;">(outcome of the ABC4trust FP7 project:&nbsp;</span>[https://abc4trust.eu/ https://abc4trust.eu]<span style="line-height: 20.8px;">,, initiated in April 2014 in Hong Kong), with an extended scope</span>
*<span style="line-height: 20.8px;">Completed.</span>
*<span style="line-height: 20.8px;">Followed by new project&nbsp;: ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)</span>


It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html
|}
|}
</div>


=== <span style="font-size: larger;">Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)</span> ===
=== <span style="font-size: larger;">27562 IS Privacy guidelines for Fintech services</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Nat Sakimura, Mathias Reinis, Elaine Newton
| Heung Youl Youm, Janssen Esguerra
|-
|-
| Objective
| Objective
|  
|  
Collecting errors and correcting inconsistencies
This document provides guidelines on privacy for Fintech services.
 
It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering,&nbsp; fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder.
 
This document can be applicable to all kinds of&nbsp;organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment.&nbsp;


|-
|-
| Documentation
| Documentation
| <br/>
| https://www.iso.org/standard/80395.html
|-
|-
| Comments<br/>
| Calendar
|  
|  
*Completed, has led to a draft amendment (with limited scope)
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">1st WD was provided in April 2021</span>
 
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">2nd WD was provided in October 2021</span>
 
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">3rd WD was provided in May 2022</span>
 
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">1st CD was provided in November 2023</span>


|}
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">2nd CD was provided in May 2023</span>
</div>
=== <span style="font-size: larger;">Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| <span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px; line-height: 20.8px;">Heung Youl Youm,&nbsp;Srinivas Poorsala, Antonio Kung</span><br/>
|-
| Objective
|
*assess the viability of producing guidelines for Privacy in IoT within WG5;
*to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen


|-
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">DIS was provided in November 2023</span>
|
Documentation


| <br/>
|-
|-
| Comments
| Comments
|  
|  
Initiated in Tampa (April 2016)
It the result of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Privacy_for_Fintech_services.C2.A0.28Started_in_October_2019.2C_completed_in_September_2020.29 study period privacy guidelines for Fintech services]


Initial contribution in Abu Dhabi (October 2016)
|}
</div>


Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.
=== <span style="font-size: larger;">27565 IS Guidance on privacy preservation based on zero-knowledge proofs</span> ===


Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"
{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
<div><br/></div>
|}
</div>
=== <span style="font-size: larger;">Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Start/Duration
| April 2017/6 months)
|-
|-
| Leaders
| Leaders
| Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
|-
| Objective
| prepare the materials necessary to initiate an International Standard<br/>coming out of the SC 27 meeting in Berlin (Oct-2017)
|-
|  
|  
Documentation
Bingsheng Zhang, Patrick Curry, Srinivas Poosarla


| <br/>
|-
|-
| Comments
| Objective
|  
|  
Is an SC27/WG4 study periods involving WG4 and WG5.
This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP<br/>functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.
 
Study period is completed and new work item has been proposed ([https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things]).
 
Kickoff expected in Wuhan in WG4
 
|}
</div>
=== <span style="font-size: larger; line-height: 1.2;">PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leader
| Documentation
| Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri<br/>
| https://www.iso.org/standard/80398.html
|-
|-
| Objective
| Calendar
|  
|  
Study mobile application ecosystems from a privacy viewpoint
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">Established in October 2021</span>
 
<span style="line-height: 20.8px;">Collect views of multiple stakeholders in the mobile applications space</span>


<span style="line-height: 20.8px;">Collect mobile apps privacy guidelines issued by various agencies</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">1st WD provided in June 2022</span>


<span style="line-height: 20.8px;">Collate a report on the findings</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">2nd WD provided in November 2022</span>


<span style="line-height: 20.8px;">Potentially provide a new work item proposal</span>
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">3rd WD provided in May 2023</span>


|-
<span style="color: rgb(37, 37, 37); font-family: sans-serif; font-size: 14px;">1st CD provided in Devember 2023</span>
| Documentation
| <br/>
|-
|-
| Comments
| Comments
|  
|  
Initiated in Jaipur (October 2015)
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7748_Guidance_and_practices_for_privacy_preservation_based_on_zero-knowledge_proofs_.28Started_in_April_2021.2C_completed_in_October_2021.29 PWI 7758 Guidance on privacy preservation based on zero knowledge proofs]


|}
|}
<div class="_"></div>
<span style="font-size: larger;"></span>


=== <span style="font-size: larger;">Privacy in smart cities (Started in October 2015. Completed in November 2017)</span> ===
=== <span style="font-size: larger;">27566 IS Age assurance - Framework</span> ===


{| cellpadding="1" cellspacing="1" border="1" style="width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="font-size: 13px; line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari<br/>
|  
Tony Allen
 
|-
|-
| Objective
| Scope
|  
|  
Connect with multiple stakeholders in the smart city space
This document establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.
 
Refer the existing work on smart cities
 
Collate information, feedback, inputs from the stakeholders and draft the guidelines
 
Potentially provide (a) new work item proposal(s) that can translate in guidelines


|-
|-
| Documentation
| Documentation
| <br/>
| https://www.iso.org/standard/80399.html
|-
|-
| Comments
| Calendar
|  
|  
Initiated in Jaipur (October 2015)
Started in February 2023


Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities)&nbsp;
1st working draft provided in May 2023


Presentation in Tampa (April 2016) of intermediate state
|-
 
| Comments
*Liaison with EIP-SCC mentioned (see&nbsp;[https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design https://eu-smartcities.eu/content/citizen-centric-approach-data-privacy-design]).&nbsp;
|
 
It the result of [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#PWI_7732_Age_verification_.28Started_in_April_2021.2C_completed_in_October_2022.29 PWI 7732 Age verification]
Presentation in Abu Dhabi (October 2016) of intermediate state


*Includes contribution from pripare:&nbsp;[https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf https://eu-smartcities.eu/sites/all/files/PRIPARE%20recommendations%20for%20Smart%20cities.pdf]
Further to the October 2023 meeting, the project will be subdivided into 3 parts:


Presentation in Hamilton (April 2017) of intermediate state
*Part 1: Framework


*Includes contribution from pripare&nbsp;[https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf https://ipen.trialog.com/wiki/File:PRIPARE_contribution_to_SP_Privacy_in_Smart_Cities_2017.pdf]
*Part 2: Benchmarks for benchmarking analysis
*Liaison to take place with ISO/IEC WG11 Smart cities in order to discuss the needs for privacy management guidelines
 
Proposal for new work item in Berlin (Nov 2017)


*Part 3: Interoperability, technical architecture and guidelines for use
|}
|}
<div class="_"></div>


<span style="font-size: larger;"></span>


== Active Preliminary Work Items ==


=== <span style="font-size: 16px;">Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)</span> ===
=== <span style="font-size: medium;">PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining&nbsp;&nbsp;(Started in April 2021)</span> ===
<div>
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| <font face="sans-serif" color="#252525"><span style="font-size: 14px;">Mathias Reinis,&nbsp;</span></font>Heung Youl Youm<br/>
|-
| Objective
|  
|  
Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME
Xiaoyuan Bai, Jin Peng


|-
|-
| Objective
|  
|  
Documentation
This document provides the followings:


| <br/>
* a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
* a framework to mitigate the security challenges and concerns.
* detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
* mappings between security challenges and controls.
|-
|-
| Comments
| Documentation
|  
|  
Terminated due to lack of contributions


|}
</div>
=== <span style="font-size: 16px;">Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
|-
| Objective
| <br/>
|-
|-
| Calendar
|  
|  
Documentation
* 1st PWI in June 2021
 
* 2nd PWI in September 2021
| <br/>
* 3rd PWI in January 2022
* 4th PWI in March 2022
* 5th PWI in June 2022
|-
|-
| Comments
| Comments
|  
|  
Has resulted in a NWIP
Is a WG4 project


|}
|}
</div>
</div>
=== <span style="font-size: 16px;">Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)</span> ===
 
<div>
=== <span style="font-size:medium;">PWI 27045 Big data security and privacy - guidelines for data security management framework&nbsp;(Started in April 2021)</span> ===
 
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor<br/>
| Christophe Stenuit, Joanne Knight
| Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng
|-
| Objective
| Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks<br/>
|-
|-
| Scope
|  
|  
Documentation
This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures.
 
This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems.


| <br/>
|-
|-
| Comments<br/>
| Documentation
| New work item proposal
| [https://www.iso.org/standard/63929.html https://www.iso.org/standard/63929.html]<br/>
|}
</div>
=== <span style="font-size: 16px;">Concept of PII Deletion (Started in November 2017. Completed in April 2018)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman<br/>
|-
| Objective
| Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"<br/>
|-
|-
| Calendar
|  
|  
Documentation
*<span style="line-height: 20.8px;">1st PWI was provided in May 2022</span>


| <br/>
|-
|-
| Comments
| Comments
|  
|  
<span style="line-height: 20.8px;">Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:</span>
*<span style="line-height: 20.8px;">1st WD was provided in January 2019</span>
*<span style="line-height: 20.8px;">2nd WD was provided in April 2019</span>
*<span style="line-height: 20.8px;">3rd WD was provided in October 2019</span>
*<span style="line-height: 20.8px;">4th WD was provided in May 2020</span>
*<span style="line-height: 20.8px;">5th WD was provided in November 2020</span>
*<span style="line-height: 20.8px;">6th WG was provided in March 2021</span>
*<span style="line-height: 20.8px;">Project was restarted as a PWI in April 2021 with a new scope</span>


It seems that the project will focus on security only


|}
|}
</div>
=== <span style="font-size: medium;">PWI 27046&nbsp;Big data security and privacy&nbsp;- Implementation guidelines (restarted in April 2023)</span> ===
=== Development of Identify standards landscape standing document (<font size="3" style="line-height: 19.2px;">Started in&nbsp; April 2018, Completed in October 2018)</font> ===
 
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Editor
| Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,<br/>
| Le Yu, Victoria Hailey, Jinghua Min
|-
|-
| Objective
| Scope
|  
|  
<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Create an initial draft of a new SD that would provide:</font></span></font>
This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data
 
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">The scope of the identity standards landscape</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="font-family: Symbol; margin: 0px;"><span style="margin: 0px;">&nbsp;</span></span><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">A register of alignment issues that have been accepted as needing to be resolve</font></span></font>
*<font color="#000000"><span lang="EN-NZ" style="margin: 0px;"><font face="Calibri" size="3">Develop a proposal for the process of maintaining the standing document that includes:</font></span></font>


|-
|-
| Documentation
| [https://www.iso.org/standard/78572.html https://www.iso.org/standard/78572.html]<br/>
|-
| Calendar
|  
|  
Documentation
<span style="line-height: 20.8px;">1st WD was provided in&nbsp;</span>October 2019
 
2nd WD was provided in June 2020
 
3rd WD was provided in November 2020
 
4th WD was provided in April 2021
 
5th WD was provided in April 2022
 
1st CD was provided in October 2022
 
Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)
 


| <br/>
|-
|-
| Comments
| Comments
|  
| Is a WG4 project
|}


 
=== <span style="font-size: medium;">PWI 27564 Privacy models (Started in October 2021)</span> ===
|}
<div>
</div></div>
=== <span style="font-size: 16px;">Identify assurance framework (Started in April 2017. Completed in October 2018)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Patrick Curry, Anthony Nadalin
|  
Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba
 
|-
|-
| Objective
| Objective
| analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next&nbsp;steps towards developing an International Standard (or other mechanisms) for an Identity Assurance&nbsp;Framework.<br/>
|-
|  
|  
Documentation
Scope: PWI will study the value of specifying and maintaining privacy models
 
Tasks:
 
*Study use cases, e.g., connected vehicles, data spaces
*Define models of interest, e.g., protection models, engineering models, ecosystem models.
*Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7
*Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering
*Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317…


| <br/>
|-
|-
| Comments
| Documentation
|  
|  




|}
</div>
=== <span style="font-size: 16px;">Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 1112.79px;"
|-
|-
| Start/duration
| Calendar
|  
|  
April 2017 / 18 months


|-
| Leaders
| Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
|-
| Objective
| define frameworks of user-centric PII handling based on privacy preferences of users
|-
|
Documentation


| <br/>
|-
|-
| Comments
| Comments
|  
|  
Triggered by an initiative from ITU-T for such a framework applied to the IoT. See&nbsp;[https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment]
Initiated as a result of the H2020 project [https://www.pdp4e-project.eu/ PDP4E]
 
In Berlin (November 2017),&nbsp; it was decided to consider 3 options


*extension of 29101
*A report was provided at the April 2023 meeting.
*definition of a generic model
*defintion of specific models


In Wuhan (May 2018), it was decided to prepare a NWIP
*A énd report was provide at the Ocober 2023 meeting


In Gjovik (October 2018), the NWIP was finalised
*A proposal for a technical specification is underway


|}
|}
</div>
</div>
=== <span style="font-size: 16px;">Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)</span> ===
 
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
=== <span style="font-size: medium;">PWI 27568 Security and privacy of digital twins (Started in October 2022)</span> ===
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Leaders
| Malcom Townsend, Heung Youl Youm
|-
| Scope
|  
|  
<span lang="EN-GB" style="margin: 0px;"><font face="Calibri" color="#000000" size="3">This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.</font></span>
Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich


|-
|-
| Objective
|  
|  
Documentation


| <br/>
The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins.
|-
| Comments
|


A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting.


|}
</div></div>
=== Identity Standards Landscape Document Update (<font size="3" style="line-height: 19.2px;">Started in October 2018. Completed in October 2019)</font> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
|-
| Leaders
| Documentation
|  
|  
Andrew Hughes,&nbsp;<span style="background-color: transparent;">Christophe Stenuit,&nbsp;</span><span style="background-color: transparent;">Kai Rannenberg</span>




|-
|-
| Objective
| Calendar
|
<font color="#000000">''S''</font>olicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document
 
|-
|  
|  
Documentation
A first report was provided at the April 2023 meeting.


| <br/>
A second report was provided at the October 2023 meeting.
|-
|-
| Comments
| Comments
|  
|  
 
Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins


|}
|}
</div>


=== <span style="background-color: transparent;">Review of requirements for accredited certification for sector specific ISMS standards (S</span><span style="background-color: transparent; line-height: 18.24px;">tarted in&nbsp;</span><span style="background-color: transparent; font-size: 16px;">April 2019. Completed in October 2019)</span> ===
== <span style="font-size: larger;"><span style="color: rgb(0, 0, 0); font-family: sans-serif; line-height: 19.2px;">Completed Preliminary Work Items or Study Periods</span></span> ==
<div>
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
| Hans Hedbom, Alan Shipman<br/>
|-
| Objective
|
The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.
 
|-
| Comments
|
 


|}
[[Completed study periods and pwis]]
</div></div></div>

Latest revision as of 19:48, 13 December 2023

ISO red.jpgIEC logo.png

Introduction

The objective of this page is to provide a high-level view of activities related to privacy standards in ISO. It does not cover security standards (but it does cover standards that cover both security and privacy).

Most projects are developed within ISO/IEC JTC1/SC27. More info can be found on in the SC27 portal:

Note that the portal will in general contain more information than this wiki, which focuses mainly on work carried out in ISO/IEC JTC1/SC27/WG5.The convenor is Kai Rannenberg, and the vice convenor is Jan SchallaböckWG5 regularly publishes a document a standing document (SG1) on WG5 roadmap. It can be found in [1]

Some of the projects are also carried out in ISO/IEC JTC1/SC27/WG4.The convenor is Johann Amsenga, and the vice convenor is François Lorek

One project is carried out ​within ISO PC317. The convenor is Jan Schallaböck. ISO PC317 focuses on the development of ISO 31700 (Consumer protection: privacy by design for consumer goods and services)

Some conventions on ISO standards

The important things to know concerning ISO standards steps:

Standard
  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • CD: Committee Draft
  • DIS: Draft International Standard
  • FDIS: Final Draft International Standard
  • IS: International Standard
Technical report
  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New work item proposal
  • NP: New work item
  • DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)
  • TR: Technical Report
Technical specification
  • PWI: Preliminary work item (previously SP: Study period in SC27)
  • NWIP: New Work Item Proposal
  • NP: New Work Item
  • WD: Working Draft
  • DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)
  • Technical Specification

Meetings

Progress is finalised in plenary meetings (taking place every 6 months).

Here is a list of meetings that took place or that will take place in SC27.

2014
  • April 7-15, 2014 Hong Kong
  • Oct 20-24, 2014 Mexico City, Mexico
2015
  • May 4-12, 2015 Kuching, Malaysia
  • Oct 26-30, 2015 Jaipur, India
2016
  • April 11-15, 2016  Tampa, USA
  • Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE
2017
  • April 18-22, 2017, Hamilton, New Zealand
  • Oct 30- Nov 3, 2017,  Berlin, Germany
2018
  • April, 16-20 Wuhan, China
  • Sept 30 - Oct 4 - Gjovik, Norway
2019
  • April 1-5, Tel-Aviv, Israel
  • October 14-18, Paris, France
  • 19 October, Paris (jointly with SC27)
2020
  • April 21-26, Virtual meeting
  • Sept 12-16, Virtual meeting
2021
  • April 12-15, Virtual meeting
  • October 19-29, Virtual meeting
2022
  • March 29 - April 8, Virtual meeting
  • Sept 26-30, Hybrid meeting - Luxembourg - 
2023
  • April 17-21, Hybrid meeting - Redmond, US
  • October 16-20, Hybrid meeting - Seoul, Korea

ISO 31700 is dealt with in another committee (PC317). Here is a list of meetings that took place or that will take place in PC317.

2018
  • Nov 1-2, 2018, London
2019
  • Feb 6-8, Berlin (adhoc group)
  • May 20-23, Toronto
  • 19 October, Paris (jointly with SC27)
  • 21-23 October, Paris (colocated with SC27)
2020
  • 17-20 March, Virtual meeting
  • 30 Sept - 2 Oct, Virtual meeting
2021
  • 19-22 March, Virtual meeting
  • 13-17 September, Virtual meeting
2022
  • 16-20 May, Virtual meeting

Privacy references lists

Scope

The WG5 Standing Document 2 contains references with relevant descriptions to privacy-related:

  • Privacy regulatory authorities and regulations.
  • Standards.
  • Guidelines.
  • Newsletters and forums.
  • Organisations and associations.
  • Projects.
  • Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

  • Legal interpretations.
  • Having been legally validated by a global law firm or relevant lawyers.
Documentation https://www.din.de/resource/blob/78924/5ced65e40dcbe6e503c2392c75f3dd1e/sc27wg5-sd2-data.pdf
Calendar

This document is regularly updated

Published standards

19608:2018 TS Guidance for developing security and privacy functional requirements based on 15408

Editor
Naruki Kai
Scope

This Technical Report provides guidance for:

  • developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
  • selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
  • procedure to define both privacy and security functional requirements in a coordinated manner
Documentation https://www.iso.org/standard/65459.html
Calendar

has been moved from TR to TS

Published in October 2018

Comments

20547-4:2020 IS Big data reference architecture - Part 4 - Security and privacy

Editor Jinhua Min, Xuebin Zhou
ScopeS Specifies security and privacy aspects of the big data reference architecture including governance, collection, processing, exchange, storage and identification
Documentation

Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], ​[7]

https://www.iso.org/standard/71278.html

Calendar

1st WD provided in June 2016

2nd WD provided in May 2017

3rd WD provided in November 2017

4th WD provided in April 2018

1st CD provided in November 2018

2nd CD provided in October 2019

DIS published in October 2019

Further to virtual meeting in April 2020, will go for FDIS

Comments 

WG9 is working on the following

  • 20546 : big data overview and vocabulary
  • 20547 : big data reference architecture
    • Part 1: Framework and application process (TR)
    • Part 2: Use cases and derived requirements (TR)
    • Part 3: Reference architecture (IS)
    • Part 4: Security and privacy fabric (IS)
    • Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

  • contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
  • address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

20889:2018 IS Privacy enhancing de-identification terminology and classification of techniques

Editor
Chris Mitchell and Lionel Vodzislawsky
Scope This international standard provides a description of privacy enhancing data de-identification techniques, to be used for describing
and designing de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this International Standard specifies terminology, a classification of de-identification techniques according to their
characteristics, and their applicability for minimizing the risk of re-identification
Documentation

Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf

https://www.iso.org/fr/standard/69373.html

Calendar

1st WD December 2015

2nd WD June 2016

1st CD Devember 2016

2nd CD May 2017

1st DIS January 2018

FDIS August 2018

Published in November 2018

Comments

27006-2:2021 TS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems

Editor Helge Kreutzmann, Fuki Azetsu, Hans Hedbom, Alan Shipman
Scope

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Documentation https://www.iso.org/standard/71676.html
Calendar

Started in Paris October 2019

1st DTS published in July  2020,

2nd DTS published in October 2020

Publication in February 2021

Further to the March 2022 meeting, a revision is underway, at CD level

Comments

27018:2014 - Revision underway - IS Code of practice for protection of PII in public clouds acting as PII processors

Editor

Revision: Ramaswamy Chandramouli, Hendrik Decroos

Scope

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

Documentation

https://www.iso.org/standard/61498.html

Comments

1st published in 2014

Revision underway

Further to the April 2023, discussion is taking place for a revision

27400:2022 IS Security and Privacy for the Internet of Things

Editor
Faud Khan, Koji Nakao, Luc Poulin, Antonio Kung (initial stages)
Scope

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

Documentation https://www.iso.org/standard/44373.html
Calendar

Started in Wuhan April 2018

1st WD provided in June 2018

2nd WD provided in November 2018

3rd WD provided in June 2019

1st CD provided in December 2019

2nd CD provided in May 2020

3rd CD provided in March 2021

DIS provided in April 2021

FDIS provided in January 2022

Published in June 2022

Comments

Follow up of

  • SP Privacy guidelines for IoT (WG5)
  • SP Security guidelines for IoT (WG4)
  • SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

27402:2023 IS IoT security and privacy - Device baseline requirements

Editor Elaine Newton, Amit Elazari Bar On, Faud Khan
Scope

This document provides baseline ICT requirements for IoT devices to support security and privacy controls

Documentation https://www.iso.org/standard/80136.html
Calendar

1st WD was provided in May 2020

1st CD was provided in November 2020

2nd CD was provided in July 2021

DIS was provided in December 2022

FDIS was provided in October 2023

Publication in November 2023

Comments Is a WG4 project. Delay between 2nd CD and DIS was due to discussions on requirements conformance (e.g. 27402 focuses on device requirements rather than device developer requirements)

27550:2019 TR Privacy engineering for system lifecycle processes

Editor
Antonio Kung, Mathias Reinis
Scope

This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

  • it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
  • it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

Documentation

A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E

https://www.iso.org/standard/72024.html

Calendar

1st WD provided in January 2017

2nd WD provided in June 2017

1st PDTR provided in January 2018

2nd PDTR provided in June 2018

3rd PDTR provided in October 2018

Version for publication provided in April 2019

Publication in September 2019

Comments

[Antonio Kung]

  • Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
  • Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

27551:2021 IS Requirements for attribute-based unlinkable entity authentication

Editor
Nat Sakimura, Jaehoon Na, Pascal Pailler
Scope

This International Standard

  • Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
  • Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

Documentation https://www.iso.org/standard/44373.html
Calendar

1st WD provided in April 2017

2nd WD provided in Dec 2017

3rd WD provided in July 2018

4th WD provided in February 2019

1st CD provided in October 2019

DIS provided in November 2019

FDIS provided in September 2020

Published in September 2021

Comments

27555:2021 IS Guidelines on Personally Identifiable Information Deletion

Editor

Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

Scope

This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

  • a harmonised terminology for PII deletion,
  • an approach for defining deletion/de-identification rules in an efficient way,
  • a description of required documentation, and
  • a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

  • specific legal provision, as given by national law or specified in contracts,
  • specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
  • deletion mechanisms including those for cloud storage,
  • security of deletion mechanisms,
  • specific techniques for de-identification of data.
Documentation https://www.iso.org/fr/standard/71673.html
Calendar

1st WD provided in March 2019

2nd WD provided in June 2019

1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)

2nd CD was published in June 2020

DIS was provided in January 2021

FDIS was provided in April 2021

Publication in October 2021

Comments It is based on a German standard

27556:2022 IS User-centric privacy preferences management framework

Editor
Shinsaku Kiyomoto, Antonio Kung, Heung Youl Youm
Scope

This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

Calendar

Established in Gjovik (October 2018)

1st WD provided In June 2019

2nd WD provided in December 2019

1st CD provided in May 2020

2nd CD provided in October 2020

3rd CD provided in April 2021

DIS provided in October 2021

FDIS provided in May 2022

Publication in October 2022

Documentation https://www.iso.org/standard/71674.html
Comments Project named changed from "User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences" to "User-centric privacy preferences management framework"

27557:2022 IS Organizational privacy risk management

Editor

Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

Scope

Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

Documentation https://www.iso.org/standard/71674.html
Calendar

1 st WD was published in May 2020

2nd WD was published in October 2020

1st CD was published in April 2021

DIS was provided in October 2021

FDIS was provided in June 2022

Published in November 2022

27559:2022 IS Privacy-enhancing data de-identification framework

Editor Malcolm Townsend, Santa Borel
Scope

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

Documentation https://www.iso.org/standard/71677.html
Calendar

1st WD was provided in July 2020

2nd WD was provided in February 2021

1st CD was prrovided in April 2021

DIS was provided in October 2021

FDIS was provided in June 2022

Published in November 2022

27560:2023 TS Privacy technologies – Consent record information structure

Editor Jan LIndquist, Andrew Hughes, Kelvin Magtalas
Scope

This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

Documentation https://www.iso.org/standard/80392.html
Calendar

1st WD was provided in May 2020

2nd WD was provided in January 2021

3rd WD was provided in April 2021

4th WD was provided in October 2021

5th WD was provided in June 2022

DTS was provided in October 2022

Publication in August 2023

27563:2023 TR Security and privacy in artificial intelligence use cases - Best practices

Leaders Antonio Kung, Peter Dickman, Heung Youl Youm, Yunwei Zhao, Volker Smoljko, Kelvin Magtalas, Srinivas Poorsala
Objective

This document provides information on how to assess the impact of security and privacy in AI use cases, covering in particular those published in ISO/IEC TR 24030 (Information technology – Artificial Intelligence (AI) – use cases)

Documentation https://www.iso.org/standard/80396.html

ISO/IEC 24030 covers 132 use cases that are described here:  https://standards.iso.org/iso-iec/tr/24030/ed-1/en/Use+cases-v05_electronic_attachment_022021.pdf

ISO/IEC 27563 covers the security of privacy of the 132 use cases, described here: https://standards.iso.org/iso-iec/tr/27563/ed-1/en/Security-privacy-AI-use-cases.pdf

Calendar

Established in October 2021

Draft TR was provided in December 2021

Further to March 2022 meeting, title is changed from Impact of security and privacy in AI use cases to security and privacy in AI use cases, and 2nd Draft TR was provided in May 2022

3rd draft DTR was provided in September 2022

Further to April 2023 meeting, publication was mede in May 2023

Comments

It is the result of phase 1 of PWI 6089 Impact of AI on security and privacy

27570:2021 TS Privacy Guidelines for Smart Cities

Editor Antonio Kung, Heung Youl Youm, Clotilde Cochinaire
Scope

The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

Documentation https://www.iso.org/standard/71678.html
Calendar

1st WD was provided in June 2018 further the Wuhan meeting.

2nd WD was provided in October 2018 further to the Gjovik meeting.

A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.

A 2nd PDTS was provided in November 2019 further to the Paris meeting

A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting

The document will go to publication further to the September 2020 virtual meeting.

The standard was published in January 2021 see following press release: https://www.iso.org/news/ref2631.html

Comments

First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

27701:2019 IS Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

Editor
Alan Shipman, Oliver Weissmann, Srinivas Poosarla, Heung Youl Youm
Scope

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

Documentation https://www.iso.org/standard/71670.html
Calendar

1st WD provided in April 2017

2nd WD provided in June 2017

1st CD provided in April 2018

2nd CD provided in June 2018

DIS provided in March 2019

Publication in August 2019

A revision has been initiated in 2022-10

Further to April 2023 mode, a Final Draft International Standard (FDIS) will be provided

Comments

Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

29100:2011 IS Privacy framework

Editor

Stefan Weiss

Revision : Nat Sakimura

Scope This International Standard provides a framework for defining privacy control requirements related to personally identifiable information within an information and communication technology environment.This International Standard is designed for those individuals who are involved in specifying, procuring, architecting, designing, developing, testing, administering and operating ICT systems.
Documentation Is a free standard : see http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Comments

In the Tampa meeting, a recommendation was made to go for a review (see below study period)

A number of limited modifications have been identified in the Abu Dhabi that will lead to an amendment work

The amended version will be available further to the Berlin meeting

29101:2018 IS Privacy architecture framework

Editor

Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

Scope

This International Standard describes a privacy architecture framework that

  1. describes concerns for ICT systems that process PII;
  2. lists components for the implementation of such systems; and
  3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

Documentation https://www.iso.org/standard/75293.html
Comments Revision initiated in Berlin (November 2017)

29134:2017 IS Guidelines for Privacy impact assessment

Editor Mathias Reinis
Scope

This Standard establishes guidelines for the conduct of privacy impact assessments that are used for the protection of personally identifiable information (PII).

It should be used by organizations that are establishing or operating programs or systems that involve the processing of PII, or that are making significant changes to existing programs or systems. This International Standard also provides guidance on privacy risk treatment options. Privacy Impact Assessments can be conducted at various stages in the life cycle of a programme or systems ranging from the prelaunch phase and decommissioning.

In particular, it will provide a framework for privacy safeguarding and specific method for privacy impact assessment.

It will be applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations and will be relevant to any staff involved in designing or implementing projects which will have an impact on privacy within an organization, including operating data processing systems and services and, where appropriate, external parties supporting such activities.

This Standard describes privacy risk assessment as introduced by ISO/IEC 29100:2011. For the basic elements of the privacy framework and the privacy principles, reference is made to ISO/IEC 29100:2011.

For principles and guidelines on risk management, reference is made to ISO 31000:2009.

Documentation https://www.iso.org/standard/62289.html
Calendar Published in June 2017
Comments

29151:2017 - Revision underway - IS Code of Practice for PII Protection (also a ITU document - ITU-T X.1058)

Editor Heung Youl Youm, Alan Shipman

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park

Scope

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

Documentation

March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf

https://www.iso.org/standard/62726.html

Calendar Published in August 2017

A revision is underway

Comments Also an ITU reference (ITU-T X.gpim)

29184:2020 IS Online privacy notices and consent

Editor
Nat Sakimura, Srinivas Poorsala, Jan Schallaboeck
Scope

This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.

Documentation https://www.iso.org/standard/71678.html
Calendar

1st WD provided in June 2016

2nd WD provided in April 2017

3rd WD provided in June 2017

1nd CD provided in December 2017

2nd CD provided in July 2018

3rd CD provided in January 2019

DIS provided in April 2019

FDIS provided in May 2020

Published in June 2020

Comments

initiated in Jaipur (Oct 2015)

Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

29190:2015 IS Privacy capability assessment model

Editor Alan Shipman
Scope

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

  • specifies steps in assessing processes to determine privacy capability;
  • specifies a set of levels for privacy capability assessment;
  • provides guidance on the key process areas against which privacy capability can be assessed;
  • provides guidance for those implementing process assessment;
  • provides guidance on how to integrate the privacy capability assessment into organizations operations
Documentation https://www.iso.org/standard/45269.html
Calendar
Comments

29191:2012 IS Requirements for partially anonymous, partially unlinkable authentication

Editor
Kazue Sako (NEC)
Scope

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

Documentation https://www.iso.org/standard/45270.html
Comments

Published in December 2012

Under pre-revie

31700-1:2023 IS Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements

Editor

Project leader: Michelle Chibba

Scope

Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

Documentation See https://www.iso.org/standard/76402.html
Calendar
  • Official start date: November 1 2018
  • First meeting: November 1-2 2018, BSI London
  • Adhoc meeting, February 24-24, 2019, DIN Berlin
  • Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
  • Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
  • Third meeting: October 21-23 2019 AFNOR Paris
  • Fourth meeting: March 17-20 2020 Virtual
  • Fifth meeting: Sep 30-Oct 2 2020 Virtual
  • Sixth meeting: April 19-22 2021 Virtual
  • Seventh meeting September 13-17 2021 Virtual
  • Eight meeting May 16-19 2022 Virtual
Versions
  • 1st WD provided in March 2019
  • 2nd WD provided in July 2019
  • 3rd WD provided in Dec 2019
  • 4th WD provided in June 2020
  • 1st CD provided in March 2021
  • 2nd CD provided in May 2021
  • DIS provided in January 2022
  • FDIS provided in June 2022
  • Publication in February 2023
Comments

Note that this is an ISO standard managed by the PC 317 technical committee that is chaired by Jan Schallaboek

Further to the Seventh meeting, a proposal was made to provide a technical report on use cases. 31700 would be changed into a multipart standard
ISO 31700-1 Privacy-by-design for consumer goods and servives - high level requirements
ISO 31700-2 Privacy-by-design for consumer goods and servives - use cases

see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127

31700-2:2023 TR Consumer Protection - Privacy-by-design for consumer goods and services - Use cases

Editor

Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

Scope

This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

Documentation See https://www.iso.org/standard/76402.html
Calendar
  • May 2019 : request for use cases
  • March 2020: creation of AhG on use cases
  • April 2021: continuation of AhG on use cases
  • September 2021: approval to create 31700-2Official start date: November 1 2018
  • June 2022: Draft technical report
  • February 2023: Publication
Versions
  • 1st intenal draft provided in September 2021
  • Draft TR provided in June 2022
Comments

Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases

see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127

Standards in development

5181 IS Security and privacy - Data provenance

Editor Ryan Ko, Jan de Meer, Yi Zhang
Scope

This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.

The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.

Documentation https://www.iso.org/standard/80971.html
Calendar Started in February 2023
Comments Follow-up of PWI 5181 Data provenance

1st WD was provided in March 2023

2nd WD was provided in August 2023

27006-2 IS Requirements for bodies providing audit and certification of information security management systems – Part 2: Privacy information management systems

Editor Kimberly Lucy, Fuki Azetsu, Gigi Robinson
Scope

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Documentation https://www.iso.org/standard/82894.html
Calendar

1st CD was provided in May 2022

2nd CD was provided in November 2022

DIS was provided in May 2023

Further to October 2023 meeting, FDIS to be provided

Comments

Follow-up of ISO/IEC 27006-2 TS


27091 IS Cybersecurity and privacy - Artificial Intelligence - Privacy Protection

Editor Lenora Zimmerman, Antonio Kung, Byoung-Moon Chin
Scope

This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.

Documentation https://www.iso.org/standard/56582.html
Calendar Project started in February 2023
Comments Follow-up of PWI 6089 Impact of Artificial Intelligence on Security and Privacy

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

1st WD was provided in May 2023

Further to October 2023 meeting, 2nd WD will be provided

27403 IS Security techniques - ioT security and privacy - Guidelines for IoT domotics

Editor

Qin QIu, Yanghuichen Lin, Luc Poulin

Scope

This proposal provides guidelines to analyse security and privacy risks and identifies controls that need to be implemented in IoT domotis systems

Documentation https://www.iso.org/standard/78702.html
Calendar

Started in Paris October 2018 with a preliminary version

1st WD provided in October 2019

2nd WD provided in May 2020

3rd WD and 4th WD provided in March 2021

4th WD was provided in April 2021

5th WD was provided in May 2021

6th WD was provided in July 2021

1st CD was provided in January 2022

2nd CD war provided in June 2022

DIS was provided in October 2022

2nd DIS was provided in April 2023

Further to the October meeting, a FDIS version will be provided

Comment Is a WG4 project

27561 IS POMME Privacy operationalization model and method for engineering

Leaders John Sabo, Antonio Kung, Srinivas Poorsala, Dorotea Alessandra de Marco, Aswathy KUMAR&nbsp, Michele Drgon;
Objective

This document describes a model and method to operationalize privacy principles into sets of controls and functional capabilities.

  • the method is described as a process following ISO/IEC/IEEE 24774;
  • it operationalizes ISO/IEC 29100;
  • it is intended for engineers and other practitioners developing systems controlling or processing PII;
  • it is designed for use with other standards and privacy guidance;
  • it supports networked, interdependent applications and systems.
Documentation https://www.iso.org/standard/80394.html
Calendar

1st WD was published in April 2021

2nd WD was published in October 2021

1st CD was published in May 2022

2nd CD was published in November 2022

DIS was published in May 2023

Further to October 2023 plenary, FDIS to be provided

Comments

It the result of the study period privacy engineering model

It is based on OASIS-PMRM http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

27562 IS Privacy guidelines for Fintech services

Leaders Heung Youl Youm, Janssen Esguerra
Objective

This document provides guidelines on privacy for Fintech services.

It identifies all relevant business models and roles in consumer-to-business relation as well as in business-to-business relation, privacy risks, and privacy requirements, which are related to Fintech services. It also considers regulatory requirements, such as those from anti-money laundering,  fraud detection, and countering terrorist financing. It provides privacy controls specific to Fintech services to address the privacy risks, taking in consideration the legal context of the respective business role. The principles are based on the ones described in ISO/IEC 29100 and ISO/IEC 27701 and privacy impact assessment framework described in ISO/IEC 29134 and ISO 31000. It also provides guidelines focussing a set of privacy requirements for each stakeholder.

This document can be applicable to all kinds of organisations such as regulators, Institutions, service providers and product providers in the Fintech service environment. 

Documentation https://www.iso.org/standard/80395.html
Calendar

1st WD was provided in April 2021

2nd WD was provided in October 2021

3rd WD was provided in May 2022

1st CD was provided in November 2023

2nd CD was provided in May 2023

DIS was provided in November 2023

Comments

It the result of the study period privacy guidelines for Fintech services

27565 IS Guidance on privacy preservation based on zero-knowledge proofs

Leaders

Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

Objective

This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP
functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.

Documentation https://www.iso.org/standard/80398.html
Calendar

Established in October 2021

1st WD provided in June 2022

2nd WD provided in November 2022

3rd WD provided in May 2023

1st CD provided in Devember 2023

Comments

It the result of PWI 7758 Guidance on privacy preservation based on zero knowledge proofs

27566 IS Age assurance - Framework

Leaders

Tony Allen

Scope

This document establishes core principles, including privacy, for the purpose of enabling age related eligibility decisions, by setting out a framework for indicators of confidence about age or an age range of a natural person.

Documentation https://www.iso.org/standard/80399.html
Calendar

Started in February 2023

1st working draft provided in May 2023

Comments

It the result of PWI 7732 Age verification

Further to the October 2023 meeting, the project will be subdivided into 3 parts:

  • Part 1: Framework
  • Part 2: Benchmarks for benchmarking analysis
  • Part 3: Interoperability, technical architecture and guidelines for use

Active Preliminary Work Items

PWI 7709 Security and privacy reference architecture for multi-party data fusion and mining  (Started in April 2021)

Leaders

Xiaoyuan Bai, Jin Peng

Objective

This document provides the followings:

  • a typical model of multi-sourced data processing and the stakeholders, and analysis the security concerns, challenges and objectives.
  • a framework to mitigate the security challenges and concerns.
  • detailed guidelines of the “security and privacy controls” which is one of the elements of the framework.
  • mappings between security challenges and controls.
Documentation
Calendar
  • 1st PWI in June 2021
  • 2nd PWI in September 2021
  • 3rd PWI in January 2022
  • 4th PWI in March 2022
  • 5th PWI in June 2022
Comments

Is a WG4 project

PWI 27045 Big data security and privacy - guidelines for data security management framework (Started in April 2021)

Editor
Xiaoyuan Bai - Hongru Zhu - Vicky Hailey - Shiqi Li - Liu Dapeng
Scope

This document provides a data security management framework that helps organizations to build the data security capabilities in the context of big data including guidelines to develop security measures.

This document is applicable to all organizations, regardless of type, size or nature, that develop or use big data systems.

Documentation https://www.iso.org/standard/63929.html
Calendar
  • 1st PWI was provided in May 2022
Comments

Is a WG4 project. An initial projects was started in October 2018 on processes with a different scope:

  • 1st WD was provided in January 2019
  • 2nd WD was provided in April 2019
  • 3rd WD was provided in October 2019
  • 4th WD was provided in May 2020
  • 5th WD was provided in November 2020
  • 6th WG was provided in March 2021
  • Project was restarted as a PWI in April 2021 with a new scope

It seems that the project will focus on security only

PWI 27046 Big data security and privacy - Implementation guidelines (restarted in April 2023)

Editor Le Yu, Victoria Hailey, Jinghua Min
Scope

This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

Documentation https://www.iso.org/standard/78572.html
Calendar

1st WD was provided in October 2019

2nd WD was provided in June 2020

3rd WD was provided in November 2020

4th WD was provided in April 2021

5th WD was provided in April 2022

1st CD was provided in October 2022

Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)


Comments Is a WG4 project

PWI 27564 Privacy models (Started in October 2021)

Leaders

Yod Samuel Martin, Antonio Kung, Jonathan Fox, Michelle Chibba

Objective

Scope: PWI will study the value of specifying and maintaining privacy models

Tasks:

  • Study use cases, e.g., connected vehicles, data spaces
  • Define models of interest, e.g., protection models, engineering models, ecosystem models.
  • Provide guidance on the lifecycle of models. Take into account ISO/IEC/IEEE 24641 (MBSSE), and liaise with SC7
  • Provide guidance for the design of models ensuring a common vision with different viewpoints: citizen, policy, governance, compliance, engineering
  • Explain the relationship with other standards; SC7, SC27, SC41, SC42, PC317…
Documentation


Calendar


Comments

Initiated as a result of the H2020 project PDP4E

  • A report was provided at the April 2023 meeting.
  • A énd report was provide at the Ocober 2023 meeting
  • A proposal for a technical specification is underway

PWI 27568 Security and privacy of digital twins (Started in October 2022)

Leaders

Antonio Kung, Srinivas Poosarla, Heung Youl Youm, Mark Lizar, Vitor Jesus, Vishnu Kanhere, Patrick Curry, Karim Tobich

Objective

The PWI will monitor the progress in standardisation work on digital twins and investigate stakeholders concerns on the security and privacy of digital twins.

A call for contributions will circulated to SC 27/WG 5, and liaison will take place with SC41. A report and recommendation for further work will be prepared for discussion in the next meeting.

Documentation


Calendar

A first report was provided at the April 2023 meeting.

A second report was provided at the October 2023 meeting.

Comments

Needs to liaise with on-going work in ISO/IEC JTC 1/SC 41 IoT and digital twins

Completed Preliminary Work Items or Study Periods

Completed study periods and pwis