ISO

• PWI: Preliminary work item (previously SP: Study period in SC27)
• NWIP: New Work Item Proposal
• NP: New Work Item
• WD: Working Draft
• CD: Committee Draft
• DIS: Draft International Standard
• FDIS: Final Draft International Standard
• IS: International Standard

• PWI: Preliminary work item (previously SP: Study period in SC27)
• NWIP: New work item proposal
• NP: New work item
• DTR: Draft Technical Report (formerly PDTR: Preliminary Draft Technical Report)
• TR: Technical Report

• PWI: Preliminary work item (previously SP: Study period in SC27)
• NWIP: New Work Item Proposal
• NP: New Work Item
• WD: Working Draft
• DTS: Draft Technical Specification  (formerly PDTS: Preliminary Draft Technical Specification)
• Technical Specification

• April 7-15, 2014 Hong Kong
• Oct 20-24, 2014 Mexico City, Mexico

• May 4-12, 2015 Kuching, Malaysia
• Oct 26-30, 2015 Jaipur, India

• April 11-15, 2016  Tampa, USA
• Oct 23 (sunday) - 27 (thursday), 2016, Abu Dhabi, UAE

• April 18-22, 2017, Hamilton, New Zealand
• Oct 30- Nov 3, 2017,  Berlin, Germany

• April, 16-20 Wuhan, China
• Sept 30 - Oct 4 - Gjovik, Norway

• April 1-5, Tel-Aviv, Israel
• October 14-18, Paris, France
• 19 October, Paris (jointly with SC27)

• April 21-26, Virtual meeting
• Sept 12-16, Virtual meeting

• April 12-15, Virtual meeting
• October 19-29, Virtual meeting

• March 29 - April 8, Virtual meeting
• Sept 26-30, Hybrid meeting - Luxembourg - 

• April 17-21, Hybrid meeting - Redmond, US
• October 16-20, Hybrid meeting - Seoul, Korea

• April 8-12, Hybrid meeting - Manchester, UK
• September 26 - October 5, Virtual

• March 10-14, Hybrid meeting - Fairfax USA

• Nov 1-2, 2018, London

• Feb 6-8, Berlin (adhoc group)
• May 20-23, Toronto
• 19 October, Paris (jointly with SC27)
• 21-23 October, Paris (colocated with SC27)

• 17-20 March, Virtual meeting
• 30 Sept - 2 Oct, Virtual meeting

• 19-22 March, Virtual meeting
• 13-17 September, Virtual meeting

• 16-20 May, Virtual meeting

The WG5 Standing Document 2 contains references with relevant descriptions to privacy-related:

• Privacy regulatory authorities and regulations.
• Standards.
• Guidelines.
• Newsletters and forums.
• Organisations and associations.
• Projects.
• Data retention periods.

The WG5 Standing Document 2 shall not be considered as:

• Legal interpretations.
• Having been legally validated by a global law firm or relevant lawyers.

This document is regularly updated

This Technical Report provides guidance for:

• developing privacy functional requirements as extended components based on privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2
• selecting and specifying Security Functional Requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII)
• procedure to define both privacy and security functional requirements in a coordinated manner

has been moved from TR to TS

Published in October 2018

Is the follow-up of the NIST initiative for a big data interoperability framework. Reports are available there: [1], [2], [3], [4], [5], [6], ​[7]

https://www.iso.org/standard/71278.html

• 1st WD provided in June 2016
• 2nd WD provided in May 2017
• 3rd WD provided in November 2017
• 4th WD provided in April 2018
• 1st CD provided in November 2018
• 2nd CD provided in October 2019
• DIS published in October 2019
• FDIS publised in May 2020
• Published in September 2020

WG9 is working on the following

• 20546 : big data overview and vocabulary
• 20547 : big data reference architecture
  • Part 1: Framework and application process (TR)
  • Part 2: Use cases and derived requirements (TR)
  • Part 3: Reference architecture (IS)
  • Part 4: Security and privacy fabric (IS)
  • Part 5: Standards roadmap (TR)

Part 4 is transferred to SC27 for development, with close liaison with WG 9

[Antonio Kung] The 20547 reference architecture should be instantiated into domain specific real architectures (e.g. health, transport, energy...). 20547-4 should therefore

• contain the generic elements that could be the starting point to derive a domain specific security and privacy fabric
• address the 5 Vs concern (volume, velocity, variety, veracity, value)

Further to Berlin meeting, decision to change title (term fabric is removed)

Slides presented by Chris Mitchel during IPEN workshop (June 5th 2015): http://ipen.trialog.com/wiki/File:CM_slide_for_150605.pdf

https://www.iso.org/fr/standard/69373.html

• 1st WD December 2015
• 2nd WD June 2016
• 1st CD Devember 2016
• 2nd CD May 2017
• 1st DIS January 2018
• FDIS August 2018
• Published in November 2018

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

Conformance to the requirements contained in this document needs to be demonstrated in terms of competence and reliability by certification body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for certification body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

• Started in Paris October 2019
• 1st DTS published in July 2020,
• 2nd DTS published in October 2020
• Publication in February 2021
• Further to the March 2022 meeting, a revision is underway. This project has been renumbered to 27706 and renamed to Requirements for bodies providing audit and certification of

privacy information management systems (see link below)

Editor

Revision: Ramaswamy Chandramouli, Hendrik Decroos

This International Standard establishes control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. The standard concerns public cloud only and cloud service providers acting as PII processors.

https://www.iso.org/standard/61498.html

• published in 2014
• Revision underway
• Further to the April 2023 meeting, discussion is taking place for a revision

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).

• Started in Wuhan April 2018
• 1st WD provided in June 2018
• 2nd WD provided in November 2018
• 3rd WD provided in June 2019
• 1st CD provided in December 2019
• 2nd CD provided in May 2020
• 3rd CD provided in March 2021
• DIS provided in April 2021
• FDIS provided in January 2022
• Published in June 2022

Follow up of

• SP Privacy guidelines for IoT (WG5)
• SP Security guidelines for IoT (WG4)
• SP Security and privacy guidelines for IoT (WG4 with participation of WG5)

Aprll 2020: Renamed from 27030 to 27400

This document provides baseline ICT requirements for IoT devices to support security and privacy controls

• 1st WD provided in May 2020
• 1st CD provided in November 2020
• 2nd CD provided in July 2021
• DIS provided in December 2022
• FDIS provided in October 2023
• Publication in November 2023

Qin QIu, Yanghuichen Lin, Luc Poulin

This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.

Started in Paris October 2018 with a preliminary version

• 1st WD provided in October 2019
• 2nd WD provided in May 2020
• 3rd WD provided in March 2021
• 4th WD provided in April 2021
• 5th WD provided in May 2021
• 6th WD provided in July 2021
• 1st CD provided in January 2022
• 2nd CD provided in June 2022
• DIS provided in October 2022
• 2nd DIS provided in April 2023
• FDIS provided in January 2024
• Publication in June 20é4

This technical report provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into their engineering practices:

• it describes the relationship between privacy engineering and other engineering viewpoints (system engineering, security engineering, risk management);
• it describes privacy engineering activities in key engineering processes such as knowledge management, risk management, requirement analysis, architecture design;

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organisations responsible for privacy, development, product management, marketing, and operations

A youtube presentation on privacy engineering: https://www.youtube.com/watch?v=BymNvbmSr2E

https://www.iso.org/standard/72024.html

• 1st WD provided in January 2017
• 2nd WD provided in June 2017
• 1st PDTR provided in January 2018
• 2nd PDTR provided in June 2018
• 3rd PDTR provided in October 2018
• Version for publication provided in April 2019
• Publication in September 2019

[Antonio Kung]

• Follows ISO/IEC 15288 Systems and software engineering -- System life cycle processes
• Integrates major results from NIST 8062, CNIL PIA, ULD proposal on privacy protection goals (unlinkability, transparency, intervenabilty), LINDDUN threat analysis and mitigation taxonomy, Radboud university design strategies

This International Standard

• Defines a framework including terms, entity roles and interactions for attribute-based unlinkable entity authentication, and
• Specifies requirements for attribute-based unlinkable entity authentication implementations.

This International Standard is applicable to any information system that performs attribute-based unlinkable entity authentication

• 1st WD provided in April 2017
• 2nd WD provided in Dec 2017
• 3rd WD provided in July 2018
• 4th WD provided in February 2019
• 1st CD provided in October 2019
• DIS provided in November 2019
• FDIS provided in September 2020
• Published in September 2021

Dorotea Alessandra de Marco, Yan Sun, Volker Hammer

This document specifies the conceptual framework for deletion of PII. It gives guidelines for establishing organizational policies that embrace concepts presented by specifying:

• a harmonised terminology for PII deletion,
• an approach for defining deletion/de-identification rules in an efficient way,
• a description of required documentation, and
• a definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII and other personal data is being stored or processed. This document does not address:

• specific legal provision, as given by national law or specified in contracts,
• specific deletion rules for particular types of PII as are to be defined by PII controllers for processing????
• deletion mechanisms including those for cloud storage,
• security of deletion mechanisms,
• specific techniques for de-identification of data.

• 1st WD provided in March 2019
• 2nd WD provided in June 2019
• 1st CD provided in December 2019.  Title changed (former title: establishing a PII deletion concept in organisations)
• 2nd CD was published in June 2020
• DIS was provided in January 2021
• FDIS was provided in April 2021
• Publication in October 2021

This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

• Established in Gjovik (October 2018)
• 1st WD provided In June 2019
• 2nd WD provided in December 2019
• 1st CD provided in May 2020
• 2nd CD provided in October 2020
• 3rd CD provided in April 2021
• DIS provided in October 2021
• FDIS provided in May 2022
• Publication in October 2022

Kimberly Lucy, Markus Gierschmann, Kelvin Magtalas, Carlo Harpes

Provides guidelines for organizational privacy risk management. 

Designed to provide guidance to organizations processing personally identifiable information (PII) for integrating risks to the organization related to the processing of PII, including the privacy impact to individuals, as part of an organizational privacy risk management program.

Assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization, and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701:2019).
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are organizations processing PII, or developing products and services that can be used to process PII.

• 1st WD was published in May 2020
• 2nd WD was published in October 2020
• 1st CD was published in April 2021
• DIS was provided in October 2021
• FDIS was provided in June 2022
• Published in November 2022

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations implementing data de-identification processes for privacy enhancing purposes.

• 1st WD was provided in July 2020
• 2nd WD was provided in February 2021
• 1st CD was prrovided in April 2021
• DIS was provided in October 2021
• FDIS was provided in June 2022
• Published in November 2022

This document specifies an interoperable, open and extensible information structure for recording PII Principals' or data subjects' consent to data processing. This document further provides guidance on the use of consent receipts and consent records associated with a PII Principal's data processing consent to support the:

— provision of a record of the consent to the PII Principal;

— exchange of consent information between information systems; and,

— management of the lifecycle of the recorded consent.  

• 1st WD was provided in May 2020
• 2nd WD was provided in January 2021
• 3rd WD was provided in April 2021
• 4th WD was provided in October 2021
• 5th WD was provided in June 2022
• DTS was provided in October 2022
• Publication in August 2023

The document takes into account a multiple agency as well as a citizen centric viewpoint, and provides guidance on how privacy standards can be used at a global level and at an organisational level for the benefit of citizens

 This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that provides service in the smart city environments

• 1st WD was provided in June 2018 further the Wuhan meeting.
• 2nd WD was provided in October 2018 further to the Gjovik meeting.
• A 1st PDTS was provided in May 2019 further to the Tel Aviv meeting.
• A 2nd PDTS was provided in November 2019 further to the Paris meeting
• A 3rd PDTS was provided in May 2020 further to the April 2020 virtual meeting
• The document will go to publication further to the September 2020 virtual meeting.
• The standard was published in January 2021 see following press release: https://www.iso.org/news/ref2631.html
• The standard was confimed in October 2024

First ecosystem oriented standard for privacy

Follow up of SP Privacy in Smart cities

Liaison will take place with WG11 (smart cities), SC40 (IT Service Management and IT Governance), TC268/SC1/WG4 (sustainable cities and communities), EIP-SCC (European Innovation Platform - Smart Cities and Communities)

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

In particular, this document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Excluding any of the requirements specified in clause 5 of this document is not acceptable when an organization claims conformity to this document.

• 1st WD provided in April 2017
• 2nd WD provided in June 2017
• 1st CD provided in April 2018
• 2nd CD provided in June 2018
• DIS provided in March 2019
• Publication in August 2019
• A revision has been initiated in October 2022

Was initially ISO/IEC 27552. Was renamed to ISO/IEC 27701 in August 2019

A second version is underway since Mid 2023 with a title change: Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance

Stefan Weiss

Revision : Nat Sakimura, Jan Schallaboeck

• Revision published in February 2024

Stefan Weiss and Dan Bogdanov,

For revision: Nat Sakimura, Shinsaku Kiyomoto

This International Standard describes a privacy architecture framework that

1. describes concerns for ICT systems that process PII;
2. lists components for the implementation of such systems; and
3. provides architectural views contextualizing these components.

This International Standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.

• 1st edition published in april 2013
• Current edition confirmed in May 2024

This document gives guidelines for:

• a process on privacy impact assessments, and
• a structure and content of a PIA report.

It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.

This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

• Is the second edition. First edition was published in 2017

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

March 3rd presentation made by editor during an informal confcall with Dawn Jutla (OASIS) and Antonio Kung (PRIPARE): http://ipen.trialog.com/wiki/File:X.gpim-29151_oasis.pdf

https://www.iso.org/standard/62726.html

• Published in August 2017
• PWI 8888 to prepare revision in March 2023
• 1st CD of revision provided in October 2023
• 2nd CD of revision to be provided in Apri 2924

This document is a specification for the content and the structure of online privacy notices as well as the process of requesting consent to collect and process PII from a PII principal.

This document is applicable to all situations, where a PII controller or any other entity processing PII interacts with PII principals in any online context.

https://www.iso.org/standard/71678.html

• 1st WD provided in June 2016
• 2nd WD provided in April 2017
• 3rd WD provided in June 2017
• 1st CD provided in December 2017
• 2nd CD provided in July 2018
• 3rd CD provided in March 2019
• DIS provided in may 2019
• FDIS provide in march 2020
• Publication in June 2020

Initiated in Jaipur (Oct 2015) Follows Study Period initiated in Kuching (May 2015) User friendly online privacy notice and consent

This International Standard provides organizations with high-level guidance about how to assess their capability to manage privacy-related processes. In particular, it:

• specifies steps in assessing processes to determine privacy capability;
• specifies a set of levels for privacy capability assessment;
• provides guidance on the key process areas against which privacy capability can be assessed;
• provides guidance for those implementing process assessment;
• provides guidance on how to integrate the privacy capability assessment into organizations operations

This International Standard defines requirements on relative anonymity with identity escrow based on the model of authentication and authorization using group signature techniques.

This document provides guidance to the use of group signatures for data minimization and user convenience.

This guideline is applicable in use cases where authentication or authorization is needed.

It allows the users to control their anonymity within a group of registered users by choosing designated escrow agents.

• Published in December 2012
• Minor revision for FDIS in July 2024

Project leader: Michelle Chibba

Specification of the design process to provide consumer goods and services that meet consumers’ domestic processing privacy needs as well as the personal privacy requirements of Data Protection.

In order to protect consumer privacy the functional scope includes security in order to prevent unauthorized access to data as fundamental to consumer privacy, and consumer privacy control with respect to access to a person’s data and their authorized use for specific purposes.

The process is to be based on the ISO 9001 continuous quality improvement process and ISO 10377 product safety by design guidance, as well as incorporating privacy design JTC1 security and privacy good practices, in a manner suitable for consumer goods and services

• Official start date: November 1 2018
• First meeting: November 1-2 2018, BSI London
• Adhoc meeting, February 24-24, 2019, DIN Berlin
• Second meeting : May 21-23 2018, Toronto, where 1st working draft will be discussed
• Joint JTC1/SC27/WG5 and PC317/WG1 meeting: October 19th 2019, Paris
• Third meeting: October 21-23 2019 AFNOR Paris
• Fourth meeting: March 17-20 2020 Virtual
• Fifth meeting: Sep 30-Oct 2 2020 Virtual
• Sixth meeting: April 19-22 2021 Virtual
• Seventh meeting September 13-17 2021 Virtual
• Eight meeting May 16-19 2022 Virtual

• 1st WD provided in March 2019
• 2nd WD provided in July 2019
• 3rd WD provided in Dec 2019
• 4th WD provided in June 2020
• 1st CD provided in March 2021
• 2nd CD provided in May 2021
• DIS provided in January 2022
• FDIS provided in June 2022
• Publication in February 2023

Note that this is an ISO standard managed by the PC 317 technical committee that is chaired by Jan Schallaboek

see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127

Project leader: Michelle Chibba

Draft provided by AhG use cases: Antonio Kung (Ahg Convenor), Rae Dulmage, Peter Esisenegger, Gail Magnusson, Rusne Juozapaitene, Dorotea de Marco

This document provides suggestions on how to use ISO 31700-1 as well as use cases illustrating the application of ISO 31700-1.

The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

• May 2019 : request for use cases
• March 2020: creation of AhG on use cases
• April 2021: continuation of AhG on use cases
• September 2021: approval to create 31700-2Official start date: November 1 2018
• June 2022: Draft technical report
• February 2023: Publication

• 1st intenal draft provided in September 2021
• Draft TR provided in June 2022

Includes 3 use case: on-line retainling, fitness company, and smart locks. Note that the last two use cases are IoT use cases

see launch event : https://www.eventbrite.co.uk/e/launch-event-iso-31700-privacy-by-design-for-consumer-goods-and-services-tickets-488718479127

This document provides guidelines, methodology and techniques for deriving securely information denoted to as provenance metadata about data assets from multiple sources, intermediaries or users.

• 1st WD provided in March 2023
• 2nd WD provided in August 2023
• 3rd WD provided in December 2023
• 1st CD provided in June 2024
• 2nd CD provided in November 2024
• 3rd CD to be provided further to fairfax meeting in March 2025

The purpose of this document is to provide guidance on the methods to quantify the amount of personal information in a data set when that data contains information about the characteristics of, actions of, or relationships to, natural persons. This guidance on the quantification of the level of personal information can further inform the considerations for appropriate use, sharing and exchange of such data. This document is a high level, principles-based advisory standard which sets out terms and concepts, that can be referenced by organizations, persons and systems that use data.

• 1st WD provided in October 2024
• 2nd WD to be provided in May 2025

Editor

Revision: Ramaswamy Chandramouli, Hendrik Decroos

This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in line with the privacy principles in ISO/IEC 29100: for the public cloud computing environment.

In particular, this document specifies guidelines based on ISO/IEC 27002:2022, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.

The guidelines in this document can also be relevant to organizations acting as PII controllers. Hence this document is not meant to be used for certification purposes.

https://www.iso.org/standard/61498.html

• published in 2014
• Revision underway
• DIS provided in October 2023
• FDIS provided in October 2024

Dapeng Liu, Victoria Hailey, Shiqi Li

This document provides guidance on how to navigate the threats that can arise during the big data life cycle from the various big data characteristics that are unique to big data: volume, velocity, variety, variability, volatility, veracity and value, including when using big data for the design and implementation of AI systems. This document can help organizations build or enhance their big data security and privacy capabilities, including when using big data in the development and use of AI systems. This document is applicable to all organizations that develop or use big data systems, regardless of their type, size or purpose.

• 1sd WD was provided in July 2024
• 2nd WD Was provided in December 2024
• 3rd WD to be provided further to Fairfax March 2025 meeting

Follow-up of PWI 27045

This document provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that develop or use AI systems.

Is also the counterpart of ISO/IEC 27090 Cybersecurity and privacy — Artificial Intelligence — Guidance for addressing security threats and failures in artificial intelligence systems (under development)

• 1st WD provided in May 2023
• 2nd WD provided in October 2023
• 3rd WD provided in December 2024
• 1st CD to be provided in April 2025

This document specifies an interoperable, open, and extensible information structure for recording information relevant to the processing of Personally Identifiable Information (PII). This document further provides guidance on the use of this information to support the:

— provision of a record of PII processing to another entity within or outside the organisation;

— provision of a PII processing record to the PII Principal in the form of a ‘Privacy Receipt’;

— exchange of PII processing information i.e. information on how PII is processed between information systems; and,

— management of the lifecycle of PII processing as based on the use of a specific lawful basis.

• 1st WD to be provided in July 2025

Bingsheng Zhang, Patrick Curry, Srinivas Poosarla

This document provides guidelines on using zero knowledge proofs (ZKP) to improve privacy by reducing the risks associated with the sharing or transmission of personal data between organisations and users by minimizing the information shared. It will include several ZKP
functional requirements relevant to a range of different business use cases, then describes show different ZKP models can be used to meet those functional requirements securely.

• Established in October 2021
• 1st WD provided in June 2022
• 2nd WD provided in November 2022
• 3rd WD provided in May 2023
• 1st CD provided in December 2023
• 2nd CD provided in May 2024
• DIS provided in October 2024
• 2nd DIS to be provided in April 2025

It the result of PWI 7758 Guidance on privacy preservation based on zero knowledge proofs

Tony Allen, Denis Pinkas, Mark Svancarek

This document establishes core principles, including privacy and security, for the purpose of enabling age-related eligibility decisions

• Started in May 2023
• 1st WD provided in December 2023
• 2nd WD provided in March 2024
• 1st CD provided in July 2024
• DIS provided in October 2024
• Treatment of DIS still on-going

It the result of PWI 7732 Age verification

Tony Allen, Denis Pinkas, Mark Svancarek

This document establishes approaches to specifying, differentiating and comparing characteristics of age assurance methods and components during an evaluation.

• Started in October 2023
• 1st WD provided in December 2023
• 2nd WD provided in July 2024
• 3rd WD to be provided in April 2025

It the result of PWI 7732 Age verification

Former title: Benchmarks for benchmarking analysis

This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

Guidance is provided to assist in the implementation of the controls in this document.

This document is intended for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

• A revision has been initiated in October 2022
• FDIS provided in June 2023
• New format CD provided in October 2023
• New DIS provided in June 2024
• New FDIS provided in January 2025

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006-1. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.

The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.

NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

• 1st CD was provided in May 2022
• 2nd CD was provided in November 2022
• DIS was provided in May 2023
• Further to October 2023 meeting, document is being restructured
• DIS submitted in July 2024
• FDIS submitted in November 2024

Follow-up of ISO/IEC 27006-2 TS

Editors for revision: Heung Youl Youm, Alan Shipman, Erik Boucher, Sungchae Park

This International Standard establishes commonly accepted control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of Personally Identifiable Information (PII).

In particular, this International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for processing PII which may be applicable within the context of an organization's information security risk environment(s).

This International Standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which process PII, as part of their information processing.

https://www.iso.org/standard/62726.html

• Preparation of revision started in September 2023
• 1st CD provided in February 2024
• 2nd CD provided in May 2024
• DIS provided in October 2024
• 2nd DIS to be provided in April 2025

This proposal aims to analyze challenges and risks of big data security and privacy, and proposes guidelines for implmentation of big data secuirty and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data

• 1st WD was provided in October 2019
• 2nd WD was provided in June 2020
• 3rd WD was provided in November 2020
• 4th WD was provided in April 2021
• 5th WD was provided in April 2022
• 1st CD was provided in October 2022
• Further to April 2023 meeting, this project will be reverted to preliminary work item (PWI)

Tony Allen, Denis Pinkas, Mark Svancarek

This document provides guidelines for interoperability, technical architecture and use of age assurance systems.

• Started in November 2023
• 1st PWI text provided in December 2023
• 2nd PWI text provided in March 2024
• NP voted on September 2024

It the result of PWI 7732 Age verification

Hee Bong Choi, Hoon Jae Lee, Antonio Kung, Rusne Juozapaitiene, Vishnu Kanhere, HyunDuk Shin

This PWI aims to analysis a landscape of elements, personal identifiable information (PII), privacy threats, and privacy protection measures in the metaverse framework. The PWI provides a landscape of regulations, industry approaches and standards development in order to protect PII in the metaverse frameworks. It will:

• Identify elements of metaverse frameworks;

• Outline an architectural framework(s);

• Describe key concepts and terminology, including definitions where possible;

• Define privacy problems, including PII, threats, environment; and

• Suggest NWIP as needed.

Additionally, if collaboration with other SCs such as SC 24 is needed, this PWI may suggest joint work to enhance standardization harmonization;