Topic-specific policies
ISO/IEC 27045

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27045 — Information technology — Big data security and privacyProcesses [DRAFT]



“Defines process reference, assessment and maturity models for the domain of big data security and privacy. These models are focused on process architecture and the processes used to achieve big data security and privacy, most specifically on the maturity of those processes.”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]


‘Big data’ systems present numerous information security, privacy and technological challenges due to the system complexity, sheer quantity and volatility of the data.


Scope & purpose

The standard is intended to help organisations build or enhance their information security and privacy capabilities relating to big data systems.






This standard was initially proposed in 2017.

Having run off-the-rails in 2021, the drafting project re-started in 2024.

June update Publication is now planned at the end of 2026.

July update The first Working Draft outlines potential threats plus security and privacy controls relating to big data characteristics: volume, velocity, variety, variability, volatility, veracity and value.


Personal comments

The definition of ‘big data’ quoted from ISO/IEC 20456:2019 does not (in my personal, rather jaundiced/cynical opinion) reflect its widespread use in the IT industry at present. “Extensive datasets primarily in the characteristics of volume, variety, velocity, and/or variability that require a scalable architecture for efficient storage, manipulation, and analysis”. Wikipedia is more helpful e.g.:

“Current usage of the term big data tends to refer to the use of predictive analytics, user behavior analytics, or certain other advanced data analytics methods that extract value from data, and seldom to a particular size of data set. "There is little doubt that the quantities of data now available are indeed large, but that's not the most relevant characteristic of this new data ecosystem." Analysis of data sets can find new correlations to "spot business trends, prevent diseases, combat crime and so on." Scientists, business executives, practitioners of medicine, advertising and governments alike regularly meet difficulties with large data-sets in areas including Internet searches, fintech, urban informatics, and business informatics. Scientists encounter limitations in e-Science work, including meteorology, genomics, connectomics, complex physics simulations, biology and environmental research.

It seems to me a defining characteristic is that big data is so big that typical database management systems struggle or are unable to cope with the complexity and dynamics/volatility. Beyond the limits of their scalability, conventional architectures experience constraints and failures, no matter how much raw CPU power, network bandwidth and storage capacity is thrown at the problems. That implies the need for fundamentally different approaches with novel information risks and almost certainly controls. However, it remains to be seen what this standard will actually address in practice: this is cutting-edge stuff.

Hopefully this standard will refer to others for the low-level and relatively conventional data security and privacy controls that apply to small and medium data, focusing instead on the high-level and novel aspects and processes that are unique to big data e.g.:

  • Strategic management of big data sets, big data systems etc., including governance arrangements to monitor and control the management and operational activities as a whole (e.g. overall programme as well as individual project management) and the business/strategy aspects and requirements (e.g. enormous financial investment in huge systems implies enormous expected returns);
  • Architecture and design of big data systems - specifically the data security and privacy aspects including information risk assessment, compliance, ethics, data aggregation, inference, interconnectivity (both within and without the organisation), access controls, metadata management and security, resilience etc.;
  • Operation and use of big data systems e.g. how to classify and segregate data and functions, how to determine/define and assign access rights/permissions, what privacy and security roles and responsibilities might be appropriate;
  • Maintenance and support of big data systems, including their security and privacy aspects;
  • Capacity and performance management including the dynamics and challenges arising;
  • Incident management, change management and so on (adapting conventional processes for the big data environment).

Potentially, the standard could get into advanced/cutting-edge data/system security controls and privacy approaches involving artificial intelligence, instrumentation, anomaly and fraud detection, automated responses etc. ... but I suspect the standard’s initial release will be more basic, and it appears to be focused on the processes rather than technologies (we’ll see how that turns out in practice!).



< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights