

ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence Privacy protection [DRAFT]



“ISO/IEC 27091 provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in this document helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks ...”
[Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]


By gathering and processing substantial quantities of information, AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people - unless appropriate privacy arrangements are made.


Scope of the standard

Applies to organisations that develop or use AI systems.


Content of the standard

The project started in 2023.

The standard is at Working Draft stage and is due to be published in 2026.


Personal comments

The project proposal indicates that the standard will identify privacy risks typically applicable to AI/ML, and describe the corresponding privacy controls - in other words, the standard will promote a risk-based approach, which sounds good to me.

In line with the risk treatments noted in ISO/IEC 27005, I hope it will also mention the possibility of accepting, sharing or avoiding privacy risks, aside from mitigating them with privacy controls.



Copyright © 2024 IsecT Ltd.