

ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)



“This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.”
[Source: ISO/IEC 27556:2022]


The standard lays out a “user-centric framework” (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations.

The standard outlines a mechanism for organisations handling personal data to comply with the data subject’s privacy requirements, even as the organisations share and collaborate on processing the data.


Scope of the standard

The standard describes a generic high-level system architecture without specifying the content and format of privacy preference information.

The architecture, in turn, informs the design and implementation of IT systems that handle personal information and communicate it between organisations while managing the privacy preferences of the data subjects (known as ‘PII Principals’ in the standard, i.e. the people whose personal information is being handled).

The standard expands upon ISO/IEC 29100’s “Privacy framework”.


Content of the standard

The 3 main clauses are:

  1. User-centric framework for handling PII.
  2. Requirements and recommendations for the Privacy Preference Manager (PPM), defined as a “component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences”; the PPM is normally an IT system component rather than a person.
  3. Further considerations for the PPM in a Privacy Information Management System.

plus 4 annexes:

  • Use cases of PII handling based on privacy preferences
  • Identifying an actor serving as a component for each example service
  • Guidance on configuration of privacy preferences management
  • Supporting the design of a privacy preference management
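To make the two PPM capabilities concrete (a PII principal expressing preferences, and PII processing being monitored against them, including onward transfer to a second organisation), here is an added illustration written for this page. It is not code from ISO/IEC 27556 or from any vendor: the standard deliberately leaves the content and format of preference information unspecified, so the category/purpose taxonomy, the `Preference` fields, the JSON export shape and the organisation names below are all assumptions made for the sketch.

```python
"""Hypothetical Privacy Preference Manager (PPM) sketch.

Added illustration for this page, not code from ISO/IEC 27556. The
preference schema, purposes, organisation names and JSON format are
assumptions; the standard does not prescribe any of them.
"""
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Preference:
    """One statement by a PII principal about one (category, purpose) pair."""
    category: str                            # kind of PII, e.g. "contact_details" (assumed taxonomy)
    purpose: str                             # processing purpose, e.g. "order_fulfilment"
    allowed: bool                            # may the controller process it for that purpose?
    shareable_with: frozenset = frozenset()  # other organisations that may receive it


@dataclass
class PrivacyPreferenceManager:
    """Records preferences (capability 1) and monitors processing events (capability 2)."""
    _prefs: dict = field(default_factory=dict)     # principal_id -> {(category, purpose): Preference}
    audit_log: list = field(default_factory=list)  # every monitored event, allowed or denied

    # Capability 1: the PII principal expresses (or later revises) a preference.
    def express(self, principal_id: str, pref: Preference) -> None:
        self._prefs.setdefault(principal_id, {})[(pref.category, pref.purpose)] = pref

    # Capability 2: monitor one processing event against the stated preferences.
    # Default is DENY: with no affirmative preference on record, nothing is processed.
    def check(self, principal_id: str, category: str, purpose: str,
              controller: str, recipient: Optional[str] = None) -> Decision:
        pref = self._prefs.get(principal_id, {}).get((category, purpose))
        if pref is None or not pref.allowed:
            decision, reason = Decision.DENY, "no affirmative preference for this category/purpose"
        elif recipient not in (None, controller) and recipient not in pref.shareable_with:
            decision, reason = Decision.DENY, f"onward transfer to {recipient} not permitted"
        else:
            decision, reason = Decision.ALLOW, "matches stated preference"
        self.audit_log.append({
            "principal": principal_id, "category": category, "purpose": purpose,
            "controller": controller, "recipient": recipient,
            "decision": decision.value, "reason": reason,
        })
        return decision

    # Portability between organisations: serialise one principal's preferences so a
    # second organisation's PPM can enforce the same choices. JSON shape is assumed.
    def export_preferences(self, principal_id: str) -> str:
        prefs = self._prefs.get(principal_id, {}).values()
        return json.dumps([{
            "category": p.category, "purpose": p.purpose, "allowed": p.allowed,
            "shareable_with": sorted(p.shareable_with),
        } for p in prefs], sort_keys=True)

    def import_preferences(self, principal_id: str, document: str) -> int:
        items = json.loads(document)
        for item in items:
            self.express(principal_id, Preference(
                item["category"], item["purpose"], item["allowed"],
                frozenset(item["shareable_with"])))
        return len(items)


def violations(ppm: PrivacyPreferenceManager) -> list:
    """Denied events from the audit log: the monitoring output a privacy officer would review."""
    return [e for e in ppm.audit_log if e["decision"] == Decision.DENY.value]


if __name__ == "__main__":
    # Constructed sample: the principal lets a shop use contact details to fulfil
    # orders and pass them to one courier, and nothing else.
    shop = PrivacyPreferenceManager()
    shop.express("principal-1", Preference("contact_details", "order_fulfilment", True,
                                           frozenset({"courier-co"})))
    shop.check("principal-1", "contact_details", "order_fulfilment", controller="shop-co")
    shop.check("principal-1", "contact_details", "order_fulfilment", controller="shop-co",
               recipient="ad-network")                                               # denied
    shop.check("principal-1", "contact_details", "marketing", controller="shop-co")  # denied

    # The courier imports the same preferences and enforces them independently.
    courier = PrivacyPreferenceManager()
    courier.import_preferences("principal-1", shop.export_preferences("principal-1"))
    courier.check("principal-1", "contact_details", "marketing", controller="courier-co")  # denied
    for event in violations(shop) + violations(courier):
        print(event)
```

The two design choices worth copying are the default-deny lookup (an absent preference is treated as a refusal, which is the privacy-by-design default rather than an opt-out) and the fact that every check, allowed or not, lands in the audit log, since the standard's second capability is monitoring rather than mere gatekeeping.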



The standard was first published in 2022.


Personal comments

I appreciate the intent to standardise the handling and management of users’ privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems and companies to exploit every scrap of personal information they can obtain, it may take even stronger pressure from regulators and legislators on behalf of private individuals to see this widely adopted in practice. So, watch this space.












Copyright © 2024 IsecT Ltd. Contact us re Intellectual Property Rights