

ISO/IEC PRF 27561 — Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) [DRAFT]



“This document describes a model and method to operationalize ISO/IEC 29100 privacy principles into sets of controls and functional capabilities: the method is described as a process following ISO/IEC/IEEE 24774; it is designed for use with other standards and privacy guidance; it supports networked, interdependent applications and systems. The document is intended for engineers and other practitioners developing systems controlling or processing PII.”
[Source: ISO/IEC JTC 1/SC 27 SD11]



The standard presents a systematic approach for engineering IT systems to satisfy privacy and personal data protection requirements, drawing on the 11 privacy principles of the ISO/IEC 29100 privacy framework and on ISO/IEC TR 27550 (privacy engineering for system life cycle processes).


Scope of the standard

The standard is intended to help ‘privacy engineers’ (or system architects or technical managers) interpret and satisfy the privacy requirements expressed in policies, laws, contracts and the like, plus those that emerge in the course of further analysis and development.


Content of the standard

Following the foreword, introduction, scope, references, abbreviations and ~50 definitions, the main clauses are:

  1. Context of privacy operationalization - background to the model and approach.
  2. Initial information inventory process - an iterative personal information inventory process including determination of the domains, processes, systems and data flows.
  3. Privacy controls, privacy control requirements, capabilities, risk assessment and iteration process - determination and documentation of the required controls, functions, mechanisms etc.
  4. Privacy capabilities - essentially the governance arrangements for addressing privacy.

   Annexes - relationships to ISO/IEC TR 27550 and ISO/IEC 29100, plus bibliography



The standard was submitted for publication as a “PRF” (the proof stage, the final step before publication) in November 2023.  It should emerge from the ISO/IEC sausage-machine soon.


Personal notes

Despite the contrived title with the neologism ‘operationalization’, the standard’s systematic, structured approach will be useful for privacy engineers.



Copyright © 2024 IsecT Ltd