< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27561 — Information technology — Security techniques — Privacy operationalisation model and method for engineering (POMME) [DRAFT]

Abstract

The standard will present “a standardized model and method for selecting, composing and integrating privacy-enabling functionality across the complex ecosystem of associated systems”, involving various mechanisms providing privacy capabilities and embodying information security controls.

Introduction

The standard will present a systematic approach for engineering IT systems to satisfy privacy and personal data protection requirements, drawing on the 11 privacy principles expressed in ISO/IEC 29100 privacy framework and ISO/IEC TR 27555 privacy engineering for system lifecycle processes.

Scope of the standard

The standard will help ‘privacy engineers’ (or system architects or technical managers) interpret and satisfy the privacy requirements expressed in policies etc. plus those that emerge in the course of further analysis and development.

Content of the standard

Foreword, introduction, scope, references, abbreviations, ~50 definitions ...
 

5. Context - background to the model/approach.
6. Iterative [personal] information inventory process including determination of the domains, processes, systems and data flows.
7. Privacy risk assessment process to determine and document the required controls, functions, mechanisms etc.
8. ‘Privacy capabilities’ - essentially the governance arrangements within which privacy requirements are addressed.

Annexes - relationships to ISO/IEC TR 27550 and ISO/IEC 29100, plus bibliography

 

Status

The standard is at Committee Draft stage. ISO/IEC JTC 1/SC 27/WG 5 is responsible for this standard.

Personal notes

Despite the contrived title with the neologism ‘operationalization’, the standard’s systematic, structured approach should prove useful for ‘privacy engineers’ seeking direction.

< Previous standard      ^ Up a level ^      Next standard >