Topic-specific policies
ISO/IEC 27561


Search this site
 
ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27561:2024 Information security, cybersecurity and privacy protection — Privacy operationalisation model and method for engineering (POMME) (first edition)

 

Abstract

“This guidance document [ISO/IEC 27561] describes a model and method to operationalize the privacy principles specified in ISO/IEC 29100 into sets of controls and functional capabilities. The method is described as a process that builds upon ISO/IEC/IEEE 24774. [ISO/IEC 27561] is designed for use in conjunction with relevant privacy and security standards and guidance which impact privacy operationalization. It supports networked, interdependent applications and systems. [ISO/IEC 27561] is intended for engineers and other practitioners developing systems controlling or processing personally identifiable information.”
[Source: ISO/IEC 27561:2024]

 

Introduction

The standard presents a systematic approach for engineering IT systems to satisfy privacy and personal data protection requirements, drawing on the 11 privacy principles expressed in ISO/IEC 29100 privacy framework plus ISO/IEC TR 27550 and ISO/IEC TR 27555 privacy engineering for system lifecycle processes.

 

Scope of the standard

The standard is intended to help ‘privacy engineers’ (or system architects or technical managers) interpret and satisfy the privacy requirements expressed in policies etc. plus those that emerge in the course of further analysis and development. It lays out a structured analytical method and model based on OASIS, emphasising functional architecture and practical implementation of privacy engineering. The process involves elaborating on privacy risks and designing controls, capabilities required plus the functions and mechanisms to deliver them.

 

Content of the standard

Following the foreword, introduction, scope, references, abbreviations and 47 definitions, the main clauses are:

  1. Context of privacy operationalization - background to the model and approach.
  2. Initial information inventory process - an iterative personal information inventory process including determination of the domains, processes, systems and data flows.
  3. Privacy controls, privacy control requirements, capabilities, risk assessment and iteration process - determination and documentation of the required controls, functions, mechanisms etc.
  4. Privacy capabilities - essentially the governance arrangements for addressing privacy.

   Annexes - mapping to ISO/IEC 29100, example and use case.

     

Status

The first edition was published in 2024.

 

Personal comments

Despite the contrived title with the neologism ‘operationalization’, the standard’s systematic, structured approach should prove useful for privacy specialists.

 

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights