ISO/IEC 27564



ISO/IEC TS 27564:2025 — Privacy protection — Guidance on the use of models for privacy engineering [first edition] (published end of October 2025)

 

Abstract

“[ISO/IEC TS 27564] provides guidance on how to use modelling in privacy engineering. It describes categories of models that can be used, the use of modelling to support engineering, and the relationships with other references, including International Standards on privacy engineering and on modelling. It provides high-level use cases describing how models are used.”
[Source: ISO/IEC TS 27564:2025]
 

Introduction

Modelling and other systems engineering approaches are useful when designing complex systems, such as IT systems plus their associated operating environments and processes.

This standard is focused on using modelling and engineering to specify, design and embed suitable privacy arrangements/controls into complex [IT] systems that handle personal information.

Determining requirements and incorporating privacy into the product lifecycle from the outset should reduce the issues that arise if privacy is neglected until later. Bolting on privacy (or security, or safety) late in the day is suboptimal, albeit still better than nothing.

 

Scope of the standard

Guidance on applying the model-based systems and software engineering (MBSSE) approach (as per ISO/IEC/IEEE 24641:2023 — Systems and software engineering — Methods and tools for model-based systems and software engineering) to design in appropriate privacy controls for complex systems using conceptual models.

 

Content of the standard

Main clauses:

  1. Engineering with models (particularly MBSSE)
  2. Privacy engineering with models (more MBSSE)
  3. Guidance on the use of privacy models (and standards)
  4. Annex: examples of using models for privacy engineering


Status

The first edition was published in October 2025.

 

Personal comments

This standard explains the use of others such as ISO/IEC/IEEE 24641, ISO/IEC 27555 (models for deletion of personal information), ISO/IEC 27556 (models for managing privacy preferences), ISO/IEC 27559 (models for de-identification) and ISO/IEC 27561 (POMME), for privacy engineering.

The systems engineering approach involves determining and taking account of the context in which a complex system is to be used, as well as the complexities within it, to develop a definitive model. The architectural model, in turn, drives a coordinated approach to the system development, with updates as things progress to keep everything aligned: in this case, aligned specifically around privacy.

It is published as a Technical Specification rather than a full International Standard, presumably because the subject matter is still in development. As such, it should (according to the ISO Directives) be reviewed within just three years of the agreed “stability date” rather than the usual five years after publication.

 

 


Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights