
ISO/IEC 27574

ISO/IEC 27574 Information security, cybersecurity and privacy protection — Privacy in brain computer interface (BCI) applications

[DRAFT]

Abstract

[ISO/IEC 27574] "provides requirements and guidelines on privacy for brain computer interface applications. It provides privacy controls specific to brain computer interface applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701."

[Source: Preliminary Work Item/initial draft]

Introduction

'Brain-Computer Interface' refers to cutting-edge telepathic technologies such as brain implants allowing users to control smart prosthetic devices and receive information from sensors and systems directly back into their brains.


This standards development project under ISO/IEC JTC 1/SC 27/WG 5 is focused on the privacy aspects of such intimate biotech connections, for example the potential for adversaries to monitor/intercept and exploit sensitive personal data communications.

Scope

Judging by the proposal, it appears the project is addressing:

  • Privacy aspects of the intimate Brain-Computer Interface, rather than broader information and cyber security aspects.

  • BCI applications i.e. the software elements of 'systems' using BCI, as opposed to, say, the hardware and procedural aspects, or indeed the medical element and biotech in general. 


That's not to say those other areas won't even be mentioned, and it is very early days for this project so changes are entirely possible.

Structure

Main sections [from the initial draft]:

  • 5: Classification of Brain-Computer Interface

  • 6: Processing of neuro data in BCI applications

  • 7: Privacy risk management

  • Annex A: Typical applications (use cases) of BCI

  • Annex B: Threat modelling

Status

The proposal was accepted and the project launched in December 2025.


The standard's development project timeline allows roughly:

  • 1 year for drafting;

  • 1 year for formal committee comments and approval;

  • 1 year for finalisation ... culminating in publication at the end of 2028.

Commentary

Addressing privacy at the early stages of such technological developments demonstrates the principle of 'security by design', particularly if the project is able to offer constructive guidance to this nascent field on how to treat the associated information risks (ideally, not just privacy risks!).

This page last updated:

15 December 2025

© 2025 IsecT Limited 

 
