top of page

ISO/IEC TR 27550

ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes 

(first edition)

Abstract

ISO/IEC TR 27550 "provides privacy engineering guidelines that are  intended to help organisations integrate recent advances in privacy  engineering into system life cycle processes. ...”


[Source: ISO/IEC TR 27550:2019]

Introduction

‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

Scope

This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

Structure

Main sections:

  • 5: Privacy engineering

  • 6: Integration of privacy engineering in ISO/IEC/IEEE 15288

  • Annex A: Additional guidance for privacy engineering objectives

  • Annex B: Additional guidance for privacy engineering practice

  • Annex C: Catalogues

  • Annex D: Examples of risk models and methodologies


The standard:

  • Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.

  • Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;

  • Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;

  • Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

Status

The current first edition was published as a Technical Report in 2019.

Commentary

The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not limited to the technology.

This page last updated:

2 November 2025

© 2025 IsecT Limited 

 

  • Link
  • LinkedIn
bottom of page