Search Results
- ISO/IEC 27557 | ISO27001security
ISO/IEC 27557:2022 — Information technology — Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management (first edition)

Abstract
ISO/IEC 27557 “provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. [ISO/IEC 27557] provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: organizational consequences of adverse privacy impacts on individuals; and organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. [ISO/IEC 27557] assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization.” [Source: ISO/IEC 27557:2022]

Introduction
This standard advises on managing privacy risks (risks relating to or arising from the processing of personal information) that could impact the organisation and/or individuals (data subjects) as an integral part of the organisation’s overall risk management. It supports the requirement for risk management specified in management systems such as ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS), plus risk management standards: ISO 31000 in particular, and also ISO/IEC 29134 and ISO/IEC 27005.

The standard distinguishes information risks (with the potential to harm the organisation directly) from privacy risks (with the potential to harm individuals directly and the organisation indirectly), emphasising the differences in the respective risk management activities. Having said that, there are clearly significant overlaps:
- ‘Personal information’ is simply a type or category of information, subject to threats to its confidentiality, integrity and availability like all other types of information;
- Many of the vulnerabilities that could lead to privacy incidents are also information security vulnerabilities;
- Many privacy-related controls are information security controls, e.g. identification and authentication, access controls, incident management, compliance enforcement and reinforcement, assurance and accountability;
- Serious privacy breaches can materially harm the organisation’s reputation and brands, damaging business relationships and prospects, while also increasing its costs through investigation and response activities, noncompliance penalties and additional investment to improve controls and prevent recurrence;
- Serious information security incidents may incidentally compromise personal information as a side-effect, and/or may harm business activities that involve personal information (e.g. if the entire IT network is out of action due to ransomware or a physical disaster, the organisation may be unable to process both business and personal information: this could have severe consequences for individuals in the case of, say, a hospital).

Scope
The standard advises using ISO 31000 “Risk management - Guidelines” to manage privacy risks, aiding the integration of privacy risks into the organisation’s overall risk management.

Structure
Main clauses:
4: Principles of organizational privacy risk management
5: Framework
6: Risk management process
Annex A: PII processing identification
Annex B: Example privacy events and causes
Annex C: Privacy impact and consequence examples
Annex D: Template showing the severity scale for privacy impacts on individuals

Status
The current first edition was published in 2022.

Commentary
When an organisation manages privacy risks, it should be protecting both its own interests and those of data subjects, in effect acting on their behalf in a custodianship role, which differs from the usual solely corporate perspective of information risk management. There is an ethical dimension that goes beyond the organisation’s self-preservation and exploitation of business opportunities, into the realm of acting in the best interests of the individuals whose personal information it handles, and society at large. The standard does not get into ethics, aside from one brief mention of ‘unethical differential treatment of individuals’ as a privacy impact.

This page last updated: 12 February 2026
- ISO/IEC 27555 | ISO27001security
ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)

Abstract
ISO/IEC 27555 “contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. ...” [Source: ISO/IEC 27555:2021]

Introduction
This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100’s “Privacy framework”.

Scope
The standard is intended for organisations that store and process PII “and other personal data”, in particular PII Controllers, who are primarily accountable for compliance with privacy laws. It does not address:
- Specific provisions in laws and contracts (although it does reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
- Specific deletion rules for particular types (“clusters”) of PII;
- Deletion mechanisms such as those for cloud storage;
- Security of the deletion mechanisms; nor
- Specific techniques for de-identification (anonymisation) of data.
Standardising the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.

Structure
Main clauses:
5: Framework for deletion
6: Clusters of PII
7: Specification of deletion periods
8: Deletion classes
9: Requirements for implementation
10: Responsibilities
~30 pages

Status
The current first edition was published in 2021. It is currently being revised, with publication of the second edition planned for mid-2027.

Commentary
The standard discusses deletion of “clusters” of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.
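The clauses on clusters of PII, deletion periods and deletion classes describe mechanics that an organisation ends up implementing as a retention and deletion schedule. The following is an added example (not from the standard or from this site) of how such a rule table can be expressed and applied: each cluster gets a trigger event that starts the retention clock, a retention period, and a deletion class used to batch deletion runs. The cluster names, trigger events, retention periods, class names and the legal-hold flag are assumptions for illustration, not the standard's own catalogue; the sample records are constructed.

```python
"""Added example, not from ISO/IEC 27555 or ISO27001security: a minimal deletion-rule
table and scheduler for PII records. Cluster names, triggers, periods, deletion-class
names and the legal-hold flag are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DeletionRule:
    cluster: str         # type (cluster) of PII the rule applies to (assumed names)
    trigger: str         # event that starts the retention clock
    retention_days: int  # how long the cluster must be kept after the trigger
    deletion_class: str  # batch label under which due records are deleted together


# Assumed rule catalogue, keyed by PII cluster.
RULES = {
    "customer_contract": DeletionRule("customer_contract", "contract_end", 10 * 365, "annual_run"),
    "marketing_consent": DeletionRule("marketing_consent", "consent_withdrawn", 30, "monthly_run"),
    "access_logs": DeletionRule("access_logs", "log_written", 90, "weekly_run"),
}


@dataclass
class PiiRecord:
    record_id: str
    cluster: str
    triggers: dict            # trigger event name -> date it occurred (absent if not yet)
    legal_hold: bool = False  # assumed: a hold suspends deletion regardless of the rule


def deletion_due(record: PiiRecord, rules=RULES):
    """Date on which the record becomes due for deletion, or None while the
    retention clock has not started because the trigger event has not occurred."""
    rule = rules[record.cluster]
    started = record.triggers.get(rule.trigger)
    if started is None:
        return None
    return started + timedelta(days=rule.retention_days)


def deletion_plan(records, today: date, rules=RULES):
    """Group the ids of records that are due by deletion class so each batch can run
    on its own schedule. Records under legal hold are reported separately rather
    than silently skipped, so the run can account for them."""
    plan = {}
    held = []
    for r in records:
        due = deletion_due(r, rules)
        if due is None or due > today:
            continue
        if r.legal_hold:
            held.append(r.record_id)
            continue
        plan.setdefault(rules[r.cluster].deletion_class, []).append(r.record_id)
    return plan, held


# Constructed sample records and reference date for the example.
TODAY = date(2026, 2, 12)
SAMPLE = [
    PiiRecord("c1", "customer_contract", {"contract_end": date(2014, 1, 1)}),
    PiiRecord("c2", "customer_contract", {}),  # contract still running: clock not started
    PiiRecord("m1", "marketing_consent", {"consent_withdrawn": date(2025, 12, 1)}),
    PiiRecord("m2", "marketing_consent", {"consent_withdrawn": date(2026, 2, 1)}),
    PiiRecord("l1", "access_logs", {"log_written": date(2025, 10, 1)}, legal_hold=True),
]

if __name__ == "__main__":
    plan, held = deletion_plan(SAMPLE, today=TODAY)
    print("due by class:", plan)
    print("due but held:", held)
```

The two cases a deletion run most often gets wrong are both handled explicitly: a record whose trigger has not happened yet has no due date at all (rather than a due date computed from some unrelated timestamp), and a record under hold is surfaced in the output instead of being deleted or dropped from the report.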
- ISO/IEC 27553-2 | ISO27001security
ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition)

Abstract
ISO/IEC 27553 part 2 “provides high-level security and privacy requirements for authentication using biometrics on mobile devices, in particular, for functional components, communication, storage and remote processing. [The standard] is applicable to remote modes, i.e. the cases where: the biometric sample is captured through mobile devices, and the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions. The following are out of scope of this document: the cases where the biometric data or derived biometric data never leave the mobile devices (i.e. local modes), the preliminary steps for biometric enrolment before authentication procedure, and the use of biometric identification as part of the authentication.” [Source: ISO/IEC 27553-2:2025]

Introduction
Part 2 provides high-level requirements for situations where biometric authentication on mobile devices involves communicating biometric data over the network to a remote authentication server.

Scope
Biometric authentication on mobile devices where biometric information is communicated between the devices and remote services via network connections, as opposed to local modes where the authentication process and data are limited to the devices. The standard is restricted to authentication, excluding enrolment and identification.

Structure
Main clauses:
5: Security and privacy considerations
6: System description
7: Information assets
8: Threat analysis
9: Security requirements and recommendations
10: Privacy considerations, requirements and recommendations
Annex A: Implementation example
Annex B: Authentication assurance and assurance level

Status
The current first edition was published in 2025.

Commentary
Involvement of remote services in the authentication process implies network data communication with associated confidentiality, integrity and availability implications, as well as risks relating to the remote storage and processing (such as aggregating, correlating and comparing biometric and other data between various remote and networked systems to glean additional information). Unlike a password, a biometric that leaks in transit or from a remote store cannot be reissued, so requirements on protecting transmitted and stored biometric data carry more weight than they would for a conventional credential. Not being a Subject Matter Expert in authentication, specifically, I am intrigued by obscure terms such as “synthesized wolf biometric samples” and “hill climbing attack”. Presumably these are covered by the numerous cited standards and familiar to authentication SMEs. It would be challenging to adopt ISO’s version of plain English for such a technical standard.
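The commentary mentions a “hill climbing attack”. As an added example (not from the standard or from this site) of what that term refers to and why the interface between a mobile client and a remote matcher matters in remote modes, the Python below simulates an attacker who can repeatedly submit probes to a matcher. When the matcher returns its raw similarity score, the attacker keeps every perturbation that raises the score and converges on an accepted probe without ever holding the real biometric; when the matcher returns only accept/reject, the same search gets no gradient and stalls. The feature-vector template model, the cosine-similarity matcher, the threshold, the step size and the query budget are all assumptions for illustration, not how any particular biometric system works.

```python
"""Added example, not from ISO/IEC 27553 or ISO27001security: a toy simulation of a
hill-climbing attack against a biometric matcher. Template model, threshold, step
size and query budget are assumptions for illustration."""
import math
import random

DIM = 32          # assumed feature-vector length of a template
THRESHOLD = 0.95  # assumed acceptance threshold on cosine similarity


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)


class Matcher:
    """Holds one enrolled template and answers probe submissions."""

    def __init__(self, template):
        self.template = template

    def score(self, probe):
        # Leaky interface: the raw similarity score is returned to the caller.
        return cosine(probe, self.template)

    def decision(self, probe):
        # Hardened interface: only accept (1.0) or reject (0.0) leaves the matcher.
        return 1.0 if self.score(probe) >= THRESHOLD else 0.0


def hill_climb(oracle, rng, step=0.25, max_queries=50_000):
    """Perturb one coordinate of the probe at a time and keep any change the oracle
    rates higher. Returns (best_value, queries_used, accepted)."""
    probe = [rng.gauss(0.0, 1.0) for _ in range(DIM)]  # attacker starts from noise
    best = oracle(probe)
    queries = 1
    while best < THRESHOLD and queries < max_queries:
        candidate = probe[:]
        candidate[rng.randrange(DIM)] += rng.gauss(0.0, step)
        value = oracle(candidate)
        queries += 1
        if value > best:  # with a binary oracle this only fires on a lucky accept
            best, probe = value, candidate
    return best, queries, best >= THRESHOLD


def run_demo(seed=7):
    """Attack the same enrolled template through both interfaces from the same
    starting probe and return both outcomes."""
    rng = random.Random(seed)
    template = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    matcher = Matcher(template)
    leaky = hill_climb(matcher.score, random.Random(seed + 1))
    binary = hill_climb(matcher.decision, random.Random(seed + 1))
    return {"leaky": leaky, "binary": binary}


if __name__ == "__main__":
    for name, (best, queries, accepted) in run_demo().items():
        print(f"{name:6s} accepted={accepted} best={best:.3f} queries={queries}")
```

The practical lesson is the one a threat analysis of remote modes has to capture: a remote matcher that exposes scores, timing or partial results to the client turns every authentication attempt into a measurement, and rate limiting alone only slows the search down. Returning a bare decision, capping attempts per enrolled identity and keeping score computation on the server side remove the gradient the attacker needs.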
- ISO/IEC 27551 | ISO27001security
ISO/IEC 27551:2021 — Information security, cybersecurity and privacy protection — Requirements for attribute-based unlinkable entity authentication (first edition)

Abstract
ISO/IEC 27551 “provides a framework and establishes requirements for attribute-based unlinkable entity authentication (ABUEA).” [Source: ISO/IEC 27551:2021]

Introduction
Attribute-Based Unlinkable Entity Authentication is a mechanism for authenticating an entity to a verifier on the basis of attributes (for instance, that the entity holds a particular membership or is above a given age) vouched for by a mutually-trusted third party, without revealing the entity’s identity. ‘Unlinkable’ means that separate authentication transactions by the same entity cannot be linked to each other, or back to that entity, by the verifier or by colluding verifiers, beyond whatever the disclosed attributes themselves reveal.

Scope
The standard describes a framework and requirements for ABUEA - a way of avoiding the privacy leakage that can occur when (for instance) we use Internet sites, providing different information to each one or on each occasion, giving the possibility of linking our disparate disclosures back to us, specifically.

Structure
Main clauses:
5: General objectives of attribute-based entity authentication
6: Properties of attribute-based entity authentication protocols
7: Unlinkability properties of attribute-based entity authentication protocols
8: Attributes
9: Requirements for level N attribute-based unlinkable entity authentication
Annex A: Formal definitions for security and unlinkability notions
Annex B: Examples of attribute-based entity authentication protocols
Annex C: ABUEA with OpenID & FIDO
Annex D: Use cases for attribute-based unlinkable entity authentication

Status
The current first edition was published in 2021.

Commentary
It would be a challenge to rewrite this standard in accordance with ISO’s version of plain English, given such a deep dive into the technology.
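As an added illustration (not from the standard or from this site) of the linkability problem described in the Scope paragraph above, the Python below contrasts a global identifier presented to every site with per-verifier pairwise pseudonyms derived by HMAC from a user-held secret. It is deliberately not an ABUEA protocol: whoever holds the master secret can still link everything, and no attributes are proved. It only shows what two colluding verifiers can learn by joining their records in each scheme. The user and verifier names are constructed.

```python
"""Added example, not from ISO/IEC 27551 or ISO27001security: pairwise pseudonyms
versus a global identifier, seen from the viewpoint of two colluding verifiers.
User names, verifier names and secrets are constructed."""
import hashlib
import hmac
import secrets


def pairwise_pseudonym(master_secret: bytes, verifier_id: str) -> str:
    """Stable per-verifier identifier: the same user at the same verifier always gets
    the same value, while values for different verifiers are computationally
    unrelated, so they cannot be joined without the secret."""
    return hmac.new(master_secret, verifier_id.encode(), hashlib.sha256).hexdigest()[:32]


def linkable_users(records_a, records_b):
    """What two verifiers learn by joining their records on the presented identifier:
    the identifiers that both of them have seen."""
    return set(records_a) & set(records_b)


def run_demo():
    # Constructed users; in practice the secret would live in the user's authenticator.
    users = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    verifiers = ["shop.example", "forum.example"]

    # Global identifier scheme: every verifier sees the same value for a given user.
    global_ids = {v: [name for name in users] for v in verifiers}
    # Pairwise scheme: every verifier sees a different value for a given user.
    pairwise_ids = {v: [pairwise_pseudonym(s, v) for s in users.values()] for v in verifiers}

    return {
        "global_linked": linkable_users(global_ids["shop.example"], global_ids["forum.example"]),
        "pairwise_linked": linkable_users(pairwise_ids["shop.example"], pairwise_ids["forum.example"]),
        # The pseudonym is still stable for repeat visits to the same verifier.
        "stable": pairwise_pseudonym(users["alice"], "shop.example") == pairwise_ids["shop.example"][0],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The stable-but-unlinkable property is the same one FIDO obtains by generating a separate key pair per relying party, which is presumably why Annex C pairs ABUEA with OpenID and FIDO. What this simplification lacks, and what the standard's unlinkability notions additionally demand, is protection against the issuer of the credential itself, which here still knows every pseudonym.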
- ISO/IEC 27553-1 | ISO27001security
ISO/IEC 27553-1:2022 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: local modes (first edition)

Abstract
ISO/IEC 27553 part 1 “provides high-level security and privacy requirements and recommendations for authentication using biometrics on mobile devices, including security and privacy requirements and recommendations for functional components and for communication. [The standard] is applicable to the cases that the biometric data and derived biometric data do not leave the device, i.e. local modes.” [Source: ISO/IEC 27553-1:2022]

Introduction
This multi-part standard provides high-level requirements for biometric authentication on mobile devices, including functional components and communications. Biometrics are increasingly used for user authentication on mobile devices. They are easier to use and harder to steal or fake than conventional passwords and tokens, although, unlike a password, a biometric that has been compromised cannot simply be replaced, which is why protection of the stored reference data matters. However, proliferating devices and approaches are fragmenting the market, hence standardization offers advantages for users and manufacturers.

Scope
Biometric authentication on mobile devices. Part 1 applies where the user of a mobile ICT device such as a smartphone or tablet PC biometrically authenticates directly to the device, such as when logging on to unlock the device, access stored data and run mobile apps. Although the outcome of biometric authentication may be used elsewhere (e.g. in cloud or corporate server apps), this standard specifically concerns risks to and protection of the biometrics on the device itself (e.g. fingerprints). The standard references ISO/IEC 24745:2022 “Biometric information protection”.

Structure
Main clauses:
5: Security challenges
6: System description
7: Information assets
8: Threat analysis
9: Security requirements and recommendations
10: Privacy considerations
Annex A: Implementation example
Annex B: Security issues related to communication between agents and servers for authentication using biometric on mobile devices
Annex C: An example of authentication assurance and assurance levels

Status
The current first edition was published in 2022.

Commentary
As a generic standard, part 1 addresses commonplace information risks that typically arise in relation to biometrics on mobiles. In practice, we should manage (identify, evaluate, treat and monitor) the actual information and privacy risks in real-world situations, including any that are not explicitly identified and accurately described in this standard. That is context-dependent - for instance, the information risks relating to my biometrics on my cellphone are broadly similar but not entirely the same as, say, the king’s or yours, not least because the impacts of any incidents would probably be materially different. Aside from the security and privacy implications arising, there may also be different assurance requirements relating to biometric authentication. The consequences of someone accessing my smartphone without authorisation are rather different in the case of the president's.
- ISO/IEC TR 27550 | ISO27001security
ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes (first edition)

Abstract
ISO/IEC TR 27550 “provides privacy engineering guidelines that are intended to help organisations integrate recent advances in privacy engineering into system life cycle processes. ...” [Source: ISO/IEC TR 27550:2019]

Introduction
‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

Scope
This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

Structure
Main clauses:
5: Privacy engineering
6: Integration of privacy engineering in ISO/IEC/IEEE 15288
Annex A: Additional guidance for privacy engineering objectives
Annex B: Additional guidance for privacy engineering practice
Annex C: Catalogues
Annex D: Examples of risk models and methodologies
The standard:
- Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.;
- Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;
- Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;
- Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

Status
The current first edition was published as a Technical Report in 2019.

Commentary
The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not limited to the technology.
- ISO/IEC 27503 | ISO27001security
ISO/IEC 27503 — Privacy and security guidelines on intelligent travel services [PWI pre-draft]

Abstract
...

Introduction
...

Scope
...

Structure
...

Status
Preliminary Work Item in 2026.

Commentary
ISO/IEC JTC 1/SC 27/WG 5 is studying the information security and privacy aspects of 'intelligent travel services'. It seems to be referring to Uber and the like i.e. ride-sharing schemes for road travel but I'm definitely not sure about that.
- ISO/IEC 27404 | ISO27001security
ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [first edition]

Abstract
ISO/IEC 27404 “defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products. It provides requirements and includes guidance on the following topics: Risks and threats associated with consumer IoT products; Stakeholders, roles and responsibilities; Relevant standards and guidance documents; Conformity assessment; Labelling issuance and maintenance; Mutual recognition. [ISO/IEC 27404] is limited to consumer IoT products, such as: IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers; wearable devices; connected smoke detectors, door locks and window sensors; connected home automation and alarm systems; connected appliances, such as washing machines and fridges; smart home assistants; and connected children’s toys and baby monitors. Products that are not intended for consumer use are excluded from this standard. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes. [ISO/IEC 27404] is applicable to consumers, developers, issuing bodies of cybersecurity labels and conformity assessment bodies.” [Source: ISO/IEC 27404:2025]

Introduction
Although cybersecurity is seldom promoted as a feature of consumer-oriented IoT devices (things), it can be important. Inconsistent and unclear cybersecurity labelling does not help consumers appreciate their security and privacy objectives, nor evaluate and select things accordingly. Standardising the cybersecurity labelling of things is intended to improve consistency across the global market, increase consumer awareness and promote better cybersecurity designs.

Scope
The standard concerns consumer-grade (retail) things, as opposed to business, industrial, engineering, medical, scientific or mil-spec things (whose cybersecurity requirements and features/capabilities are more likely to be specified in detail). It covers cybersecurity and privacy but excludes safety aspects.

Structure
Main clauses:
5: Overview of cybersecurity labelling for consumer IoT
6: International alignment through a cybersecurity labelling framework
7: Requirements and guidance for the components of the cybersecurity labelling framework for consumer IoT
8: Requirements and guidance for labelling issuance and maintenance for consumer IoT
Annex A: Types and features of cybersecurity labels
Annex B: Illustrative examples of multi-level labelling schemes
Annex C: Illustrative examples of binary labelling schemes
Annex D: Determination of equivalency among labelling schemes
Annex E: Examples of cybersecurity baseline provisions
Annex F: Examples of secure-by-design provisions
Annex G: Examples of privacy assessment requirements

Status
The current first edition was published in 2025.

Commentary
Singapore standard TR 91:2021 Cybersecurity labelling for consumer IoT formed the original basis or donor content for this standard, with editorial changes to suit the more formal ISO/IEC style.
- ISO/IEC 27403 | ISO27001security
ISO/IEC 27403:2024 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics (first edition)

Abstract
ISO/IEC 27403 “provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.” [Source: ISO/IEC 27403:2024]

Introduction
“Domotics” was originally known as home automation or “smart homes”, where the domicile or home is described as “The private, hence highly customizable area where someone lives, alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.” Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.

Scope
This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics rather than the “users” (consumers/retail customers). It covers the information security and privacy aspects of device-device interactions (e.g. hubs and subsystems) as well as human-device interactions, device-sensors/actuators that physically interact with the home, and networking both within the home and beyond (e.g. via Internet gateways).

Structure
Main clauses:
5: Overview of the stakeholders (IoT device manufacturers, service providers, regulatory authorities and users), the lifecycles for IoT domotics developers, service providers and users, an architectural reference model, and an introduction to the ‘security’ (meaning cybersecurity) and privacy aspects.
6: Risk assessment guidelines covering cybersecurity and privacy risks (referring to eight other standards!).
7: ‘Security’ and privacy controls.
Annex A: Use cases - six examples of the principles in action.
Annex B: ‘Security’ and privacy concerns of various stakeholders with differing perspectives.
Annex C: Stakeholders’ security and privacy responsibilities.
Annex D: ‘Security measures’ (cybersecurity and privacy controls) for various IoT domotics devices.

Status
The current first edition was published in 2024.

Commentary
Whereas “IoT” is a common abbreviation, “domotics” is a neologism derived from domus (Latin for house) and robotics. Rather than simply recommending a bunch of controls, the standard describes typical information [security and privacy] risks relating to domotics and recommends information security controls to mitigate them, making this a risk-based ISO27k standard. Sounds good in theory, although strictly speaking several of the ‘risks’ described in the standard are in fact weak or missing controls, not risks. Information risks provide the rationale, context or basis for the controls. Helping readers identify and consider the information risks should give them a better appreciation of what the information security controls are meant to achieve - the control objectives. The risks and the controls in the standard are examples to stimulate readers into considering the risks and control objectives in their particular contexts.

Challenges (risks) in the home environment include:
- Limited information security awareness and competence by most people. IoT things are generally just black-boxes.
- Ad hoc assemblages of networked IT systems, including things worn/carried about the person (residents and visitors) and work things, not just things physically and permanently installed about the home (e.g. smart heating controls, door locks and cat feeders).
- Things are not [always] designed for adequate security or privacy since other requirements (such as low price and ease of use) generally take precedence.
- Finite processing and storage capacities, plus limited user interfaces, hamper or constrain their security capabilities.
- Lack of processes for managing security and privacy systematically at home. Any such activities tend to be ad hoc/informal and reactive rather than proactive.
- Informality: the home is a relatively unstructured, unmanaged environment compared to the typical corporate situation. Few domotics users even consider designing a complete system, although certain aspects or subsystems may be intentionally designed or at least assembled for particular purposes (e.g. entertainment).
- Dynamics and diversity: people, devices and services, plus the associated challenges and risks, are varied and changeable. The home is a fairly fluid environment.
- Limited ability to control who may be present in/near the home and hence may be interacting with IoT devices, e.g. adult residents plus children, owners, visitors, installers, maintenance people, neighbours, intruders ...
- Physically securing things against accidental or malicious interaction (e.g. someone reading the label with the default password, hitting the reset button, damaging or stealing the device) is difficult.
- Limited ability to manage or control IoT device and service upstream supply chains, as well as the downstream installation, configuration, use, monitoring and maintenance of devices and services, with little if any coordination among the parties.

Given their number, variety and significance, I believe conventional, structured and systematic information risk management is largely impracticable for domotics: there is way too much to do here! In accordance with the risk-based approach that underpins all the ISO27k standards, this standard prioritises some significant information risks, encouraging IoT device and service providers to play their parts - although even that is difficult since they are only providing parts of a complex and dynamic system. The bigger picture remains of concern.
- ISO/IEC 27402 | ISO27001security
ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements [first edition]

Abstract
ISO/IEC 27402 “provides baseline requirements for IoT devices to support security and privacy controls.” [Source: ISO/IEC 27402:2023]

Introduction
ISO/IEC 27400 describes commonplace information risks relevant to consumer and industrial IoT devices (things) plus the associated network/cloud services, introducing the corresponding ICT security and privacy controls for manufacturers and users. In practice, however, as insecure things have proliferated rapidly, the risks have generally increased. As an international standard, ISO/IEC 27402 is intended to ensure that all things provide at least a common set of foundational capabilities and functionality. IoT manufacturers using the suggested information risk management processes can build upon the standardised foundation, providing additional controls addressing the information risks relevant to various industrial and consumer applications.

Scope
The standard concerns basic information security and privacy controls for things.

Structure
Main clauses:
4: Overview - 1 paragraph
5: Requirements - for a cybersecurity and privacy baseline
Annex: Risk management guidance based on ISO 31000

Status
The current first edition was published in 2023.

Commentary
The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging and yet important, arguably essential. Rapid innovation and intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard and ISO) ... unless a sufficient proportion of industrial and general consumers start inquiring about the security and privacy controls for IoT, voting with their budgets and wallets.

The approach taken is to specify only a few fundamental information security and privacy controls in this ‘horizontal’ baseline standard (such as an information risk management process involving the identification, evaluation and treatment of information risks), with the intention of developing further standards specifying additional requirements for particular industry ‘verticals’, building on the generic baseline. It is anticipated that additional security controls will be required and defined in further standards for specific applications (e.g. for medical or vehicular things).

Noticeably absent from SC 27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee has thus far focused on getting appropriate security and privacy controls specified. As the controls are gradually designed and integrated into things (hopefully!), advice on the associated operational aspects may yet follow (possibly!).
