Search Results


  • ISO/IEC 27566-2 | ISO27001security

    ISO/IEC 27566-2 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 2: Technical approaches and guidance for implementation [PROPOSAL]

    Abstract
    ISO/IEC 27566 part 2 "describes different technical approaches suitable in different ecosystems for age assurance systems and guidance for their implementation." [Source: PROPOSAL]

    Introduction
    ISO/IEC 27566 part 2 "provides technical guidance for implementing age assurance systems in a consistent and modular manner. It supports the practical application of the framework defined in Part 1 by identifying technical components, implementation approaches, and context-specific trade-offs. This enables privacy-respecting, effective, and policy-aligned age assurance across diverse digital and physical environments." [Source: Preliminary Work Instruction] Part 2 bridges between the foundational concepts in part 1 and the analytical approaches in part 3.

    Scope
    ISO/IEC 27655 part 2 "includes guidance for considering the characteristics of various approaches and for making trade-offs when selecting approaches for different users, actors and use cases. The document describes different technical approaches suitable in different ecosystems for the implementation of age assurance systems or of age assurance components" [Source: Preliminary Work Instruction]

    Structure
    Main sections [from initial draft]:
    5: Principles carried forward from part 1
    6: Relating context of use to implementation choices
    7: Major contexts of use
    8: Selecting components
    9: Specifying requirements for procurement
    10: Documenting operational practice statements and evidence
    Annex A: Commonalities of age assurance methods and interaction models
    Annex B: Common concerns related to common sub-contexts of use
    Annex C: Enrolment, user account management, and wallet management
    Annex D: Relationship to part 3
    Annex E: Examples of trade-off choices during design of age assurance systems
    Annex F: Examples of practice statements

    Status
    Part 2 is at first Working Draft stage.

    Commentary
    'Context of use' refers - I think - to the particular business situation in which some form of age assurance is needed. Since these vary, the standard explains how to identify, determine and evaluate the relevant requirements and parameters driving the design of the age assurance approach, e.g. how important is assurance to verify a person's true age? It then offers guidance on how to go about satisfying the requirements by selecting and implementing appropriate age assurance methods and technologies.

    This page last updated: 19 November 2025

  • ISO/IEC 27040 | ISO27001security

    ISO/IEC 27040:2024 — Information technology — Security techniques — Storage security (second edition)

    Abstract
    ISO/IEC 27040:2024 "provides detailed technical requirements and guidance on how organizations can achieve an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection of data both while stored in information and communications technology (ICT) systems and while in transit across the communication links associated with storage. Storage security includes the security of devices and media, management activities related to the devices and media, applications and services, and controlling or monitoring user activities during the lifetime of devices and media, and after end of use or end of life. Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information or storage security, storage operation, or who are responsible for an organization's overall security programme and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security. [ISO/IEC 27040:2024] provides an overview of storage security concepts and related definitions. It includes requirements and guidance on the threats, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other international standards and technical reports that address existing practices and techniques that can be applied to storage security." [Source: ISO/IEC 27040:2024]

    Introduction
    Information deserves to be adequately protected while in storage, as well as when created, communicated, processed, used and disposed of. The standard guides the purchasers and users of data storage technologies to determine and treat the associated information risks.

    Scope
    The standard concerns the security of data storage devices and media, security of management activities related to the devices and media, applications/services, and end-users, in addition to security of the information being transferred across the communication links associated with storage. The standard describes information risks associated with data storage, and controls to mitigate the risks. It aims to:
    - Draw attention to common risks associated with the confidentiality, integrity and availability of information on various data storage technologies;
    - Encourage organisations to improve their protection of stored information using suitable information security controls; and
    - Improve assurance, for example by facilitating reviews or audits of the information security controls protecting stored data.
    The information security issues associated with backup/disaster recovery locations and cloud storage are covered, as well as those associated with primary/local storage on a variety of data storage technologies, media and subsystems (e.g. DAS, SAN, NAS, CAS, FC and OSD). Media sanitisation (destruction of data stored on various computer storage media) is also covered. The standard is unusually detailed. It mentions a number of specific storage technologies, which is also unusual for the ISO27k standards that are mostly generic and hence timeless.

    Structure
    Main sections:
    6: Overview and concepts
    7: Organizational controls for storage
    8: People controls for storage
    9: Physical controls for storage
    10: Technological controls for storage
    Annex A: Storage security controls summary

    Status
    The first edition was published in 2015. The second edition was published in 2024.

    Commentary
    Resilience aspects of digital storage are covered in the standard - an important information security concept that (in my considered opinion) deserves much more emphasis throughout ISO27k. After all, information security involves protecting/ensuring the availability of important and valuable information, information technologies and information services, right?

  • ISO/IEC 27555 | ISO27001security

    ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion (first edition)

    Abstract
    ISO/IEC 27555 "contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. ..." [Source: ISO/IEC 27555:2021]

    Introduction
    This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100's "Privacy framework".

    Scope
    The standard is intended for organisations that store and process PII "and other personal data", in particular PII Controllers who are primarily accountable for compliance with privacy laws. It does not address:
    - Specific provisions in laws and contracts (although it does reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
    - Specific deletion rules for particular types ("clusters") of PII;
    - Deletion mechanisms such as those for cloud storage;
    - Security of the deletion mechanisms; nor
    - Specific techniques for de-identification (anonymisation) of data.
    Standardising the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.

    Structure
    Main sections:
    5: Framework for deletion
    6: Clusters of PII
    7: Specification of deletion periods
    8: Deletion classes
    9: Requirements for implementation
    10: Responsibilities
    ~30 pages

    Status
    The current first edition was published in 2021. It is now being revised, with publication of the second edition planned for mid-2027.

    Commentary
    The standard discusses deletion of "clusters" of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.

  • ISO/IEC 27033-6 | ISO27001security

    ISO/IEC 27033-6:2016 Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access (first edition)

    Abstract
    ISO/IEC 27033 part 6 "describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in [part 6] is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033-2. Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of security for any organization's wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks." [Source: ISO/IEC 27033-6:2016]

    Introduction
    This is a generic wireless network security standard offering basic advice for WiFi, Bluetooth, 3G and other wireless networks.

    Scope
    Risks, design techniques and control issues for securing IP wireless networks. Relevant to those involved in the detailed planning, design and implementation of security for wireless networks (e.g. network architects and designers, network managers and network security admins).

    Structure
    Main sections:
    6: Overview
    7: Security threats
    8: Security requirements
    9: Security controls
    10: Security design techniques and considerations
    Annex A: Technical description of threats and countermeasures

    Status
    The current first edition of part 6 was published in 2016 and confirmed unchanged in 2021.

    Commentary
    The standard uses the term "wire line network", more commonly known as a wired network. The standard repeatedly refers to "access network", a curious term that is not defined (aside from Radio Access Network). It seems to mean "network" but, without a definition, we cannot be sure. The standard indicates that encryption is an integrity control, whereas normally other cryptographic controls and protocols provide the integrity functions, while encryption provides confidentiality. Similarly to Part 7, this part lists a number of "threats" which are, in fact, attack modes or incident scenarios. The list would, I feel, have been more useful if the standard systematically addressed each of them, explaining how certain controls mitigate them. It doesn't.

  • ISO/IEC 27046 | ISO27001security

    ISO/IEC 27046 — Information technology — Big data security and privacy — Implementation guidelines [DRAFT]

    Abstract
    ISO/IEC 27046 "aims to analyze key challenges and risks of big data security and privacy, and propose guidelines for implementation of big data security and privacy in aspects of big data resources, and organizing, distributing, computing and destroying big data." [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

    Introduction
    This standard was intended to help organisations implement the processes described in ISO/IEC 27045 in order to ensure the security and privacy of big data.

    Scope
    The standard may "address the key challenges and risks of big data security and privacy", providing guidance on how to:
    - [Identify and] grade [evaluate?] big data security and privacy risks;
    - Deploy [implement, use and manage] and maintain security and privacy controls [and other risk treatments?];
    - Validate and verify big data security and privacy arrangements [to gain assurance].
    The audiences include: "software and hardware providers to securely construct a big data framework"; "application operators [service providers??] to securely maintain a big data framework"; "data providers and consumers to securely realize big data functions [??]"; "industry to improve robustness and efficiency at the ecosystem level [??] to improve compatibility and inter-operation, to diversify choices of security products and to reduce redundant cost on security". [from the 4th Working Draft]. ISO/IEC 20547-4 "Information technology - Big data reference architecture - Part 4: Security and privacy" is cited as a normative (essential) reference.

    Structure
    The standard may guide big data security and privacy planners, managers, implementers, operators and auditors through a lifecycle sequence of big data:
    - Collection - data are amassed from internal/corporate and external systems;
    - Transmission - data pass between networks;
    - Storage - stored in massive database systems, perhaps in the cloud;
    - Processing - manipulating and analysing big data to gain useful insight;
    - Exchange - information passes between organisations; and
    - Destruction - securely and permanently destroying big data.
    The applicable information security and privacy controls vary across the lifecycle, and are described succinctly in the standard through a set of action-oriented statements (e.g. in the big data transmission stage, one control is to "check the integrity of the transmitted data", with no further guidance about why that may be important nor how to do it). In effect, the standard is a generic checklist of suggested/potential controls to consider, adapt and adopt.

    Status
    The standard development project commenced in 2019 and reached Committee Draft stage before being halted due to the rebooting of the ISO/IEC 27045 project in 2023, returning to the Preliminary Work Item stage. It is unlikely to surface before ISO/IEC 27045 is published in 2027 - so maybe 2028?

    Commentary
    The definition of 'big data' in the draft standard did not (in my personal, rather jaundiced and cynical opinion) reflect its widespread use in the IT industry at present, mostly because of the vagueness of 'extensive', which is essentially synonymous with, and adds little clarity to, plain 'big'. I find Wikipedia more helpful, e.g.: "Current usage of the term big data tends to refer to the use of predictive analytics, user behavior analytics, or certain other advanced data analytics methods that extract value from data, and seldom to a particular size of data set. "There is little doubt that the quantities of data now available are indeed large, but that's not the most relevant characteristic of this new data ecosystem." Analysis of data sets can find new correlations to "spot business trends, prevent diseases, combat crime and so on." Scientists, business executives, practitioners of medicine, advertising and governments alike regularly meet difficulties with large data-sets in areas including Internet searches, fintech, urban informatics, and business informatics. Scientists encounter limitations in e-Science work, including meteorology, genomics, connectomics, complex physics simulations, biology and environmental research." For me, one of the defining characteristics of big data is that typical (mostly relational) database management systems struggle or are unable to cope with the complexity and dynamics/volatility of truly massive data sets. Beyond the limits of their scalability, conventional architectures experience constraints and failures, no matter how much raw CPU power is thrown at the problems. That implies the need for fundamentally different approaches and, I rather suspect, entails novel information risks and hence security/privacy controls. However, it remains to be seen what this standard will actually address in practice: this is cutting-edge stuff. I'm not sure how this standard will differ from and add value to the existing standard ISO/IEC 20547-4:2020. The draft standard is not explicitly risk-driven: as shown above with a big data transmission control example, it simply recommends a bunch of security and privacy controls without clarifying the "key challenges and [information] risks" they are intended to mitigate - hence users of the standard may not appreciate their relative importance and relevance to the business, or to relevant compliance obligations and conformity requirements.

  • ISO/IEC 27574 | ISO27001security

    ISO/IEC 27574 Information security, cybersecurity and privacy protection — Privacy in brain computer interface (BCI) applications [PROPOSAL]

    Abstract
    [ISO/IEC 27574] "provides requirements and guidelines on privacy for brain computer interface applications. It provides privacy controls specific to brain computer interface applications to address the privacy risks based on the principles described in ISO/IEC 29100 and ISO/IEC 27701." [Source: Preliminary Work Item/initial draft]

    Introduction
    'Brain-Computer Interface' refers to cutting-edge telepathic technologies such as brain implants allowing users to control smart prosthetic devices and receive information from sensors and systems directly back into their brains. If approved, this standards project intends to focus on the privacy aspects of such intimate biotech connections, for example the potential for adversaries to intercept and exploit sensitive personal data communications.

    Scope
    The project intends to focus on the privacy aspects of the intimate Brain-Computer Interface, begging questions about broader information security aspects.

    Structure
    Main sections [from the initial draft]:
    5: Classification of BCI
    6: Processing of neuro data in BCI applications
    7: Privacy risk management
    Annex A: Typical applications (use cases) of BCI
    Annex B: Threat modelling

    Status
    A standards development project was proposed to ISO/IEC JTC 1/SC 27 Working Group 5 in July 2025 but failed to gain sufficient expert commitment/support ... so the proposers tried again in November.

    Commentary
    Addressing privacy at the early stages of such technological developments is a nice example of 'security by design', particularly if the project is able to offer constructive guidance to this nascent field on how to treat the associated information risks (ideally, not just privacy risks!).

  • ISO/IEC 27033-3 | ISO27001security

    ISO/IEC 27033-3:2010 Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — threats, design techniques and control issues (first edition)

    Abstract
    ISO/IEC 27033 part 3 "describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents. The information in ISO/IEC 27033-3:2010 is for use when reviewing technical security architecture/design options and when selecting and documenting the preferred technical security architecture/design and related security controls, in accordance with ISO/IEC 27033-2. The particular information selected (together with information selected from ISO/IEC 27033-4 to ISO/IEC 27033-6) will depend on the characteristics of the network environment under review, i.e. the particular network scenario(s) and 'technology' topic(s) concerned. Overall, ISO/IEC 27033-3:2010 will aid considerably the comprehensive definition and implementation of security for any organization's network environment." [Source: ISO/IEC 27033-3:2010]

    Introduction
    Using a set of 'reference scenarios' (worked examples), part 3 demonstrates how to identify, evaluate and treat typical information risks in the networking security context.

    Scope
    Part 3 is intended to "define the specific risks, design techniques and control issues associated with typical network scenarios" [Source: ISO/IEC 27033-1].

    Structure
    Main sections:
    7: Internet access services for employees
    8: Business to business services
    9: Business to customer services
    10: Enhanced collaboration services
    11: Network segmentation
    12: Networking support for home and small business offices
    13: Mobile communication
    14: Networking support for travelling users
    15: Outsourced services
    Annex A: An Example Internet Use Policy
    Annex B: Catalogue of Threats

    Status
    The current first edition of part 3 was published in 2010 and confirmed unchanged in 2018.

    Commentary
    Discusses threats, specifically, rather than all the elements of risk. Refers to other parts of ISO/IEC 27033 for more specific guidance.

  • ISO/IEC TS 27568 | ISO27001security

    ISO/IEC TS 27568 — Security and privacy of digital twins [PROPOSAL]

    Abstract
    ??

    Introduction
    Digital twins are essentially analogues, realistic models of real-world situations used for various purposes.

    Scope
    The standard will address the security and privacy implications of digital twins, supporting other digital twinning standards as the field develops at pace.

    Structure
    ??

    Status
    Currently (2025) at Preliminary Work Item stage. Publication of the Technical Specification is planned for 2028.

    Commentary
    Blank look

  • ISO/IEC 27019 | ISO27001security

    ISO/IEC 27019:2024 — Information security, cybersecurity and privacy protection — Information security controls for the energy utility industry (second edition)

    Abstract
    ISO/IEC 27019 "provides information security controls for the energy utility industry, based on ISO/IEC 27002:2022, for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
    - central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
    - digital controllers and automation components such as control and field devices or programmable logic controllers (PLCs), including digital sensor and actuator elements;
    - all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
    - communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote-control technology;
    - Advanced metering infrastructure (AMI) components, e.g. smart meters;
    - measurement devices, e.g. for emission values;
    - digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
    - energy management systems, e.g. for distributed energy resources (DER), electric charging infrastructures, and for private households, residential buildings or industrial customer installations;
    - distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
    - all software, firmware and applications installed on above-mentioned systems, e.g. distribution management system (DMS) applications or outage management systems (OMS);
    - any premises housing the abovementioned equipment and systems;
    - remote maintenance systems for abovementioned systems." [Source: ISO/IEC 27019:2024]

    Introduction
    This standard is intended to help organisations in "the energy utility industry" (such as conventional/non-nuclear electricity generators, plus suppliers of gas, oil and heating) to interpret and apply ISO/IEC 27002 in order to secure their industrial process control systems, i.e. their Operational Technology as opposed to Information Technology.

    Scope
    Information security management presents fundamentally the same risk management challenges in all contexts, but the real-time nature of process control systems plus their associated safety and environmental criticality make some aspects particularly challenging for energy utilities. The standard therefore provides additional, more specific guidance on information security controls than the generic advice provided by ISO/IEC 27002, tailored to the specific context of process control systems used by energy utilities for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.
    Note: given its unique risks, the scope of ISO/IEC 27019 explicitly excludes process control in nuclear facilities. See instead (for example) IEC 63096 "Nuclear power plants - Instrumentation, control and electrical power systems - Security controls".

    Structure
    ISO/IEC 27019 complements and must be read in conjunction with ISO/IEC 27002. It is aligned with ISO/IEC 27002:2022 but does not incorporate the content of ISO/IEC 27002. A dozen additional controls are offered for the energy sector. The standard notes in clause 0.4: "In addition to the controls provided by a comprehensive information security management system, [ISO/IEC 27019] provides additional assistance and sector-specific measures for the process control systems used by the energy utility sector, taking into consideration the special requirements in these environments. If necessary, further controls can be developed to fulfil particular requirements. The selection of controls depends upon the decisions taken by the organization on the basis of its own risk acceptance criteria, the options for dealing with the risk and the general risk management approach of the organization. NOTE National and international law, legal ordinances and regulations can apply." Other ISO27k standards are also recommended to fill in the broader context, e.g. ISO/IEC 27001 for an overarching Information Security Management System that encompasses process control/OT as well as general commercial systems, networks and processes, plus ISO/IEC 27005 concerning the management of information risk.

    Status
    A preliminary edition was published as a Technical Report in 2013 by fast-tracking the German standard DIN SPEC 27009:2012-04 based on ISO/IEC 27002:2005. The first International Standard was published in 2017, based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013, plus IEC TC 57 standards, IEC TC 65 standards (IEC 62443-2-1) and IEC SC45A standards (IEC 62645). A corrigendum to replace a stray "should" with a "shall" in the annex was published to critical acclaim in 2019. Hurrah! Crisis averted! The corrected standard was confirmed unchanged in 2022 ... but then was revised anyway to reflect the themed restructure and controls resequence of ISO/IEC 27002:2022, adding 12 suggested "ENR" controls to ISO/IEC 27022's 96. The second edition was published in 2024.

    Commentary
    The global energy industry has long had a strong safety culture, since the devastating physical impacts caused by explosions, oil and chemical spills, radioactive releases etc. are painfully apparent (Bhopal, Three Mile Island, Chernobyl, Exxon Valdez, Deepwater Horizon, Fukushima ... need we say more?). The industry also has a strong awareness of its environmental obligations both in terms of its own operations, the upstream primary industries (e.g. mining) and the downstream impacts of some of its products. Furthermore, the industry has a strong culture of physical and information security due to the substantial risks arising from:
    - Threats such as natural disasters and deliberate attacks (sabotage) from hackers, Advanced Persistent Threats, spies and spooks, terrorists, insiders, pressure groups and foreign states, as well as more mundane threats from accidents, competitors, electromechanical failures, malware/ransomware, social engineers etc.;
    - Vulnerabilities inherent in their systems and processes. Process control systems that are (in some manner) connected to, exposed to or accessible from the Internet and other networks are vulnerable to a panoply of cyber-threats, including those resulting from design flaws and bugs in software, especially if they are not well designed, managed and maintained (e.g. security patching is distinctly challenging on safety-critical systems, given the need for assurance that patches do not harm safety); and
    - Impacts, particularly limited availability and/or integrity of business- or safety-critical information leading to supply interruptions (power cuts), out-of-specification supplies (e.g. over/under-voltage supplies), safety incidents (e.g. the catastrophic release of vast amounts of energy) and environmental incidents (e.g. oil/gas/chemical leaks).
    Energy utilities, both public and private, are generally classed as part of the critical national infrastructures (e.g. under NIS 2 in Europe) due to their obvious strategic significance. With an extremely high level of automation, the energy industry relies heavily on OT, principally electronic process control systems such as Programmable Logic Controllers, Industrial Internet of Things, Industrial Control Systems and Supervisory Control And Data Acquisition, plus the associated networks and procedures, to monitor, direct and control its production activities in real time. Most of the safety-related operations in a modern plant, for example, depend heavily on networked computer systems with electronic monitoring and electrically-operated valves, switches and actuators, while manually-operated controls are often limited to specific backup or emergency override functions. Many of the monitored and controlled systems are located in physically stressful locations subject to extreme heat, pressure, corrosion and/or vibration, and some are distributed remotely, sometimes very remotely, making physical access, monitoring and access control challenging and costly. In short, the industry cannot function normally and safely without its electronic process control systems and networks, while serious, widespread or extended incidents cause severe national if not international repercussions.

  • ISO/IEC 27556 | ISO27001security

    ISO/IEC 27556:2022 — Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework (first edition)

    Abstract
    ISO/IEC 27556 "provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences." [Source: ISO/IEC 27556:2022]

    Introduction
    The standard lays out a "user-centric framework" (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations. The standard outlines a mechanism for organisations handling personal data to comply with data subjects' privacy requirements, even as those organisations share and collaborate on processing the data.

    Scope
    The standard describes a generic high-level system architecture without specifying the content and format of privacy preference information. The architecture, in turn, informs the design and implementation of IT systems handling personal information and communicating it between organisations, while managing the privacy preferences of data subjects (known as 'PII Principals' in the standard, i.e. the people whose personal information is being handled). The standard expands upon ISO/IEC 29100's "Privacy framework".

    Structure
    Main sections:
    5: User-centric framework for handling PII.
    6: Requirements and recommendations for the Privacy Preference Manager (defined as "component providing a capability allowing PII principals to express privacy preferences and a capability to monitor PII processing according to these privacy preferences" - normally an IT system component, not a person).
    7: Further considerations for the PPM in a Privacy Information Management System.
    Annex A: Use cases of PII handling based on privacy preferences
    Annex B: Identifying an actor serving as a component for each example service
    Annex C: Guidance on configuration of privacy preferences management
    Annex D: Supporting the design of a privacy preference management

    Status
    The current first edition was published in 2022.

    Commentary
    I appreciate the intent to standardise the handling and management of users' privacy consents, perhaps allowing the preferences to be shared among systems. However, given strong commercial incentives for social media and related systems and companies to exploit every scrap of personal information they can obtain, it may take even stronger pressure from regulators and legislators on behalf of private individuals to see this widely adopted in practice. So, watch this space.

© 2025 IsecT Limited 