- ISO/IEC 27090 | ISO27001security
ISO/IEC 27090 — Cybersecurity — Artificial Intelligence — Guidance for addressing security threats and compromises to artificial intelligence systems [DRAFT]

Abstract
ISO/IEC 27090 “addresses security threats and compromises specific to artificial intelligence (AI) systems. This document aims to provide information to organizations to help them better understand the consequences of security threats specific to AI systems, throughout their life cycle, and descriptions of how to detect and mitigate such threats. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.” [Source: ISO/IEC 27090 Draft International Standard]

Introduction
The rampant proliferation of ‘smart systems’ means ever greater reliance on automation: computers are making decisions and reacting or responding to situations that would previously have required human beings. Currently, however, the tech smarts are limited, so the systems don’t always react or behave as they should.

Scope
The standard will guide organisations on addressing security threats to Artificial Intelligence systems. It will:
Help organisations better understand the consequences of security threats to AI systems, throughout their lifecycle; and
Explain how to detect and mitigate such threats.

Structure
The standard will cover at least a dozen threats such as:
Poisoning - data and model poisoning, e.g. deliberately injecting false information to mislead and hence harm a competitor’s AI system;
Evasion - deliberately misleading the AI algorithms using carefully-crafted training inputs;
Membership inference and model inversion - methods to distinguish [and potentially manipulate] the data points used in training the system;
Model stealing - theft of the valuable intellectual property in a trained AI system/model.

For each threat, the standard will offer about a page of advice:
Describing the threat;
Discussing the potential consequences of an attack;
Explaining how to detect and mitigate attacks.
An extensive list of references will direct readers to further information including relevant academic research and more pragmatic advice, including other standards.

Status
ISO/IEC JTC1 SC27 Working Group 4 started developing this standard in 2022. The standard is now at Draft International Standard stage, due for publication in mid-2026.

Commentary
It will be disappointing if imprecise/unclear use of terminology in the draft persists in the published standard. Are ‘security failures’ vulnerabilities, control failures, events, incidents or compromises maybe? Are ‘threats’ attacks, information risks, threat agents, incidents or something else? Detecting ‘threats’ (which generally refers to impending or in-progress attacks) is seen as a focal point for the standard, hinting that security controls cannot respond to undetected attacks ... which may be generally true for active responses but not for passive, general purpose controls.

As usual with ‘cybersecurity’, the proposal and drafts focused on active, deliberate, malicious, focused attacks on AI systems by motivated and capable adversaries, disregarding the possibility of natural and accidental threats such as design flaws and bugs, and threats from within, i.e. insider threats. The standard addresses ‘threats’ (attacks) to AI that are of concern to the AI system owner, rather than threats involving AI that are of concern to its users or to third parties, e.g. hackers and spammers misusing AI systems to learn new malevolent techniques. The rapid proliferation (explosion?) of publicly-accessible AI systems during 2023 put a rather different spin on this area.

The scope excludes ‘robot wars’ where AI systems are used to attack other AI systems. Scary stuff, if decades of science fiction and cinema blockbusters are anything to go by.

The potentially significant value of AI systems in identifying, evaluating and responding to information risks and security incidents is also out of scope of this standard: the whole thing is quite pessimistic, focusing on the negatives. However, the hectic pace of progress in the AI field is clearly a factor: this standard will provide a starting point, a foundation for further AI security standards and updates as the field matures.

This page last updated: 4 December 2025
- ISO/IEC 27045 | ISO27001security
ISO/IEC 27045 — Information technology — Big data security and privacy — Guidelines for managing big data risks [DRAFT]

Abstract
ISO/IEC 27045 “provides guidance on how to navigate the threats that can arise during the big data life cycle from the various big data characteristics that are unique to big data: volume, velocity, variety, variability, volatility, veracity and value, including when using big data for the design and implementation of AI systems. [ISO/IEC 27045] can help organizations build or enhance their big data security and privacy capabilities, including when using big data in the development and use of AI systems.” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction
‘Big data’ systems present numerous information security, privacy and technological challenges due to complexity plus the sheer quantity and volatility of the data.

Scope
The standard is intended to help organisations build or enhance their information security and privacy capabilities relating to big data systems, perhaps as part of AI systems design and implementation.

Structure
Main sections:
4: Overview - a brief summary.
5: Big data - explores the information risk and security implications of big data in addition to the ‘traditional’ concerns for conventional IT systems. Describes the seven v’s.
6: Security and privacy threats and controls to big data - stepping through the seven ‘v’ characteristics of big data (volume, velocity, variety, variability, volatility, veracity and value), identifying pertinent threats and controls.
7: Big data risk management process - builds on the guidance in ISO/IEC 27005.
Annex A: maps the organisational and technological controls from clause 6 against the threats relating to the seven v’s.
Annex B: use cases.

Status
This standard was initially proposed in 2017. Having run off the rails in 2021, the drafting project re-started in 2024. It is currently at Draft International Standard stage, with national body votes due by February 24th 2026. Publication looks likely in 2026.

Commentary
The definition of ‘big data’ quoted from ISO/IEC 20456:2019 does not (in my personal, rather jaundiced/cynical opinion) reflect its widespread use in the IT industry at present: “Extensive datasets primarily in the characteristics of volume, variety, velocity, and/or variability that require a scalable architecture for efficient storage, manipulation, and analysis”. I prefer Wikipedia’s description: “Current usage of the term big data tends to refer to the use of predictive analytics, user behavior analytics, or certain other advanced data analytics methods that extract value from data, and seldom to a particular size of data set. "There is little doubt that the quantities of data now available are indeed large, but that's not the most relevant characteristic of this new data ecosystem." Analysis of data sets can find new correlations to "spot business trends, prevent diseases, combat crime and so on." Scientists, business executives, practitioners of medicine, advertising and governments alike regularly meet difficulties with large data-sets in areas including Internet searches, fintech, urban informatics, and business informatics. Scientists encounter limitations in e-Science work, including meteorology, genomics, connectomics, complex physics simulations, biology and environmental research.”

It seems to me a defining characteristic is that big data is (are!) so big that conventional database management systems are unable to cope with the complexity and dynamics/volatility, struggling to maintain integrity given so many coincident changes. Beyond the limits of their scalability, conventional architectures start to experience constraints and failures (including security control and privacy issues), no matter how much raw CPU power, network bandwidth and storage capacity is thrown at the challenge. That implies the need for fundamentally different approaches with novel information risks most likely requiring novel controls. It remains to be seen what this standard will actually recommend: this is cutting-edge stuff.

Hopefully this standard will refer to others for the low-level and relatively conventional data security and privacy controls that apply to small and medium data, focusing instead on the high-level and novel aspects and processes that are unique to big data, e.g.:
Strategic management of big data sets, big data systems etc., including governance arrangements to monitor and control the management and operational activities as a whole (e.g. overall programme as well as individual project management) and the business/strategy aspects and requirements (e.g. enormous financial investment in huge systems implies enormous expected returns);
Architecture and design of big data systems - specifically the data security and privacy aspects including information risk assessment, compliance, ethics, data aggregation, inference, interconnectivity (both within and without the organisation), access controls, metadata management and security, resilience etc.;
Operation and use of big data systems, e.g. how to classify and segregate data and functions, how to determine/define and assign access rights/permissions, what privacy and security roles and responsibilities might be appropriate;
Maintenance and support of big data systems, including their security and privacy aspects;
Capacity and performance management including the dynamics and challenges arising;
Incident management, change management and so on (adapting conventional processes for the big data environment).

Potentially, the standard could get into advanced/novel data/system security controls and privacy approaches involving artificial intelligence, instrumentation, anomaly and fraud detection, automated responses etc. ... but it looks as if the standard’s initial release will be more modest.

This page last updated: 2 December 2025
- ISO/IEC 27562 | ISO27001security
ISO/IEC 27562:2024 — Information technology — Security techniques — Privacy guidelines for fintech services (first edition)

Abstract
ISO/IEC 27562 “provides guidelines on privacy for fintech services. It identifies all relevant business models and roles in consumer-to-business relations and business-to-business relations, as well as privacy risks and privacy requirements, which are related to fintech services. It provides specific privacy controls for fintech services to address privacy risks. [ISO/IEC 27562] is based on the principles from ISO/IEC 29100, ISO/IEC 27701, and ISO/IEC 29184, the privacy impact assessment framework described in ISO/IEC 29134, and the risk management guideline described in ISO 31000. It also provides guidelines focusing on a set of privacy requirements for each stakeholder. [ISO/IEC 27562] can be applicable to all kinds of organizations such as regulators, institutions, service providers and product providers in the fintech service environment.” [Source: ISO/IEC 27562:2024]

Introduction
“Fintech” (a contraction of financial technology, formally defined by the standard as “digital innovations and technology-enabled business model innovations in the financial sector”) refers to the use of information and communications technology within the financial services industry - banking, insurance, investment etc. - in particular, for financial services delivered digitally. A significant amount of personal information is processed by fintech. Personal information is subject to an array of privacy laws and regulations as well as corporate privacy policies and ethical considerations, all of which help ensure the trustworthiness necessary to earn the trust of data subjects (customers). Modern fintech architectures increasingly involve novel technologies such as cloud-based microservices with Application Programming Interfaces, blockchain and Artificial Intelligence/Machine Learning. In addition to the usual data/IT/cyber security risks and controls, privacy concerns must also be identified, evaluated and addressed.

Scope
The standard addresses the privacy aspects of fintech.

Structure
Main sections:
5: Stakeholders and general considerations for fintech services
6: General principles applicable to fintech services
7: Actors in fintech services
8: Privacy risks to actors
9: Privacy controls for actors
10: Privacy guidelines for actors
Annex A: Purpose of collecting and processing PII
Annex B: Examples of international and regional regulations
Annex C: Example of open platform architecture for fintech service providers
Annex D: Use cases for fintech services
Annex E: List of common vulnerabilities and privacy risks
Annex F: Characteristics of AI-related PII processing for fintech services

Status
The current first edition was published in 2024.

Commentary
I am unclear whether/why the financial services technology industry requires specific guidance on privacy that is not already available in other standards, laws and regulations. What makes fintech privacy special, I wonder? Should we anticipate similar privacy standards for healthtech, govtech, agritech and othertech? Even within fintech, what about safety, information security, security generally and governance, aside from privacy? Where does it all end?

A particular concern for the already heavily-regulated financial services industry is the potential additional compliance burden if regulators start using this standard as a mandatory set of privacy control requirements. There are lots of controls in this standard, some quite complex and costly to design, implement, operate, manage and maintain. The details are devilish.

On the upside, guidance on the application of AI/ML technologies within financial services is timely.

This page last updated: 19 November 2025
- ISO/IEC 27554 | ISO27001security
ISO/IEC 27554:2024 — Information security, cybersecurity and privacy protection — Application of ISO 31000 for assessment of identity-related risk [first edition]

Abstract
ISO/IEC 27554 “provides guidelines for identity-related risk, as an extension of ISO 31000:2018. More specifically, it uses the process outlined in ISO 31000 to guide users in establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity-related risk. [ISO/IEC 27554] is applicable to the risk assessment of processes and services that rely on or are related to identity. [ISO/IEC 27554] does not include aspects of risk related to general issues of delivery, technology or security.” [Source: ISO/IEC 27554:2024]

Introduction
This standard facilitates the application of the ISO 31000 risk management guidelines to identity management, supporting or supplementing various identity management standards. It applies the ISO 31000 risk management process to establish the context and assess risk, suggesting some risk scenarios for the processes and implementations specifically involving identity-related risk.

Scope
The standard applies to the assessment, specifically, of risks associated with ‘services and transactions’ that rely on or are related to identity management, excluding risks arising generally from delivery, technology or security. It can be used in conjunction with other standards concerning controls to protect identity information. The standard succinctly explains identity-related risk definition, context and impacts. It covers the central part of the classical ISO 31000-style risk management process, excluding risk monitoring and review, and risk communication and consultation.

Structure
Main sections:
4: Principles - simply refers to the ISO 31000 principles
5: Framework - refers to the ISO 31000 approach
6: Process - refers to the ISO 31000 risk management process
7: Identity-related risk assessment
8: Identity-related context establishment
9: Identity-related risk identification
10: Identity-related risk analysis
11: Identity-related risk evaluation
12: Identity-related risk treatment - refers to ISO 31000
... with appendices on related standards on risk and identity management, and “risk impact assessment”.

Status
The current first edition was published in 2024.

Commentary
ISO 31000 remains useful, along with ISO/IEC 27005 ... begging questions about the value of another standard in this area, especially one so naively and narrowly focused.

In my jaundiced opinion, the standard misrepresents the probability element of risk, equating it to the amount of control applied rather than the predicted rate of occurrence. Conflating risk and control could be seen as a fundamental problem with the approach, confusing inherent (pre-treatment) and residual (post-treatment) risk.

Language/terminological issues (e.g. “B.1 Assessing the degree of impact of a consequence”) beg further questions. Rewriting this standard in plain English might help bring such issues into the disinfecting glare of sunlight.

The use of ‘degrees’, ‘levels’, ‘scales’ and ‘categories’ of risk, and ‘strength’ of identity-related processes (presumably controls?) indicates a subjective and qualitative approach ... and yet the standard suggests “collapsing the distinct indicators into a single combined value” at one point and for unexplained reasons presents numeric values in a ‘Plot matrix’ ... at which point I’m afraid I completely lost the plot. Repeat after me: Ordinary arithmetic is inappropriate for ordinal numbers. Ordinary arithmetic is inappropriate for ordinal numbers. Ordinary arithmetic is inappropriate for ordinal numbers. ...

This page last updated: 19 November 2025
- ISO/IEC 27050-2 | ISO27001security
ISO/IEC 27050-2:2018 — Information technology — Security techniques — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery (first edition)

Abstract
ISO/IEC 27050 part 2 “provides guidance for technical and non-technical personnel at senior management levels within an organisation, including those with responsibility for compliance with statutory and regulatory requirements, and industry standards. [Part 2] describes how such personnel can identify and take ownership of risks related to electronic discovery, set policy and achieve compliance with corresponding external and internal requirements. It also suggests how to produce such policies in a form which can inform process control. Furthermore, it provides guidance on how to implement and control electronic discovery in accordance with the policies.” [Source: ISO/IEC 27050-2:2018]

Introduction
Part 2 guides management on identifying and treating the information risks related to eDiscovery, e.g. by setting and implementing eDiscovery-related policies and complying with relevant (mostly legal) obligations and expectations. It also offers guidance on good governance for forensics work, i.e. the overarching framework or structure within which digital forensic activities take place and are managed through a controlled, repeatable and trustworthy suite of activities.

Scope
Governance and management of eDiscovery.

Structure
Main sections:
5: Electronic discovery background
6: Governance of electronic discovery
7: Management of electronic discovery
8: Risks and environmental factors
9: Compliance and review

Status
The current first edition of part 2 was published in 2018.

Commentary
Part 2 suggests a few possible metrics, although organisations are well advised to determine their own based on their objectives relating to eDiscovery, eForensics, incident management, information risks and so forth. Of all the things going on in this area, which parts and aspects are important for the business and why? What kinds of information would help management manage them? What questions are likely to need answering? Those are good clues to the metrics that would actually help, as opposed to metrics suggested by others - including ISO.

Thankfully, part 2 outlines information risks that various information security controls are intended to mitigate. However, the list of risks is incomplete; for example, it fails to mention that damage, theft, loss or some other incident affecting ESI can compromise its value and admissibility in court, potentially decimating an otherwise valid case. It's a starting point though, something worth elaborating on. Hint: metrics relating to key risks and key controls are likely to be of value to management.

This page last updated: 19 November 2025
- ISO/IEC TR 27024 | ISO27001security
ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]

Abstract
ISO/IEC TR 27024 “provides a list of national regulations that reference ISO/IEC 27001 as a requirement.” [Source: ISO/IEC JTC 1/SC 27 Committee Doc 11, May 2025]

Introduction
This Technical Report is meant to help management determine which of the ISO27k standards are recommended or required of their organisations for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.

Scope
The draft standard:
Identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards;
Explicitly concerns information security, privacy/data protection, and digitalization and electronic archiving;
Does not (explicitly) concern other areas such as governance, contracts, product quality/fitness for purpose, cryptography, digital signatures, defence, official secrets, classified information, health and safety, financial data integrity, medical records, misinformation, and more.

Structure
The central chapter contains just 18 clauses, each listing a selection of relevant laws and regulations from a different country or region (such as the EU).

Status
A Technical Report is being developed from SC 27 Standing Document 7 - an internal committee reference document. Since SD7 is mature, the standard progressed rapidly to Draft Technical Report stage and was planned for release back in 2023. Patently, however, compiling and checking details on relevant laws and regs around the globe, along with editorial changes required by ISO, have substantially delayed release. The title may become “Government and regulatory use of ISO/IEC 27001, ISO/IEC 27002 and other information security standards”. It is entering Committee Draft stage and is due to be published this year (2025).

Commentary
If this remained as a Standing Document without the formalities of becoming a standard, it would be easier, quicker and cheaper to update it as the referenced standards, laws and regs change, with the bonus of being freely available to those who need the information ... but in its infinite wisdom, the committee decided to publish (and consequently maintain) it as a Technical Report.

Taking a broad perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information. In the extreme, virtually every law involves forensic evidence with strong CIA implications. Laws and regs relating to human safety are important to protect the valuable knowledge and competencies in our heads, while those relating to mental health affect our information processing capabilities. Laws and regs on tax and financial reporting and corporate governance all have information security implications. The standard is unlikely even to mention these, reflecting its arbitrary nature.

This standards project faces a similar conundrum to ISO/IEC 27002. It would be wonderful if the standard was truly comprehensive and up-to-date and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!

This page last updated: 19 November 2025
- ISO/IEC 27050-3 | ISO27001security
ISO/IEC 27050-3:2020 — Information technology — Security techniques — Electronic discovery — Part 3: Code of practice for electronic discovery (second edition)

Abstract
ISO/IEC 27050 part 3 “provides requirements and recommendations on activities in electronic discovery, including, but not limited to, identification, preservation, collection, processing, review, analysis and production of electronically stored information (ESI). In addition, this document specifies relevant measures that span the lifecycle of the ESI from its initial creation through to final disposition. [Part 3] is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities. It is important to note that the user is expected to be aware of any applicable jurisdictional requirements.” [Source: ISO/IEC 27050-3:2020]

Introduction
Part 3 identifies requirements and offers guidance on the seven main steps of eDiscovery noted in part 1, i.e. ESI:
Identification - what information from/at a crime scene might be relevant and useful?
Preservation - starting the chain of evidence.
Collection - removing physical media etc.
Processing - forensic bit-copies.
Review - searching evidence for relevant info.
Analysis - picking out the most weighty bits for court.
Production - preparing the evidence + analysis to present in court.

Scope
The structured processes involving Electronically Stored Information.

Structure
Main sections:
5: Electronic discovery background
6: Electronic discovery requirements and guidance

Status
The first edition of part 3 was published in 2017. The second edition was published in 2020.

Commentary
Part 3 is, essentially, a basic, generic how-to-do-it guide laying out the key elements that will no doubt form the basis of many digital forensics manuals. While full-time forensics specialists have their own well-practiced procedures, training, forms, tools etc., corporate information security pros who only get involved occasionally in this area may benefit from preparing the basics to get the process started properly, even if the decision is made to call in eForensics specialists. If things get fouled up at the beginning, they are unlikely to be recoverable later on, compromising potentially valid cases.

This page last updated: 19 November 2025
- ISO/IEC 27099 | ISO27001security
ISO/IEC 27099:2022 — Information technology — Public key infrastructure — Practices and policy framework (first edition)

Abstract
ISO/IEC 27099 “sets out a framework of requirements to manage information security for Public key infrastructure (PKI) trust service providers through certificate policies, certificate practice statements, and, where applicable, their internal underpinning by an information security management system (ISMS). The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy. [ISO/IEC 27099] is also intended to help trust service providers to support multiple certificate policies ...” [Source: ISO/IEC 27099:2022]

Introduction
Since trustworthiness is an essential characteristic of any Public Key Infrastructure, strenuous efforts are required to minimise all risks that might lead to loss of trust in PKI. The standard describes the use of an ISO/IEC 27001 Information Security Management System as a PKI management framework.

Scope
ISO/IEC 27099:
Identifies information risk and security management requirements for PKI Trust Service Providers and Certification Authorities through Certificate Policies and Certification Practice Statements;
Facilitates the implementation of operational, baseline controls and practices through an ISMS, building on and generalising the financial services PKI standard ISO 21188:2018 plus ISO/IEC 9594-8, ISO/IEC 19790 and RFC 3647;
Supports the lifecycle of public key certificates used for digital signatures, authentication, or encryption key establishment and exchange;
Primarily concerns PKI systems used in contractual relationships between organisations but also covers open (public) and closed (corporate/internal) PKIs;
Is applicable to root and intermediate CAs, not just those issuing certificates directly to users.

It does not address:
Attribute certificates;
Authentication methods;
Non-repudiation requirements;
Key management protocols based on the use of public key certificates;
Blockchain - at least, not explicitly.

Structure
The ~100-page standard has 3 main clauses and 6 informative annexes:
5: introduces PKI concepts.
6: CP, CPS and their relation to ISMS.
7: CA objectives and controls, plus other requirements concerning the operation of a CA, based on the ISO/IEC 27002:2013 structure.
Annex A: Management by CP.
Annex B: Elements of a CPS (mapping to RFC 3647).
Annex C: CA key generation ceremony.
Annex D: Content and use of the CA audit journal.
Annex E: Certificate and PKI roles.
Annex F: Changes from ISO 21188.

Status
The current first edition was published in 2022.

Commentary
As with PKIs in general, this standard defines and uses 60 obscure terms of art plus 24 abbreviations, making it tough for non-specialists to comprehend - even tougher than PKI itself and cryptography in general. It is a detailed standard on an advanced, technical topic. It would take a lot of work to adopt ISO’s version of plain English.

This page last updated: 19 November 2025
- ISO/IEC 27033-5 | ISO27001security
ISO/IEC 27033-5:2013 — Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (first edition)

Abstract
ISO/IEC 27033 part 5 “gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.” [Source: ISO/IEC 27033-5:2013]

Introduction
Part 5 revised ISO/IEC 18028 part 5. It extends the IT security management guidelines of ISO/IEC TR 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations. It provides guidance for securing remote access over public networks.

Scope
Guides network administrators and technicians who plan to make use of this kind of connection, or who already have it in use and need advice on how to set it up securely and operate it securely.

Structure
Main sections:
6: Overview
7: Security threats
8: Security requirements
9: Security controls
10: Design techniques
11: Guidelines for product selection

Status
The current first edition of part 5 was published in 2013 and confirmed unchanged in 2019.

Commentary
Gives a high-level, incomplete assessment of the threats to VPNs (i.e. it mentions the threats of intrusion and denial of service but not unauthorized monitoring/interception, traffic analysis, data corruption, insertion of bogus traffic, various attacks on VPN end points, malware, masquerading/identity theft, insider threats etc., although these are mentioned or at least hinted at later under security requirements). Introduces different types of remote access including protocols, authentication issues and support when setting up remote access securely.

This page last updated: 19 November 2025
- ISO/IEC 27553-2 | ISO27001security
ISO/IEC 27553-2:2025 — Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 2: remote modes (first edition)

Abstract
ISO/IEC 27553 part 2 “provides high-level security and privacy requirements for authentication using biometrics on mobile devices, in particular, for functional components, communication, storage and remote processing. [The standard] is applicable to remote modes, i.e. the cases where: the biometric sample is captured through mobile devices, and the biometric data or derived biometric data are transmitted between the mobile devices and the remote services in either or both directions. The following are out of scope of this document: the cases where the biometric data or derived biometric data never leave the mobile devices (i.e. local modes), the preliminary steps for biometric enrolment before authentication procedure, and the use of biometric identification as part of the authentication.” [Source: ISO/IEC 27553-2:2025]

Introduction
Part 2 provides high-level requirements for situations where biometric authentication on mobile devices involves communicating biometric data over the network to a remote authentication server.

Scope
Biometric authentication on mobile devices where biometric information is communicated between the devices and remote services via network connections, as opposed to local modes where the authentication process and data are limited to the devices. The standard is restricted to authentication, excluding enrolment and identification.

Structure
Main sections:
5: Security and privacy considerations
6: System description
7: Information assets
8: Threat analysis
9: Security requirements and recommendations
10: Privacy considerations, requirements and recommendations
Annex A: Implementation example
Annex B: Authentication assurance and assurance level

Status
The current first edition was published in 2025.

Commentary
Involvement of remote services in the authentication process implies network data communication with associated confidentiality, integrity and availability implications, as well as risks relating to the remote storage and processing (such as aggregating, correlating and comparing biometric and other data between various remote and networked systems to glean additional information).

Not being a Subject Matter Expert in authentication, specifically, I am intrigued by obscure terms such as “synthesized wolf biometric samples” and “hill climbing attack”. Presumably these are covered by the numerous cited standards and familiar to authentication SMEs. It would be challenging to adopt ISO’s version of plain English for such a technical standard.

This page last updated: 19 November 2025
