ISO/IEC 25642:2025

International
Standard
ISO/IEC 25642
First edition
Information technology — Data
2025-10
governance — Data collaboration
framework
Reference number
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Data collaboration fundamentals . 4
4.1 Decouple data from applications .4
4.2 Access-based collaboration over copy-based integration .4
4.3 Govern and manage data as a product .4
4.4 Enforce controls at the metadata layer .4
4.5 Create metadata-driven experiences .5
4.6 Design for enterprise composability .5
Bibliography . 6

© ISO/IEC 2025 – All rights reserved
iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by DGSI (as CAN/DGSI 100-9:2023 / Rev 1: 2024) and drafted in accordance
with its editorial rules. It was adopted, under the JTC 1 PAS procedure, by Joint Technical Committee ISO/
IEC JTC 1, Information technology.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2025 – All rights reserved
iv
Introduction
This is the first revision of the first edition of CAN/DGSI 100-9:2023 / Rev 1:2024, Data governance – Part 9:
Data Collaboration Framework.
This revised version incorporates the following amendments:
— Revised title to make it more accessible and add clarity
— Minor updates of terms and definitions to provided added clarity and plain language use
Data collaboration offers a framework for building modular solutions within a controlled data management
environment which can be applied either as stand-alone experiences or combined into advanced digital
solutions.
This data collaboration framework is designed for an audience of IT professionals facing complex data
integration challenges and is intended to accelerate digital transformation projects within organizations.
This document complements the existing International Standards on IT governance (ISO/IEC 38500) and
data governance (ISO/IEC 38505-1). It is designed to provide practical guidance for organizations including
governing bodies and management to allow them to:
— Build and control new digital capabilities that support universal data access controls.
— Eliminate point-to-point, copy-based data integration from the IT delivery process.
— Support human-to-human, human-to-system, and system-to-system collaboration on operational data.
This can include multiple AI systems.
This document is guided by the following core principles:
1. Avoid solution-specific databases (data silos) when building new IT solutions.
2. Adopt a connected or ‘networked’ data management architecture to enable the instant integration of
data from legacy and new applications.
3. Make data protection universal by embedding access controls at the metadata layer, not the application
/ code layer.
4. Automate data versioning, recoverability, lineage, and usage reporting.
The sharing and integration of data is crucial to the continued evolution of digital technology, including the
effective implementation of artificial intelligence systems.
However, the traditional approach to data sharing is a complex and risky process where information is
copied between data silos which often takes the form of application-specific databases and data stores (data
warehouses, data lakes).
The result is that control over the access to data is transferred from its rightful owner (e.g., a citizen, team
leader, or supply chain partner) to the software that manages the integration process and/or the code that
controls individual applications.
This has the following impacts in terms of data governance and data protection:
— The enforcement of uniform access controls is extremely difficult, if not impossible,
— The deletion of data (right to be forgotten/right to erasure) is extremely difficult, if not impossible,
— The porting of customer data between organizations is extremely difficult, and
— The precise reporting (auditability) of data usage is extremely difficult, if not impossible.

© ISO/IEC 2025 – All rights reserved
v
These issues pose a significant obstacle to organizations who are required to comply with increasingly strict
national and international data privacy, data protection, and AI safety regulations.
This is where the strategic need for modern data governance supported by a data collaboration framework
is most notable.
By eliminating copies from the development of new applications, data owners (e.g., customers, team leaders,
supply chain partners) can manage a single set of access controls that can be uniformly and universally
enforced.
In principle, the reduction of copies and embedding of controls enables organizations to adopt a much more
controlled approach to digital innovation that reflects how most societies protect their currency, intellectual
property, and identity of citizens.
In addition to the implications for compliance with national and international data protection legal
statements, the current copy-based approach to data integration represents a growing “innovation tax” on
organizations and a barrier to the productive collaboration on data.
Each new digital solution, whether bought or built, creates a new data silo in the form of an application-
specific database. This new silo generally requires some degree of point-to-point integration with pre-
existing applications and data stores which in turn creates a complex overhead that grows exponentially
over time.
Today, every new application requires organizations to perform more integration which is an increasingly
unproductive use of capital and resources.
In contrast, this standard for data collaboration outlines a framework for developing new digital solutions
where people and systems (including machine learning, generative AI, and computer vision systems) are able
to collaborate on organizational data that is connected across a shared data architecture. This framework
leverages modern data management architectures which are based on controlled networks of data capable
of reusing data across multiple data models in support of multiple digital solutions rather than requiring
application-specific database silos.
For developers, analysts, business users, customers, AI systems, and everyday problem-solvers working
within a data collaboration framework, the only barrier to collaboration on operational data is being granted
access to it by its rightful owner or their appointed data steward. The access permissions can include the
ability to change, delete, add, approve/reject, and query the data.
The major benefit to organizations is that they can use the data collaboration framework to eliminate the
escalating cost and compliance risk associated with application-specific databases (aka ‘data silos’ or ‘data
fragmentation’) and copy-based data integration.
The impact on the wider economy will also be significant, as access-based collaboration on data is used
to accelerate the delivery of innovations in open banking, cleantech, smart cities, and precision healthcare
without compromising data protection.
CAN/DGSI 100-9:2023 / Rev 1:2024 was prepared by the Digital Governance Standards Institute Technical
Committee 1 (TC 1) on Data Governance, comprised of over 240 thought leaders and experts in data
governance and related subjects. This Standard was approved by a Technical Committee formed balloting
group, comprised of 5 producers, 2 government / regulator / policymakers, 3 users, and 2 general interests.
All units of measurement expressed in this Standard are in SI units using the International system (SI).
This Standard is subject to technical committee review beginning no later than one year from the date of
publication. The completion of the review may result in a new edition, revision, reaffirmation or withdrawal
of the Standard. The intended primary application of this Standard is stated in its scope. It is important to
note that it remains the responsibility of the user of the Standard to judge its suitability for a particular
application.
ICS 35.020; 35.030
© ISO/IEC 2025 – All rights reserved
vi
International Standard ISO/IEC 25642:2025(en)
Information technology — Data governance — Data
collaboration framework
1 Scope
This document specifies minimum recommendations for zero-copy data integration and includes guidance
for building modular capabilities within a controlled data management environment which can be applied
either as stand-alone experiences or combined into advanced solutions.
This document provides a blueprint for IT and other leaders who rely on organizational data integrity to
perform their functions to support the build of new digital solutions with granular and universally enforced
data controls.
This document applies to all sectors, including public and private companies, government entities, and not-
for-profit organizations.
This document is not intended for non-data intensive operational roles and does not specify interfaces with
other systems or components.
NOTE 1 : This document does not define the specific people or groups who represent the rightful owner of
given data – this is to be worked out by individual organizations.
NOTE 2 to entry: This document does not force organizations into converging on a single
...