iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC FDIS 29100

(Main)

Information technology — Security techniques — Privacy framework

Information technology — Security techniques — Privacy framework

ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology; defines the actors and their roles in processing personally identifiable information (PII); describes privacy safeguarding considerations; and provides references to known privacy principles for information technology. ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

Technologies de l'information — Techniques de sécurité — Cadre privé

La présente Norme internationale fournit un cadre pour la protection de la vie privée qui: — spécifie une terminologie commune relative à la protection de la vie privée; — définit les acteurs et leurs rôles dans le traitement de données à caractère personnel (DCP); — décrit les éléments à prendre en considération pour la protection de la vie privée; et — fournit des références à des principes connus de protection de la vie privée pour les technologies de l'information. La présente Norme internationale s'applique aux personnes physiques et aux organismes participant à la spécification, à la fourniture, à l'architecture, à la conception, au développement, aux essais, à la maintenance, à l'administration et à l'exploitation des systèmes ou services de technologies de l'information et de la communication dans lesquels des mesures de protection de la vie privée sont requises pour le traitement de DCP.

General Information

Status
Not Published
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Current Stage
5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date
20-Jun-2023
Completion Date
20-Jun-2023
Ref Project

Relations

Revises
ISO/IEC 29100:2011 - Information technology — Security techniques — Privacy framework
Effective Date
29-Oct-2022
Revises
ISO/IEC 29100:2011/Amd 1:2018 - Information technology — Security techniques — Privacy framework — Amendment 1: Clarifications
Effective Date
29-Oct-2022

Buy Standard

ISO/IEC FDIS 29100 - Information technology — Security techniques — Privacy framework Released:6. 06. 2023ISO/IEC FDIS 29100 - Information technology — Security techniques — Privacy framework Released:6. 06. 2023
PreviousNext
Draft
ISO/IEC FDIS 29100 - Information technology — Security techniques — Privacy framework Released:6. 06. 2023
English language
22 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
29100
ISO/IEC JTC 1/SC 27
Information technology — Security
Secretariat: DIN
techniques — Privacy framework
Voting begins on:
2023-06-20
Technologies de l'information — Techniques de sécurité — Cadre
privé
Voting terminates on:
2023-08-15
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC FDIS 29100:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC FDIS 29100:2023(E)
FINAL
INTERNATIONAL ISO/IEC
DRAFT
STANDARD FDIS
29100
ISO/IEC JTC 1/SC 27
Information technology — Security
Secretariat: DIN
techniques — Privacy framework
Voting begins on:
Technologies de l'information — Techniques de sécurité — Cadre
privé
Voting terminates on:
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/IEC FDIS 29100:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
© ISO/IEC 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO/IEC 2023
---------------------- Page: 2 ----------------------
ISO/IEC FDIS 29100:2023(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Abbreviated terms ............................................................................................................................................................................................. 4

5 Basic elements of the privacy framework................................................................................................................................. 4

5.1 Overview of the privacy framework ................................................................................................................................... 4

5.2 Actors and roles ..................................................................................................................................................................................... 5

5.2.1 General ........................................................................................................................................................................................ 5

5.2.2 PII principals .......................................................................................................................................................................... 5

5.2.3 PII controllers........................................................................................................................................................................ 5

5.2.4 PII processors ........................................................................................................................................................................ 5

5.2.5 Third parties .......................................................................................................................................................................... 5

5.3 Interactions ............................................................................................................................................................................................... 6

5.4 Recognizing PII ....................................................................................................................................................................................... 7

5.4.1 General ........................................................................................................................................................................................ 7

5.4.2 Identifiers ................................................................................................................................................................................. 7

5.4.3 Other distinguishing characteristics ............................................................................................................... 7

5.4.4 Information which is or can be linked to a PII principal ................................................................ 8

5.4.5 Pseudonymous data ......................................................................................................................................................... 8

5.4.6 Metadata .................................................................................................................................................................................... 9

5.4.7 Unsolicited PII ....................................................................................................................................................................... 9

5.4.8 Sensitive PII ............................................................................................................................................................................ 9

5.5 Privacy safeguarding requirements ................................................................................................................................ 10

5.5.1 General ..................................................................................................................................................................................... 10

5.5.2 L egal and regulatory factors ................................................................................................................................ 11

5.5.3 Contractual factors ....................................................................................................................................................... 11

5.5.4 Business factors ...............................................................................................................................................................12

5.5.5 Other factors .......................................................................................................................................................................12

5.6 Privacy policies ...................................................................................................................................................................................13

5.7 Privacy controls ........................................................................................................................................... .......................................13

6 The privacy principles of this document.................................................................................................................................14

6.1 Overview of privacy principles ............................................................................................................................................. 14

6.2 Consent and choice ........................................................................................................................................................................... 14

6.3 Purpose legitimacy and specification ............................................................................................................................. 15

6.4 Collection limitation .......................................................................................................................................................................15

6.5 Data minimization ............................................................................................................................................................................ 16

6.6 Use, retention and disclosure limitation ...................................................................................................................... 16

6.7 Accuracy and quality ..................................................................................................................................................................... 16

6.8 Openness, transparency and notice ................................................................................................................................. 17

6.9 Individual participation and access .................................................................................................................................. 17

6.10 Accountability ...................................................................................................................................................................................... 18

6.11 Information security ...................................................................................................................................................................... 19

6.12 Privacy compliance ......... ............................................................. .................................................................................................... 19

Annex A (informative) Correspondence between ISO/IEC 29100 concepts and ISO/

IEC 27000 concepts .........................................................................................................................................................................................20

Bibliography .............................................................................................................................................................................................................................21

iii
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC FDIS 29100:2023(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work.

The procedures used to develop this document and those intended for its further maintenance

are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria

needed for the different types of document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or

www.iec.ch/members_experts/refdocs).

ISO and IEC draw attention to the possibility that the implementation of this document may involve the

use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of

any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC

had not received notice of (a) patent(s) which may be required to implement this document. However,

implementers are cautioned that this may not represent the latest information, which may be obtained

from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall

not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see

www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding­standards.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 29100:2011), of which it constitutes

a minor revision. It also incorporates the Amendment ISO/IEC 29100:2011/Amd 1:2018.

The main changes are as follows:

— Clause 2 (normative references) has been added and cross­references have been updated throughout

the document;
— replaced the term "secondary use” with “secondary purpose” in Clause 3;
— bibliography has been updated.

Any feedback or questions on this document should be directed to the user’s national standards

body. A complete listing of these bodies can be found at www.iso.org/members.html and

www.iec.ch/national­committees.
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC FDIS 29100:2023(E)
Introduction

This document provides a high-level framework for the protection of personally identifiable information

(PII) within information and communication technology (ICT) systems. It is general in nature and

places organizational, technical, and procedural aspects in an overall privacy framework.

The privacy framework is intended to help organizations define their privacy safeguarding

requirements related to PII within an ICT environment by:
— specifying a common privacy terminology;
— defining the actors and their roles in processing PII;
— describing privacy safeguarding requirements; and
— referencing known privacy principles.

Due to the increasing number of information and communication technologies that process PII, it is

important to have international information security standards that provide a common understanding

for the protection of PII. This document is intended to enhance existing security standards by adding a

focus relevant to the processing of PII.

The increasing commercial use and value of PII, the sharing of PII across jurisdictions, and the growing

complexity of ICT systems, can make it difficult for an organization to ensure privacy and to achieve

compliance with the various applicable laws. Privacy stakeholders can prevent uncertainty and distrust

from arising by handling privacy matters properly and avoiding cases of PII misuse.

Use of this document will:

— aid in the design, implementation, operation, and maintenance of ICT systems that handle and

protect PII;

— spur innovative solutions to enable the protection of PII within ICT systems; and

— improve organizations’ privacy programs through the use of best practices.

The privacy framework provided within this document can serve as a basis for additional privacy

standardization initiatives, such as for:
— a technical reference architecture;

— the implementation and use of specific privacy technologies and overall privacy management;

— privacy controls for outsourced data processes;
— privacy risk assessments; or
— specific engineering specifications.
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 29100:2023(E)
Information technology — Security techniques — Privacy
framework
1 Scope
This document provides a privacy framework which:
— specifies a common privacy terminology;

— defines the actors and their roles in processing personally identifiable information (PII);

— describes privacy safeguarding considerations;
— provides references to known privacy principles for information technology.

This document is applicable to natural persons and organizations involved in specifying, procuring,

architecting, designing, developing, testing, maintaining, administering, and operating information and

communication technology systems or services where privacy controls are required for the processing

of PII.
2 Normative references
There are no normative references in this document
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
anonymity

characteristic of information that does not permit a personally identifiable information principal (3.9) to

be identified directly or indirectly
3.2
anonymization

process by which personally identifiable information (PII) (3.7) is irreversibly altered in such a way that

a PII principal (3.9) can no longer be identified directly or indirectly, either by the PII controller alone or

in collaboration with any other party
3.3
anonymized data

data that has been produced as the output of a personally identifiable information (3.7) anonymization

(3.2) process
3.4
consent

personally identifiable information (PII) principal’s (3.9) freely given, specific and informed agreement to

the processing of their PII
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC FDIS 29100:2023(E)
3.5
identifiability

condition which results in a personally identifiable information (PII) principal (3.9) being identified,

directly or indirectly, on the basis of a given set of PII
3.6
opt-in

process or type of policy whereby the personally identifiable information (PII) principal (3.9) is required

to take an action to express explicit, prior consent (3.4) for their PII to be processed for a particular

purpose

Note 1 to entry: A different term that is often used with the privacy principle "consent and choice" is “opt-out”.

It describes a process or type of policy whereby the PII principal is required to take a separate action in order

to withhold or withdraw consent, or oppose a specific type of processing. The use of an opt-out policy presumes

that the PII controller has the right to process the PII in the intended way. This right can be implied by some

action of the PII principal different from consent (e.g. placing an order in an online shop).

3.7
personally identifiable information
PII

information that (a) can be used to establish a link between the information and the natural person to

whom such information relates, or (b) is or might be directly or indirectly linked to a natural person

Note 1 to entry: The “natural person” in the definition is the PII principal (3.9). To determine whether a PII

principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy

stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural

person.
3.8
PII controller

privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing

personally identifiable information (PII) (3.7) other than natural persons who use data for personal

purposes

Note 1 to entry: A PII controller sometimes instructs others [e.g. PII processors (3.10)] to process PII on its behalf

while the responsibility for the processing remains with the PII controller.
3.9
PII principal
data subject

natural person to whom the personally identifiable information (PII) (3.7) relates

3.10
PII processor

privacy stakeholder that processes personally identifiable information (PII) (3.7) on behalf of and in

accordance with the instructions of a PII controller (3.8)
3.11
privacy breach

situation where personally identifiable information (3.7) is processed in violation of one or more relevant

privacy safeguarding requirements
3.12
privacy control

measure that treats privacy risks by reducing their likelihood or their consequences

Note 1 to entry: Privacy controls include organizational, physical and technical measures, e.g. policies,

procedures, guidelines, legal contracts, management practices or organizational structures.

Note 2 to entry: Control is also used as a synonym for safeguard or countermeasure.

© ISO/IEC 2023 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC FDIS 29100:2023(E)
3.13
privacy enhancing technology
PET

privacy control (3.12), consisting of information and communication technology (ICT) measures,

products, or services that protect privacy by eliminating or reducing personally identifiable information

(PII) (3.7) or by preventing unnecessary and/or undesired processing of PII, all without losing the

functionality of the ICT system

Note 1 to entry: Examples of PETs include, but are not limited to, anonymization (3.2) and pseudonymization

(3.22) tools that eliminate, reduce, mask, or de-identify PII or that prevent unnecessary, unauthorized and/or

undesirable processing of PII.
Note 2 to entry: Masking is the process of obscuring elements of PII.
3.14
privacy policy

overall intention and direction, rules and commitment, as formally expressed by the personally

identifiable information (PII) controller (3.8) related to the processing of PII (3.7) in a particular setting

3.15
privacy preference

specific choices made by a personally identifiable information (PII) principal (3.9) about how their PII

(3.7) should be processed for a particular purpose
3.16
privacy principle

shared value governing the privacy protection of personally identifiable information (PII) (3.7) when

processed in information and communication technology systems
3.17
privacy risk
effect of uncertainty on privacy

Note 1 to entry: Risk is defined as the “effect of uncertainty on objectives” in ISO Guide 73 and ISO 31000.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or

knowledge of, an event, its consequence, or likelihood.
3.18
privacy impact assessment
privacy risk assessment

overall process of identifying, analysing, evaluating, consulting, communicating and planning

the treatment of potential privacy impacts with regard to the processing of personally identifiable

information (3.7), framed within an organization’s broader risk management framework

3.19
privacy safeguarding requirement

requirement that an organization takes into account when processing personally identifiable information

(PII) (3.7) with respect to the privacy protection of PII
3.20
privacy stakeholder

natural or legal person, public authority, agency or any other body that can affect, be affected by, or

perceive themselves to be affected by a decision or activity related to personally identifiable information

(PII) (3.7) processing
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC FDIS 29100:2023(E)
3.21
processing of PII

operation or set of operations performed upon personally identifiable information (PII) (3.7)

Note 1 to entry: Examples of processing operations of PII include, but are not limited to, the collection, storage,

alteration, retrieval, consultation, disclosure, anonymization (3.2), pseudonymization (3.22), dissemination or

otherwise making available, deletion or destruction of PII.
3.22
pseudonymization

process applied to personally identifiable information (PII) (3.7) which replaces identifying information

with an alias

Note 1 to entry: Pseudonymization can be performed either by PII principals (3.9) themselves or by PII controllers

(3.8). Pseudonymization can be used by PII principals to consistently use a resource or service without disclosing

their identity to this resource or service (or between services), while still being held accountable for that use.

Note 2 to entry: Pseudonymization does not rule out the possibility that there can be (a restricted set of) privacy

stakeholders (3.20) other than the PII controller of the pseudonymized data which are able to determine the PII

principal’s identity based on the alias and data linked to it.
3.23
sensitive PII

category of personally identifiable information (PII) (3.7), either whose nature is sensitive, such as those

that relate to the PII principal’s (3.9) most intimate sphere, or that can have a significant impact on the

PII principal

Note 1 to entry: In some jurisdictions or in specific contexts, sensitive PII is defined in reference to the nature of

the PII and can consist of PII revealing the racial origin, political opinions or religious or other beliefs, personal

data on health, sex life or criminal convictions, as well as other PII that can be defined as sensitive.

3.24
third party

privacy stakeholder (3.20) other than the personally identifiable information (PII) principal (3.9), the PII

controller (3.8) and the PII processor (3.10), and the natural persons who are authorized to process the

data under the direct authority of the PII controller or the PII processor
4 Abbreviated terms
ICT information and communication technology
PET privacy enhancing technology
PII personally identifiable information
5 Basic elements of the privacy framework
5.1 Overview of the privacy framework

The following components relate to privacy and the processing of PII in ICT systems and make up the

privacy framework described in this document:
— actors and roles;
— interactions;
— recognizing PII;
— privacy safeguarding requirements;
© ISO/IEC 2023 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC FDIS 29100:2023(E)
— privacy policies;
— privacy controls.

For the development of this privacy framework, concepts, definitions and recommendations from other

official sources have been taken into consideration. These sources can be found in Reference [3].

NOTE In order to make it easier to use ISO/IEC 27000 and related international standards concerning ISMS

[4]-[25]

in the specific context of privacy and to integrate privacy concepts in the ISO/IEC 27000 context, Table A.1

shows how the concepts from References [4] to [25] correspond with the concepts used in this document.

5.2 Actors and roles
5.2.1 General

For the purposes of this document, it is important to identify the actors involved in the processing

of PII. There are four types of actors who can be involved in the processing of PII: PII principals, PII

controllers, PII processors and third parties.
5.2.2 PII principals

PII principals provide their PII for processing to PII controllers and PII processors and, when it is not

otherwise provided by applicable law, they give consent and determine their privacy preferences for

how their PII should be processed. PII principals can include, for example, an employee listed in the

human resources system of a company, the consumer mentioned in a credit report, and a patient listed

in an electronic health record. It is not always necessary that the respective natural person is identified

directly by name in order to be considered a PII principal. If the natural person to whom the PII relates

can be identified indirectly (e.g. through an account identifier, social security number, or even through

the combination of available attributes), he or she is considered to be the PII principal for that PII set.

5.2.3 PII controllers

A PII controller determines why (purpose) and how (means) the processing of PII takes place. The PII

controller should ensure adherence to the privacy principles in this framework during the processing

of PII under its control (e.g. by implementing the necessary privacy controls). There can be more than

one PII controller for the same PII set or set of operations performed upon PII (for the same or different

legitimate purposes). In this case, the different PII controllers shall work together and make the

necessary arrangements to ensure the privacy principles are adhered to during the processing of PII. A

PII controller can also decide to have all or part of the processing operations carried out by a different

privacy stakeholder on its behalf. It is expected that PII controllers carefully
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 27036-3:2023(Main)
Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security

This document provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding: a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains; b) responding to risks stemming from this physically dispersed and multi-layered hardware, software, and services supply chain that can have an information security impact on the organizations using these products and services; c) integrating information security processes and practices into the system and software life cycle processes, as described in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, while supporting information security controls, as described in ISO/IEC 27002. This document does not include business continuity management/resiliency issues involved with the hardware, software, and services supply chain. ISO/IEC 27031 addresses information and communication technology readiness for business continuity.

  • Standard
    35 pages
    English language
    sale 15% off
  • Draft
    35 pages
    English language
    sale 15% off
  • Draft
    35 pages
    English language
    sale 15% off
ISO
ISO/IEC 29134:2023(Main)
Information technology — Security techniques — Guidelines for privacy impact assessment

This document gives guidelines for: — a process on privacy impact assessments, and — a structure and content of a PIA report. It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. This document is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.

  • Standard
    44 pages
    English language
    sale 15% off
  • Draft
    44 pages
    English language
    sale 15% off
  • Draft
    44 pages
    English language
    sale 15% off
ISO
ISO/IEC 20008-2:2013/Amd 2:2023(Amendment)
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2
  • Standard
    26 pages
    English language
    sale 15% off
  • Draft
    26 pages
    English language
    sale 15% off
  • Draft
    26 pages
    English language
    sale 15% off
ISO
ISO/IEC 29128-1:2023(Main)
Information security, cybersecurity and privacy protection — Verification of cryptographic protocols — Part 1: Framework

This document establishes a framework for the verification of cryptographic protocol specifications according to academic and industry best practices.

  • Standard
    15 pages
    English language
    sale 15% off
  • Draft
    15 pages
    English language
    sale 15% off
  • Draft
    15 pages
    English language
    sale 15% off
ISO
ISO/IEC 27035-1:2023(Main)
Information technology — Information security incident management — Part 1: Principles and process

This document is the foundation of the ISO/IEC 27035 series. It presents basic concepts, principles and process with key activities of information security incident management, which provide a structured approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying lessons learned. The guidance on the information security incident management process and its key activities given in this document are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.

  • Standard
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC 27035-2:2023(Main)
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response

This document provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the “plan and prepare” and “learn lessons” phases of the information security incident management phases model presented in ISO/IEC 27035-1:2023, 5.2 and 5.6. The major points within the “plan and prepare” phase include: — information security incident management policy and commitment of top management; — information security policies, including those relating to risk management, updated at both organizational level and system, service and network levels; — information security incident management plan; — Incident Management Team (IMT) establishment; — establishing relationships and connections with internal and external organizations; — technical and other support (including organizational and operational support); — information security incident management awareness briefings and training. The “learn lessons” phase includes: — identifying areas for improvement; — identifying and making necessary improvements; — Incident Response Team (IRT) evaluation. The guidance given in this document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this document according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.

  • Standard
    53 pages
    English language
    sale 15% off
  • Standard
    53 pages
    English language
    sale 15% off
ISO
ISO/IEC 24760-3:2016/Amd 1:2023(Amendment)
Information technology — Security techniques — A framework for identity management — Part 3: Practice — Amendment 1: Identity Information Lifecycle processes
  • Standard
    3 pages
    English language
    sale 15% off
  • Draft
    3 pages
    English language
    sale 15% off
  • Draft
    3 pages
    English language
    sale 15% off
ISO
ISO/IEC 24760-1:2019/Amd 1:2023(Amendment)
IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts — Amendment 1
  • Standard
    4 pages
    English language
    sale 15% off
  • Draft
    4 pages
    English language
    sale 15% off
  • Draft
    4 pages
    English language
    sale 15% off
ISO
ISO/IEC 27559:2022(Main)
Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller’s behalf, implementing data de-identification processes for privacy enhancing purposes.

  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO/IEC 27557:2022(Main)
Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management

This document provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. This document provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: — organizational consequences of adverse privacy impacts on individuals; and — organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. This document assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization. This document is applicable to all types and sizes of organizations processing PII or developing products and services that can be used to process PII, including public and private companies, government entities, and non-profit organizations.

  • Standard
    19 pages
    English language
    sale 15% off