iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty!
ISO

ISO/IEC DIS 27555

(Main)

Information security, cybersecurity and privacy protection – Guidelines on personally identifiable information deletion

Information security, cybersecurity and privacy protection – Guidelines on personally identifiable information deletion

Titre manque

General Information

Status
Published
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 5 - Identity management and privacy technologies
Current Stage
4020 - DIS ballot initiated: 5 months
Start Date
08-Dec-2020
Completion Date
08-Dec-2020
Ref Project

Buy Standard

ISO/IEC DIS 27555ISO/IEC DIS 27555
PreviousNext
Draft
ISO/IEC DIS 27555 - Information security, cybersecurity and privacy protection – Guidelines on personally identifiable information deletion
English language
24 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27555
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2020-12-08 2021-03-02
Information security, cybersecurity and privacy protection
– Guidelines on personally identifiable information
deletion
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 27555:2020(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC DIS 27555:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 27555:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 3

5 A framework for deletion ............................................................................................................................................................................ 3

5.1 General ........................................................................................................................................................................................................... 3

5.2 Leg al, regulatory and contractual requirements ....................................................................................................... 4

5.3 Clusters of PII ........................................................................................................................................................................................... 4

5.4 Retention period and regular deletion period ............................................................................................................. 4

5.4.1 Retention period .............................................................................................................................................................. 4

5.4.2 Regular deletion period ............................................................................................................................................. 5

5.4.3 Allocation of clusters of PII ..................................................................................................................................... 6

5.5 Archives and backup copies ......................................................................................................................................................... 6

5.6 Standard deletion periods, starting points, deletion rules and deletion classes ........................... 6

5.7 Special situations .................................................................................................................................................................................. 7

5.8 Documentation of policies and procedures ................................................................................................................... 7

6 Clusters of PII ........................................................................................................................................................................................................... 7

6.1 Identification ............................................................................................................................................................................................ 7

6.2 Design criteria ......................................................................................................................................................................................... 8

6.3 Documentation ....................................................................................................................................................................................... 9

7 Specification of deletion periods ......................................................................................................................................................... 9

7.1 Standard and regular deletion periods .............................................................................................................................. 9

7.2 Regular deletion period specifications............................................................................................................................10

7.3 Standard deletion period identification .........................................................................................................................10

7.4 Deletion period specifications for special situations ..........................................................................................11

7.4.1 General...................................................................................................................................................................................11

7.4.2 Transformation of a cluster of PII ..................................................................................................................12

7.4.3 Need to extend period of active use .............................................................................................................12

7.4.4 Suspension of the deletion ...................................................................................................................................12

7.4.5 Backup copies ..................................................................................................................................................................12

8 Deletion classes ..................................................................................................................................................................................................13

8.1 Abstract starting points — abstract deletion rules ..............................................................................................13

8.2 Matrix of deletion classes ...........................................................................................................................................................14

8.3 Allocation of deletion classes and definition of deletion rules ...................................................................15

9 Requirements for implementation ................................................................................................................................................15

9.1 General ........................................................................................................................................................................................................15

9.2 Conditions for starting points outside IT systems ................................................................................................17

9.3 Requirements for implementation for cross-sectional areas ......................................................................18

9.3.1 General...................................................................................................................................................................................18

9.3.2 Backup ...................................................................................................................................................................................18

9.3.3 Protocols ..............................................................................................................................................................................18

9.3.4 Transport systems .......................................................................................................................................................18

9.3.5 Repair, dismantling and disposal of systems and components ............................................19

9.3.6 Everyday business life ..............................................................................................................................................19

9.4 Requirements for implementation for individual IT systems .....................................................................19

9.5 Deletion in regular manual processes .............................................................................................................................20

9.6 Requirements for implementation for service providers ...............................................................................20

9.7 Control deletion in special cases ..........................................................................................................................................21

9.7.1 Exception management...........................................................................................................................................21

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 27555:2020(E)

9.7.2 Further sets of PII ........................................................................................................................................................21

10 Responsibilities ..................................................................................................................................................................................................22

10.1 General ........................................................................................................................................................................................................22

10.2 Documentation ....................................................................................................................................................................................22

10.3 Implementation ...................................................................................................................................................................................23

Bibliography .............................................................................................................................................................................................................................24

iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 27555:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International

Standards adopted by the joint technical committee are circulated to national bodies for voting.

Publication as an International Standard requires approval by at least 75 % of the national bodies

casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27555 was prepared by Technical Committee ISO/TC JTC1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC DIS 27555:2020(E)
Introduction

Many functional processes and IT applications use personally identifiable information (PII) which is

subject to various compliance provisions relating to privacy. Thus, organizations need to ensure that

PII is not retained for longer than is necessary, and is deleted at the appropriate time. This also may

require organizations to fulfill PII principals' rights such as right to obtain the erasure (to be forgotten).

ISO/IEC 29100 defines principles of “data minimization” and “use, retention and disclosure limitation”

for personally identifiable information (PII) which can be enforced using deletion as a security control.

PII deletion requires a set of carefully-designed, clear and simple to understand, deletion rules,

embodying appropriate retention periods that satisfy the demands of multiple stakeholders. Those

rules should also comply with requirements originating from regulations, code of practice and other

standards. Mechanisms are correctly to be implemented and to be operated properly. In order to

ensure the legally compliant deletion of PII, the PII controller needs to develop policies and procedures

for deletion that includes a set of rules and responsibilities for the processes involved. The chances of

success for the development and implementation of these policies and processes can be improved if the

PII controller uses an approved approach to their design and implementation.

This document provides a framework for developing and establishing policies and procedures for PII

deletion that can be implemented by an organization. This framework allows to accomplish consistent

deletion of PII throughout an organization.
vi © ISO/IEC 2020 – All rights reserved
---------------------- Page: 6 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27555:2020(E)
Information security, cybersecurity and privacy protection
– Guidelines on personally identifiable information
deletion
1 Scope

This document contains guidelines for developing and establishing policies and procedures for deletion

of PII in organizations by specifying:
— a harmonized terminology for PII deletion,
— an approach for defining deletion rules in an efficient way,
— a description of required documentation, and
— a broad definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII are being stored or processed.

This document does not address:
— specific legal provision, as given by national law or specified in contracts,

— specific deletion rules for particular clusters of PII as are to be defined by PII controllers for

processing PII,
— deletion mechanisms,
— security of deletion mechanisms,
— specific techniques for de-identification of data.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 29100, Information technology — Security techniques — Privacy framework
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and the

following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http:// www .electropedia .org/
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC DIS 27555:2020(E)
3.1
cluster of PII
PII which is processed for a consistent functional purpose

Note 1 to entry: Clusters of PII are described independently of the technical representation of data objects. On a

regular basis, the clusters of PII also include PII which is not stored electronically

3.2
data object
element which contain PII

EXAMPLE Such elements are for instance files, documents, records or attributes. Concrete data objects can

be e.g. invoices, contracts, personal files, visitor lists, personnel planning sheets, photos, voice recordings, user

accounts, log entries, consent documents, and so on.

Note 1 to entry: In the context of this document data objects usually contain PII and can be combined with other

data objects in a cluster of PII. The individual data object can be of varying complexity.

3.3
deletion

process by which PII is changed in a manner so that it is no longer present or recognizable and usable

and can only be reconstructed with excessive effort

Note 1 to entry: In this document the term deletion covers all such synonyms: disposition mechanism, erasure,

destruction, destruction of data storage media.

Note 2 to entry: In this document the term deletion refers to the elimination of the bit patterns or comparable

practices, not simply marking or moving the data to be hidden. As a result, excessive effort for PII reconstruction

will be required, considering all the means likely reasonably to be used, e.g. available state of the art of technology,

human and technical resources, costs and time.

Note 3 to entry: For selecting the methods for deletion, a risk-based approach is to be taken into account, including

sensitivity of PII and potential use of forensic tools. Required measures may change during time depending on

the state of the art of technology and other factors.

Note 4 to entry: PII can be also changed applying irreversible de-identification technique. Such data often fall out

of privacy legislation. Further guidance on a de-identification technique can be found in ISO/IEC 20889:2018–11

(1st edition) — Privacy enhancing data de-identification terminology and classification of techniques.

3.4
deletion class

combination of a standard deletion period and an abstract starting point for the period run

Note 1 to entry: All clusters of PII which are subject to the same deletion period and the same abstract starting

point are combined in a deletion class. As opposed to the (specific) deletion rule for a cluster of PII, the (abstract)

deletion class relates only to the abstract starting point and not to a specific condition for the start of the period

run (see also Clause 8.)
3.5
deletion rule

combination of deletion period and specific condition for the starting point of the period run

3.6
deletion period
time period after which a specific cluster of PII should be deleted

Note 1 to entry: As a generic term, the deletion period comprises all deletion periods. This includes the standard

deletion periods and the regular deletion periods, which form special groups. However, the term also includes,

for instance, the specific deletion periods for some clusters of PII or deletion periods in special cases. For details

see Clause 7.

Note 2 to entry: The deletion period for a cluster of PII extends beyond the end of the retention period, by at least

an amount commensurate with the time required to achieve deletion of the relevant data objects.

2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC DIS 27555:2020(E)
3.7
standard deletion period
unified deletion periods for the PII controller

Note 1 to entry: A standard deletion period is a deletion period used for several clusters of PII to standardize

several deletion periods lying close to one another (see 7.1.)
3.8
regular deletion period

maximum time period after which the data objects of a cluster of PII should be deleted if used in regular

processing in the processes of the PII controller
Note 1 to entry: For the boundary conditions of period specifications see 5.4.
3.9
retention period

time period within which the data objects of cluster of PII is required to be available in the PII

controller’s organization because of the functional use or legal retention obligations

Note 1 to entry: A specific cluster of PII typically has the same retention period

Note 2 to entry: For the boundary conditions of period specifications see 5.4 and Clause 7.

3.10
legal retention period

time period within which the data objects of a cluster of PII are available in the PII controller’s

organization as required by legal provisions
4 Symbols and abbreviated terms
CRM Customer Relationship Management
DMS Document Management system
IT Information Technology
PII Personally Identifiable Information
5 A framework for deletion
5.1 General

This document describes how an organization acting as PII controller can establish policies and

procedures for deletion of PII. For this, the PII controller should specify:
— which deletion rules apply to which PII;
— how the deletion is implemented using the deletion rules;

— the manner in which the deletion rules and the deletion measures are documented; and

— who is responsible for the deletion rules, deletion processes and their documentation.

To establish deletion policies and procedures the following steps are recommended:

— select a minimum number of standard deletion periods which form the basis of deletion classes;

— base deletion classes on the standard deletion periods identified;
— allocate each cluster of PII to a deletion class.
© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC DIS 27555:2020(E)
— identify and document deletion processes;
— implement deletion processes for each cluster of PII.

The number and complexity of the deletion classes should be kept to a minimum within the context of

the relevant compliance requirements.
5.2 Leg al, regulatory and contractual requirements

The PII controller should ensure their policies and procedures to meet compliance and contractual

requirements are relevant to the PII in their possession.

Where the organization is performing the role of a PII processor, they should ensure deletion rules are

implemented in accordance with the relevant PII controller instructions.

Where compliance and/or contractual requirements state that PII should be deleted when it is no longer

required for the defined purpose the principles contained in ISO/IEC 29100: (a) “Use, retention and

disclosure limitation” and (b) “Data minimization”, should be considered when designing the deletion

processes.

EXAMPLE The deletion rule for the cluster of PII named “Accounting data” could be 10 years after the end of

the financial year in which the accounting entry was made in the balance sheet.

Compliance and/or contractual requirements can require special measures, particularly where clusters

of PII are retained only to fulfil retention obligations. In this case, restricting the processing of the

clusters of PII concerned may be required.
5.3 Clusters of PII

Clusters of PII should be named individually and unambiguously and according to their functional

purposes. Each cluster of PII should be allocated one deletion rule (see 6.2.)

EXAMPLE For a telecommunications provider, customer data, location data, traffic data, billing data,

itemized bill data, etc. could be the names of clusters of PII.
The same PII can be part of more than one cluster of PII because of two cases:

— clusters of PII contain one or more data objects. Some attributes like name or address can occur

in several data objects in the same or different clusters of PII, e.g. in the customer master data, an

invoice and a letter to the customer. Deletion is applied usually on the data object as a whole (and

not on single attributes within the data object.)
— copies of a data object can be part of different clusters of PII.

EXAMPLE Assume an invoice documents materials and actions performed to repair an engine. With

functional processes three copies of the document are stored in different clusters of PII: “Bookkeeping data”

(deleted 11 years after payment), “engine documentation file” to document the history and parts of the engine

(deleted 5 years after destruction of the engine) and “supplier file” to document the history of the relationship

and operations with the supplier (deleted 15 years after receiving the data object.)

PII should not be deleted upon individual case decisions only, but in accordance with appropriate

deletion rules wheresoever possible. Therefore, the PII controller should develop deletion rules in

accordance with their deletion policy. Every deletion rule should include a definition of the deletion

period and when the deletion period begins (starting point.)
5.4 Retention period and regular deletion period
5.4.1 Retention period

The period of time for which a cluster of PII is retained, based on its functional purposes (which might

include retention period complying with legal and statutory obligations), is its retention period. This

4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC DIS 27555:2020(E)

time period includes the time period in which a cluster of PII is actively used in functional processes,

in accordance with compliance and/or contractual purposes and in accordance with the organizations

long term storage requirements.

EXAMPLE The legal retention obligations for clusters of PII include, for example, the provisions of tax laws

for trade letters and accounting documents. Functional purposes include, for example, guarantee commitments

and potential equipment recall actions.
5.4.2 Regular deletion period

Clusters of PII should not be deleted until the end of its defined retention period, unless specific

approvals have been obtained.

Legal obligations may grant a leeway after retention period to perform deletion. This leeway can be

used to apply a process and mechanisms for deletion in accordance with organizational and technical

conditions. The combination of the retention period and the maximum time period for the deletion

process is defined as the regular deletion period. The PII controller should estimate the maximum time

period that is acceptable for the deletion process.

Each deletion rule should be applied by deleting data objects within a cluster of PII in all systems and

all other storage places including physical documents. This includes the deletion of clusters of PII

processed by any PII processors contracted by the PII controller.

Figure 1 shows an example of how to derive a regular deletion period based on the lifecycle of an order.

The retention period and regular deletion period for the order starts with the formation of the contract.

The active use of the contract ends with the receipt of payment. After that, the contract is still retained

for possible warranty cases and as a trade letter.
Figure 1 — Example of regular deletion period for an order

NOTE In the example in Figure 1 the retention period for the order is shorter than the regular deletion

period. Depending on which cluster of PII is involved and its defined deletion period, the retention period and the

regular deletion period sometimes have nearly the same duration. The invoice and the booking of the payment

received are categorized as separate clusters of PII and therefore have different deletion rules.

© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC DIS 27555:2020(E)
5.4.3 Allocation of clusters of PII

The allocation of clusters of PII to specific standard deletion periods should be based on compliance

and/or contractual requirements in alignment with business needs. The standard deletion periods

should be kept as few as possible and should be the minimum required in order to ensure compli

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 11770-4:2017/Amd 2:2021(Amendment)
Leakage-resilient password-authenticated key agreement with additional stored secrets
    • sale 15% off
    • Standard
      39 pages
      English language
    • sale 15% off
    • Draft
      39 pages
      English language
    • sale 15% off
    • Draft
      40 pages
      English language
ISO
ISO/IEC TS 27570:2021(Main)
Privacy protection -- Privacy guidelines for smart cities

The document takes a multiple agency as well as a citizen-centric viewpoint. It provides guidance on: — smart city ecosystem privacy protection; — how standards can be used at a global level and at an organizational level for the benefit of citizens; and — processes for smart city ecosystem privacy protection. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that provide services in ...view more

    • sale 15% off
    • Technical specification
      37 pages
      English language
    • sale 15% off
    • Draft
      37 pages
      English language
ISO
ISO/IEC TS 27100:2020(Main)
Information technology -- Cybersecurity -- Overview and concepts

This document provides an overview of cybersecurity. This document: — describes cybersecurity and relevant concepts, including how it is related to and different from information security; — establishes the context of cybersecurity; — does not cover all terms and definitions applicable to cybersecurity; and — does not limit other standards in defining new cybersecurity-related terms for use. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, governme...view more

    • sale 15% off
    • Technical specification
      17 pages
      English language
    • sale 15% off
    • Draft
      17 pages
      English language
ISO
ISO/IEC 27014:2020(Main)
Information security, cybersecurity and privacy protection -- Governance of information security

This document provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization. The intended audience for this document is: — governing body and top management; — those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; — those responsible for in...view more

    • sale 15% off
    • Standard
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
    • sale 15% off
    • Draft
      15 pages
      English language
ISO
ISO/IEC 20897-1:2020(Main)
Information security, cybersecurity and privacy protection -- Physically unclonable functions

This document specifies the security requirements for physically unclonable functions (PUFs). Specified security requirements concern the output properties, tamper-resistance and unclonability of a single and a batch of PUFs. Since it depends on the application which security requirements a PUF needs to meet, this documents also describes the typical use cases of a PUF. Amongst PUF use cases, random number generation is out of scope in this document.

    • sale 15% off
    • Standard
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
ISO
ISO/IEC 18032:2020(Main)
Information security -- Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the righ...view more

    • sale 15% off
    • Standard
      33 pages
      English language
    • sale 15% off
    • Draft
      33 pages
      English language
    • sale 15% off
    • Draft
      36 pages
      English language
ISO
ISO/IEC 19772:2020(Main)
Information security -- Authenticated encryption

This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: — data confidentiality, i.e. protection against unauthorized disclosure of data; — data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; — data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All five methods specified i...view more

    • sale 15% off
    • Standard
      26 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 11770-5:2020(Main)
Information security -- Key management

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: — symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and — symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group f...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 15% off
    • Draft
      18 pages
      English language
    • sale 15% off
    • Draft
      18 pages
      English language
ISO
ISO/IEC 19989-2:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1. The evaluation of presentation attack detection techniques is out of the scope of this document ex...view more

    • sale 15% off
    • Standard
      33 pages
      English language
    • sale 15% off
    • Draft
      42 pages
      English language
ISO
ISO/IEC 19989-1:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systemsthis document specifies: — extended security functional components to SFR Classes in ISO/IEC 15408-2; — supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3. This document introduces the general framework for the security evaluation of biometric systems, including extended security fu...view more

    • sale 15% off
    • Standard
      62 pages
      English language
    • sale 15% off
    • Draft
      83 pages
      English language
ISO
ISO/IEC 19989-3:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. This document is applicable only to TOEs for single biometric characteristic type but for the selection of a c...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 27035-3:2020(Main)
Information technology -- Information security incident management

This document gives guidelines for information security incident response in ICT security operations. This document does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion. This document is...view more

    • sale 15% off
    • Standard
      31 pages
      English language
    • sale 15% off
    • Draft
      32 pages
      English language
ISO
ISO/IEC 13888-1:2020(Main)
Information security -- Non-repudiation

This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation: — evidence generation; — evidence transfer, storage and retrieval; and — evidence verification. Dispute arbitration is outside the scope of the ISO/IEC 13888 series.

    • sale 15% off
    • Standard
      20 pages
      English language
    • sale 15% off
    • Draft
      20 pages
      English language
ISO
ISO/IEC 13888-3:2020(Main)
Information security -- Non-repudiation

This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.

    • sale 15% off
    • Standard
      13 pages
      English language
    • sale 15% off
    • Draft
      14 pages
      English language
ISO
ISO/IEC 18033-4:2011/Amd 1:2020(Amendment)
ZUC
    • sale 15% off
    • Standard
      12 pages
      English language
    • sale 15% off
    • Draft
      11 pages
      English language
ISO
ISO/IEC 29184:2020(Main)
Information technology -- Online privacy notices and consent

This document specifies controls which shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals. This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

    • sale 15% off
    • Standard
      25 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 27009:2020(Main)
Information security, cybersecurity and privacy protection -- Sector-specific application of ISO/IEC 27001 -- Requirements
oSIST ISO/IEC DIS 27009:2019

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 2700...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 10% off
    • Draft
      24 pages
      English language
    • e-Library read for
      1 day
ISO
ISO/IEC 27006:2015/Amd 1:2020(Amendment)
ISO/IEC 27006:2015/Amd 1:2020
    • sale 15% off
    • Standard
      2 pages
      English language
    • sale 15% off
    • Standard
      2 pages
      French language
ISO
ISO/IEC 20085-2:2020(Main)
IT Security techniques -- Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules

This document specifies the test calibration methods and apparatus used when calibrating test tools for cryptographic modules under ISO/IEC 19790 and ISO/IEC 24759 against the test metrics defined in ISO/IEC 17825 for mitigation of non-invasive attack classes.

    • sale 15% off
    • Standard
      17 pages
      English language
ISO
ISO/IEC 9797-3:2011/Amd 1:2020(Amendment)
ISO/IEC 9797-3:2011/Amd 1:2020
    • sale 15% off
    • Standard
      2 pages
      English language