ISO/IEC 27046

ISO/IEC 27046 – Information technology — Big data security and privacy — Guidelines for implementation [Draft]


The purpose of this standard is to assist organizations in implementing the security and privacy processes described in ISO/IEC 27045.

Scope and objectives

By providing guidance on the following topics, the standard will “address the key challenges and risks of big data security and privacy”:

– Identifying and evaluating the privacy and security risks associated with big data;
– Using, maintaining, and managing security and privacy controls, as well as other risk management measures;
– Validating and verifying big data security and privacy arrangements to obtain assurance.

The following audiences are targeted:

– Companies that construct and secure big data frameworks;
– “Users”, “application operators”;
– Providers and consumers of big data;
– “Industry to enhance robustness and efficiency of ecosystems,” as well as improving their compatibility and interoperability, and reducing redundant security products. [Based on a second working draft].

ISO/IEC 20547-4 “Information technology – Big data reference architecture – Part 4: Security and privacy” is recognized as a normative (essential) reference.

The standard’s status

2019 marked the start of the standard development project.

Currently, it is in the Working Draft stage.

It was scheduled to be published in 2023. However, a pause in the ISO/IEC 27045 project implies that this standard and its schedule are in jeopardy.


The draft standard’s current definition of ‘big data’ does not (from my cynical and rather jaundiced perspective) adequately reflect its widespread use in IT today, largely because ‘extensive’ is vague: it is essentially synonymous with ‘big’ without adding much clarity.

The term big data is defined as:

“Extensive datasets – primarily in the characteristics of volume, variety, velocity, and/or variability – that require a scalable architecture for efficient storage, manipulation, and analysis. [Source: ISO/IEC 20546]”

You can find more information on Wikipedia, for example:

“Current usage of the term big data tends to refer to the use of predictive analytics, user behaviour analytics, or certain other advanced data analytics methods that extract value from data, and seldom to a particular size of data set. “There is little doubt that the quantities of data now available are indeed large, but that’s not the most relevant characteristic of this new data ecosystem.” Analysis of data sets can find new correlations to “spot business trends, prevent diseases, combat crime and so on.” Scientists, business executives, practitioners of medicine, advertising and governments alike regularly meet difficulties with large data-sets in areas including Internet searches, fintech, urban informatics, and business informatics. Scientists encounter limitations in e-Science work, including meteorology, genomics, connectomics, complex physics simulations, biology and environmental research.”

Big data is characterized by the fact that traditional database management systems (mostly relational these days) are incapable of handling the complexity and volatility of truly vast sets of data. Even with enormous amounts of raw CPU power, conventional architectures are subject to limitations and failures once their scalability has been exceeded. I would expect that to entail fundamentally different approaches, along with relatively new risks to information security and privacy-related controls. However, there is no guarantee that this standard will address the problems in practice; this is cutting-edge technology.

It is not clear how ISO/IEC 20547-4:2020 differs from and adds value to this standard.
