ISO/IEC 27556

ISO/IEC 27556 — Information security, cybersecurity and privacy protection — User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences [Draft]

Introduction

Following the privacy-by-design principle and other requirements of privacy laws and regulations, the standard will outline a “user-centric framework” (an architecture) for handling personal information in a controlled manner.

In the standard, organizations handling personal data are outlined with a mechanism for ensuring compliance with the data subject’s privacy requirements despite sharing and collaborating on data processing.

The scope of the standard

A generic architecture standard will be developed but no specifics about the content and format of privacy preference information will be included.

By designing and implementing the architecture, IT systems can handle personal information and transmit it between organisations, while managing privacy preferences of data subjects (referred to in the standard as PII principals, i.e., the individuals whose information is processed).

In this standard, the privacy framework of ISO/IEC 29100 is expanded upon.

The content

To be determined.

Status

In 2019, a standard development project was launched.

The standard was scheduled for publication in 2022. The project’s due date has been extended to early in 2023 because substantive comments and a new use case will take longer than expected to address.

Currently, it is in the third committee draft stage.

Commentary

To be determined.