What if there was a formula describing the best methods, techniques and guidelines for privacy? In the face of rapid evolution of information technology and regulations for privacy and data protection, working along the lines of clearly defined controls, concepts and principles is a necessity to tackle the complexity of this constant change.
A pathway to best privacy practices
In the domain of information and communication technology, the International Organization for Standardization develops standards together with the International Electrotechnical Commission in their Joint Technical Committee 1. Consequently, most ISO and IEC standards in the field of security and privacy are developed within JTC 1. The global importance of the vast variety of ISO/IEC standards, specifications and reports that pursue the aim of documenting “the best way of doing something” cannot be overestimated.
ISO is an international organization with national standards bodies from 124 countries contributing as full members, making it a unique nation states-oriented standardization body with global reach. IEC unites a similar number of countries. Currently, 100 countries collaborate in JTC 1. This setup is significantly different from other standard-setting bodies, such as industry consortia like the World Wide Web Consortium, organizations of professionals like the Institute of Electrical and Electronics Engineers or government bodies like the National Institute of Standards and Technology.
ISO and IEC are best known for their international standards, defined as providing “rules, guidelines or characteristics for activities or for their results, aimed at achieving the optimum degree of order in a given context.” This can include product standards, test methods, codes of practice, guideline standards or management systems standards.
Apart from standards, ISO and IEC publish a variety of other deliverables. Technical specifications are published for immediate use while still subject to feedback, resulting in eventual standardization. Technical reports summarize information about the “state of the art” of a specific issue or theme.
Why are ISO/IEC standards important?
While there are more than 24,000 published ISO, IEC and ISO/IEC standards, certification or accreditation is only available for a limited few. Where it is available, there are many reasons for pursuing a certification according to such standards, performed by external certification bodies. Certification results can serve as a seal of approval from a third party and demonstrate accountability. Organizations might be contractually obliged to maintain certifications. Certifications can also lead to a competitive advantage, demonstrating commitment to minimizing risk exposure in an internationally recognized manner. Also, they are a good way to show customers and key stakeholders that the protection of personal information is taken seriously.
Even when not certified, the implementation of standards can strengthen internal good governance and practices. Their use can not only initiate necessary change processes but also make effective security and privacy management visible to the board. Thus, even without aiming to obtain a certification, taking a close look at how ISO/IEC formalizes processes around information security and privacy can be considered crucial for keeping up with best practices and the state of the art in security and privacy measures.
Privacy-related work within ISO/IEC
In the field of IT, JTC 1 works with its more than 20 subcommittees to develop, maintain, promote and facilitate ICT standards for business and consumer applications.
Subcommittee 27 covers the field of information security, cybersecurity and privacy protection. Two hundred and ten standards have already been published under the responsibility of ISO/IEC JTC 1/SC 27. Eighty-two standards are currently in development. The latest work of SC 27 includes the security and privacy requirements of the internet of things, big data security, trustworthiness and applications involving privacy technology.
The primary source for standards that define state of the art privacy practices and privacy by design is ISO/IEC JTC 1/SC 27/WG 5, focusing on “identity management and privacy technologies.” Its work includes a privacy framework, a privacy reference architecture, privacy infrastructures, a privacy impact assessment, specific privacy-enhancing technologies and privacy engineering.
The basis for ISO/IEC privacy standards
Which privacy-related standards of ISO and ISO/IEC can best support an organization or specific functions within a company? There is a lot to choose from. Depending on the sector, product, role and task at hand, the approach to structuring and analyzing which standards are most appropriate can vary.
The common denominator of ISO and IEC’s work on privacy in general is the privacy framework ISO/IEC 29100:2011. Originally published in 2011, it was last reviewed and updated in 2018.
The ISO/IEC 29100 Privacy Framework defines a basic privacy terminology, defines roles of different organizations with respect to privacy, describes privacy safeguarding considerations and contains a list of the following 11 privacy principles:
- Consent and choice.
- Purpose legitimacy and specification.
- Collection limitation.
- Data minimization.
- Use, retention and disclosure limitation.
- Accuracy and quality.
- Openness, transparency and notice.
- Individual participation and access.
- Accountability.
- Information security.
- Privacy compliance.
For all those principles, the Privacy Framework provides further details on how to adhere to them. In comparison to the privacy principles formulated in the U.S. Fair Information Privacy Practices and the EU General Data Protection Regulation, the 29100 Privacy Framework is based on an international agreement. As such, it is comparable to the Organisation for Economic Co-operation and Development Privacy Protection Guidelines, which also reflect the consensus of the international community regarding personal data, while additionally encompassing privacy in ICT systems.
The 29100 Privacy Framework is publicly available free of charge and is the basis for all other ISO/IEC privacy-related standards. It is accompanied by the Privacy Reference List SD 2, which provides an overview of privacy and data protection laws and authorities around the globe.
An orientation in the landscape of ISO/IEC privacy standards
From a privacy management perspective, the core of privacy standards built on the basis of the ISO/IEC 29100:2011 Privacy Framework is ISO/IEC 27701:2019. ISO/IEC 27701:2019 is the most crucial standard for implementing a comprehensive privacy information management system and will be covered in more detail below.
A large variety of more detailed standards help fulfill the best practices of ISO/IEC 27701:2019. They can also be used independently. To help assess which standards are most useful under given circumstances, ISO/IEC privacy standards can be grouped in a variety of ways. In a perspective based on ISO/IEC 29100, the publications and projects of WG 5 and SC 27 can, for example, be categorized into the following principles and related management issues:
- First, several standards provide additional guidance in support of the requirements of a PIMS.
For example, ISO/IEC TR 27550:2019 is a technical report on privacy engineering for system life cycle processes. It provides an overview of the current state of the art of privacy engineering, explores how to integrate various management processes, and elaborates on objectives, controls and risk models.
Another relevant guidance for anyone involved in implementing privacy by design considerations into projects is ISO/IEC 29134:2017. These guidelines describe the process, structure and content of a PIA.
- A second group of standards defines specific controls and expands on technical and organizational requirements.
For example, ISO/IEC 29184:2020, “Information technology - Online privacy notices and consent,” provides details on the implementation of the privacy principles of “consent and choice” and “openness, transparency and notice.” It lays the foundation for presenting clear, easily understood information about the processing of personal data, and specifies controls to obtain consent in a fair, demonstrable, transparent, unambiguous and revocable manner.
Other standards cover authentication, access management, user preferences, deletion, identity management or deidentification.
- Lastly, additional standards focus on specific sectors.
For example, ISO/IEC 27018:2019 establishes sets of controls to protect personal information in the context of public clouds acting as processors. Other areas, like IoT, smart cities, big data and financial technology services, are also covered by dedicated standards.
Notably, ISO/IEC 27701 for implementing a Privacy Information Management System is a crucial management standard. An example of a widely applicable privacy standard that can be operationalized independently is the Guidelines for privacy impact assessments in ISO/IEC 29134:2017. Both are explained below in further detail.
A Privacy Information Management System according to ISO/IEC 27701
The most prominent standard of ISO/IEC in privacy is “ISO/IEC 27701, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.” This standard provides distinctive guidance for establishing, implementing, maintaining and continually improving a privacy information management system for controllers and processors of personal data.
It was developed in response to the growing need for a global data privacy framework, with the goal of supporting compliance with global privacy standards. Before its publication in August 2019, it was developed under the name ISO/IEC 27552 but was renamed to document its close relation to 27001 and 27002.
ISO/IEC 27701 is meant as an extension to some of the most popular standards in ISO history: ISO/IEC 27001 and ISO/IEC 27002. Belonging to the vast ISO/IEC 27000 family, those two fundamental standards are the basis for establishing an information security management system. They will, by the way, be updated during 2022.
To get a PIMS certified based on ISO/IEC 27701, the preceding or parallel implementation of an effective information security management system according to ISO/IEC 27001 and ISO/IEC 27002 can be useful. In other words, an existing framework for information security management can be complemented by a privacy framework for managing personal data. This leads to an integration and alignment of security and privacy controls.
“ISO/IEC 27701 helps organizations establish their PIMS based on global best practices with focus on measurement, monitoring and continuous improvement, while using a risk-based approach which in the privacy world is vital, given the constantly changing privacy threat landscape triggered by unprecedented innovation in digital technologies,” said Srinivas Poosarla, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP, Global CPO of Infosys, who was not only a co-editor of the standard but also helped Infosys become one of the first organizations in the world to accomplish accredited ISO/IEC 27701 certification. He added, “the mandatory periodic audits are a key differentiator for ISO/IEC 27701 when compared with other models and frameworks, since it helps organizations sustain the focus, rather than treating privacy compliance as a one-time initiative.”
Although the standard is jurisdiction agnostic, it may help organizations meet regulatory requirements across jurisdictions. In their ISO/IEC 27701 audits, organizations may need to declare applicable laws and regulations. In this context, the privacy controls of the standard can be mapped to the legal requirements of specific laws and regulations, and the proper operational controls implemented.
The open-sourced Data Protection Mapping Project aims to help with understanding the relationship between ISO/IEC 27701 and various data protection regulations. Its mappings reconcile the universal data protection controls outlined by ISO/IEC 27701 with global laws and regulations. One example: clause 7.5.1 of ISO/IEC 27701 (identifying the basis for PII transfer between jurisdictions) relates to GDPR Article 15.2 and to Section 1798.110(b) of the California Consumer Privacy Act.
Guidelines for PIAs according to ISO/IEC 29134:2017
In June 2017, ISO issued ISO/IEC 29134:2017 as an international standard on PIAs. The structure this standard proposes for PIAs is similar to that of one of its predecessors, ISO 22307:2008, which pioneered PIAs in the financial sector.
According to the standard, it is crucial that the assessment begin in the planning stage of the information system life cycle to ensure privacy by design. Before performing a PIA, a preliminary analysis is done to determine whether a PIA is necessary. If it is, the PIA accompanies the product development until deployment and beyond. It requires six elements: a plan, an assessment, a report, competent expertise, a degree of independence, and public aspects and their use in the decision-making process. The heart of the process is the definition of privacy requirements within the scope of the PIA, followed by the risk assessment and a risk response plan aimed at reducing or avoiding risks.
ISO/IEC 29134:2017 is a blueprint with highly practical relevance. Since data protection impact assessments are required by the GDPR for data processing likely to result in a high risk to individuals, and U.S. agencies are required to perform PIAs since 2002, performing a necessary PIA is becoming general best practice. Conducting a PIA early on can save costs in comparison to only implementing privacy and security measures later in the process or not at all. Also, PIAs can be used to create trust between stakeholders since viewpoints from different teams will be taken into consideration without bias.
Recent developments in ISO and ISO/IEC privacy standards
The scale and complexity of the work done by ISO and IEC on privacy has increased tremendously over the last 10 to 15 years. The publicly available “Roadmaps” of ISO/IEC JTC 1/SC 27/WG 5 — the detailed picture of all existing standards, projects, work items and activities, as well as possible fields of future work of WG 5 — show the growing number of standards over time, mirroring the general expansion of privacy law and technological advances relevant for the field.
Recently established and ongoing projects again promise to address outstanding challenges. Related to ISO/IEC TR 27550:2019 on privacy engineering (mentioned above), WG 5 is currently working on ISO/IEC 27561, a privacy operationalization model and method for engineering, known as POMME. This technical specification, initiated in May 2021, is intended for engineers and other practitioners developing systems that control or process personal information. It aims to set a standard for operationalizing privacy principles into sets of controls and functional capabilities.
WG 5 is not the only group whose work should be watched closely. Other working groups in ISO/IEC JTC 1/SC 27 are also very active. WG 2, Cryptography and Security Mechanisms, is working on a variety of standards in the field of privacy-enhancing technologies, including secure multiparty computation and homomorphic encryption. Standardization is an important factor in establishing new privacy-protecting technologies as state of the art that products or services must take into account.
Standards will keep evolving as the world continues to change and technological advances as well as privacy regulations remain in constant flux. Picking the right standard that works for your organization is critical. To support you in this mission, this article pointed out the variety of privacy standards provided by ISO and IEC, as a follow-up to exploring the NIST Privacy Framework. The third part in the series will cover relevant standards by further organizations such as W3C and IEEE.