ISO/IEC TR 27550

ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes

Introduction

“Privacy engineering” involves ensuring that privacy is integrated into the function of IT systems during the entire lifecycle, as part of their design and function.

The scope of the standard

Data privacy is a critical aspect of IT systems, so this IT security standard pertains to the design of IT systems to comply with that requirement.

The content

This standard:

– Addresses the ability of privacy engineering to support systems and security engineering, information risk management, human resource management, etc.
– Exceptional discussion of concepts like privacy-by-design and privacy-by-default, as well as privacy-by-default as described in the GDPR;
– Explains how privacy risks are identified, evaluated, and treated when designing IT systems;
– Describes how IT systems can be designed to comply with the OECD privacy principles that are the foundation of many laws and regulations regarding privacy.

Status

2019 marked the publication of the standard as a Technical Report.

Commentary

The operation, use, monitoring, management, and maintenance of IT systems and their privacy controls are just as important as the technical controls themselves, especially if they are systematically developed (engineered, documented, standardized, operational, managed, and maintained). It is good that this standard is not solely focused on technology.