ISO/IEC 27045 — Information technology — Big data security and privacy Processes [DRAFT]


This standard aims to improve organizations’ capabilities for security and privacy around big data.


Scope and purpose

The standard will deliver a process reference model, assessment and maturity models for big data security and privacy.

The models will focus on the architecture of the processes used to achieve big data security and privacy, particularly the maturity of those processes.

The processes will include a set of indicators of process performance and process capability to be used as a basis for collecting objective evidence, enabling an assessor to assign ratings.


Content of the standard

The processes may be:

  • Organisational, such as compliance management, data sharing agreements, governance of big data, data asset management and data supply chain management;
  • Technical, such as data source verification and recording, big data de-identification, instrumenting for data traceability and big data analytical security;
  • Managerial, such as metadata management, data rights management, big data incident management, big data risk management, data quality management, data categorization and classification, data disposal management, and logging and auditing.


Status of the standard

The project started in 2018.

It is currently at 4th Working Draft stage and is due to be published in 2022.


Personal comments

We do not know, yet, precisely what is meant by “big data” since the term is presently undefined, although 30 other terms are formally defined.

The initial proposal referred to mobile Internet, IoT and cloud leading to big data, and was angled towards addressing security and privacy issues arising from the sharing of data across those realms.

In the context of this standard, big data may mean:

  • Conventional but large, complex, high-volume IT systems;
  • Extensive networks of IT systems;
  • Truly colossal data sets that are too big and too dynamic for conventional database systems; or
  • Something else entirely.

The WD3 draft introduction states, enigmatically:

    “The emerging big data technologies are extensively used in all industries all over the world, and it’s widely accepted that business development today is achieved by big data to some extent. We are working and living in a big data environment. How to protect data security in big data environment? It is a challenge to all organizations in big data environment. These organizations are on the way of utilizing big data technologies to manage their data and extract important value from big data by providing big data services or providing better business services via big data’s help. Based on these business needs, organizations have to face the new security risks in the relevant business processes, and big data security is the new security goal for organizations in big data environment.

    Big data security and privacy is a relatively new area in security industry. Big data security is not the security of big data technology, but rather the data security in a big data environment. Compared with information security, data security is focusing on the appropriate protection to data value, instead of unified security countermeasures to a specific information system. In the big data environment, new business scenarios utilizing big data technologies raise big data security risks. Data security risks are also required to be handled within acceptable tolerance levels.”

We shall see how it turns out.




Copyright © 2020 IsecT Ltd.