

ISO/IEC 27091 — Cybersecurity and Privacy — Artificial Intelligence Privacy protection [DRAFT]

Info (April): By gathering and processing substantial quantities of information, AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people - unless appropriate privacy arrangements are made.


Scope of the standard

“[ISO/IEC 27091 will] provide guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance [will] help organizations identify privacy risks throughout the AI system lifecycle, and establish mechanisms to evaluate the consequences of and treat such risks.”
[Source: SC 27 project proposal]


Content of the standard

The project started in 2023.

Status update (April): It is at Working Draft stage and is due to be published in 2026.


Personal notes

The project proposal indicates that the standard will identify [generic] privacy risks applicable to AI/ML, and describe the corresponding privacy controls - in other words, the standard will promote a risk-based approach, which sounds good to me.

In line with the risk treatments noted in ISO/IEC 27005, I hope it will also mention the possibility of accepting, sharing or avoiding privacy risks, aside from mitigating them with privacy controls.



Copyright © 2023 IsecT Ltd.