< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27091 — Cybersecurity and privacy — Artificial Intelligence — Privacy protection [DRAFT]

Abstract

“ISO/IEC 27091 provides guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance in [ISO/IEC 27091] helps organizations identify privacy risks throughout the AI system lifecycle, and establishes mechanisms to evaluate the consequences of and treat such risks ...”

[Source: ISO/IEC JTC 1/SC 27 SD11 Jan 2025]

Introduction

By gathering and processing substantial quantities of information, AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people - unless appropriate privacy arrangements are made.

Scope of the standard

Applies to organisations that develop or use AI systems.

Content of the standard

[TBA]

Status

The standard development project started in 2023.

The standard is at Working Draft stage and is due to be published at the end of 2026.

Personal comments

The project proposal indicates that the standard will identify privacy risks typically applicable to AI/ML, and describe the corresponding privacy controls - in other words, the standard will promote a risk-based approach, which sounds good to me.

In line with the risk treatments noted ISO/IEC 27005, I hope it will also mention the possibility of accepting, sharing or avoiding privacy risks, aside from mitigating them with privacy controls.

< Previous standard      ^ Up a level ^      Next standard >