< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27091 — Cybersecurity and Privacy — Artificial Intelligence — Privacy protection [DRAFT]

Abstract

[TBA]

Introduction

 By gathering and processing substantial quantities of information, AI/ML systems may erode privacy - for example by linking personal information from disparate sources back to individual people - unless appropriate privacy arrangements are made.

Scope of the standard

“[ISO/IEC 27091 will] provide guidance for organizations to address privacy risks in artificial intelligence (AI) systems and machine learning (ML) models. The guidance[will] help organizations identify privacy risks throughout the AI system lifecycle, and establish mechanisms to evaluate the consequences of and treat such risks.”

[Source: SC 27 project proposal]

Content of the standard

[TBA]

Status

The project started in 2023.

 It is at Working Draft stage and is due to be published in 2026.

Personal notes

The project proposal indicates that the standard will identify [generic] privacy risks applicable to AI/ML, and describe the corresponding privacy controls - in other words, the standard will promote a risk-based approach, which sounds good to me.

In line with the risk treatments noted ISO/IEC 27005, I hope it will also mention the possibility of accepting, sharing or avoiding privacy risks, aside from mitigating them with privacy controls.

< Previous standard      ^ Up a level ^      Next standard >