ISO/IEC 27556



ISO/IEC 27556 — Information security, cybersecurity and privacy protection — User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences [DRAFT]



“ICT systems handling PII should implement privacy control mechanisms with regard to the concept of Privacy-by-Design. In order to implement effective privacy control mechanisms in ICT systems, data handling should be controlled by privacy preferences input by PII principals, including consent information. Therefore, this document provides a user-centric framework for PII handling based on privacy preferences.”
[Source: SC 27 Standing Document 11 (2021)]


The standard will lay out a “user-centric framework” (an architecture) to handle personal information in a controlled manner in accordance with the privacy-by-design and other requirements of applicable privacy laws and regulations.

The standard outlines a mechanism for organisations handling personal data to comply with the data subject’s privacy requirements, even as they share and collaborate on processing the data.


Scope of the standard

The standard will describe a generic high-level system architecture without specifying the content and format of privacy preference information.

The architecture, in turn, will inform the design and implementation of IT systems handling personal information and communicating it between organisations, while managing the privacy preferences of data subjects (known as ‘PII Principals’ in the standard, i.e. the people whose personal information is being handled).

The standard will expand upon ISO/IEC 29100 “Privacy framework”.


Content of the standard




SC 27 started drafting the standard in 2019.

The standard was due to be published in 2022. It will take longer than expected to address substantive comments and a new use case, hence an extension of this project’s deadline has been sought: publication is now expected early in 2023.

It is at 3rd Committee Draft stage.


Personal notes




Copyright © 2022 IsecT Ltd.