Information technology — Information security incident management — Part 2: Guidelines to plan and p...
Scope
This document provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the “plan and prepare” and “learn lessons” phases of the information security incident management phases model presented in ISO/IEC 27035-1:2023, 5.2 and 5.6.
The major points within the “plan and prepare” phase include:
— information…
Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services sup...
Scope
This document provides guidance for product and service acquirers, as well as suppliers of hardware, software and services, regarding:
a) gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered hardware, software, and services supply chains;
b) responding to risks stemming from this physically dispersed and multi-layered…
Information security, cybersecurity and privacy protection — Security and privacy requirements for a...
Scope
This document provides high-level security and privacy requirements and recommendations for authentication using biometrics on mobile devices, including security and privacy requirements and recommendations for functional components and for communication.
This document is applicable to cases in which the biometric data and derived biometric data do not leave the device, i.e. local modes
Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organ...
Scope
This document provides guidelines for organizational privacy risk management, extended from ISO 31000:2018.
This document provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an…
Information security, cybersecurity and privacy protection — Privacy enhancing data de-identificatio...
Scope
This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller’s behalf…
Information security, cybersecurity and privacy protection — Verification of cryptographic protocols...
Scope
This document establishes a framework for the verification of cryptographic protocol specifications according to academic and industry best practices.
Information technology — Security techniques — Guidelines for privacy impact assessment
Scope
This document gives guidelines for:
— a process on privacy impact assessments, and
— a structure and content of a PIA report.
It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations.
This document is relevant to those involved in designing or implementing projects, including the…
Information technology — Biometric presentation attack detection — Part 3: Testing and reporting
Scope
This document establishes:
— principles and methods for the performance assessment of presentation attack detection (PAD) mechanisms;
— reporting of testing results from evaluations of PAD mechanisms; and
— a classification of known attack types (Annex A).
Outside the scope are:
— standardization of specific PAD mechanisms;
— detailed information about countermeasures (i.e. anti-…
Information technology — Smart City ICT reference framework — Part 1: Smart city business process fr...
Scope
This document specifies a generic business process framework for a smart city, focusing solely on smart city-specific processes. Generic business processes common to smart cities and commercial organizations are identified but not detailed.