Today I’d like to talk to you about the ISO/IEC standard families, using a concrete example.

I’ve just discovered that the ISO 27560 standard is available free of charge – take the opportunity to download it, and let’s talk about these standards.

ISO/IEC 27560 and ISO/IEC 29184 both deal with data protection consent, but belong to two different families. Why?

Consent – Source: https://mhlawqld.com.au

Objectives of both standards

ISO/IEC 29184:2020

This standard focuses on online privacy notices and consent.

It defines the requirements for the clear, comprehensible and transparent presentation of information to individuals (known as “PII principals”) on how their personal data (PII) is collected, used and managed.

It aims to ensure that consent is obtained in a fair, demonstrable, transparent, unambiguous and revocable manner.

It deals with how organizations should inform users via privacy notices, and how to request their consent.

It builds on the privacy framework of ISO/IEC 29100, in particular its principles on consent and transparency.

ISO/IEC TS 27560:2023

This technical specification is the technical complement to ISO/IEC 29184.

It defines an interoperable, open and extensible information structure for recording and managing consent given by individuals. It covers the creation, maintenance and exchange of consent records (detailed logs) and consent receipts (simplified receipts given to individuals as proof of consent).

The aim is to ensure traceability, management of the consent lifecycle, and secure exchange of this information between systems or entities.

In concrete terms, the standard tells us how to manage, technically and operationally, consent that has already been obtained.

Why two different families (27000 series vs. 29000 series)?

  • ISO/IEC 29184 is part of the 29000 series, which groups together standards relating to the protection of privacy and the management of personal data in a broader communication and information context. This series focuses on the policy, organizational and procedural aspects of privacy, including how to inform individuals and obtain their consent.
  • ISO/IEC 27560 belongs to the 27000 series, which is dedicated to information security. This series deals with technical aspects, security controls and mechanisms for protecting information. ISO 27560 fits into this series because it specifies technical requirements for the management, retention and secure exchange of consent records, which is an operational and technical aspect of data protection.

Origins and complementarity

  • ISO/IEC 29184 was published in 2020 to meet the need for an international standard defining how to inform individuals and obtain their consent in a clear way that complies with regulations such as the GDPR.
  • ISO/IEC TS 27560, published in 2023, complements it by providing a more technical, standardized way of managing these consents, notably as structured data (for example in JSON format), to facilitate compliance and interoperability between systems.

In short, ISO 29184 defines how to inform and request consent (communication and transparency aspects), while ISO 27560 defines how to record, manage and exchange evidence of consent (technical and security aspects). The fact that they belong to two different series reflects this distinction between the organizational (29000 series) and technical (27000 series) dimensions of personal data protection.
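To make the 27560 side of this distinction tangible, here is an added example (my own code, not part of the original post and not the schema defined by ISO/IEC TS 27560): a detailed consent record whose lifecycle events (consent given, consent withdrawn) are hash-chained for tamper evidence, and a simplified consent receipt derived from that record and authenticated with an HMAC so the principal can later prove what was agreed. All field names, the controller key, identifiers and timestamps are constructed assumptions for illustration; a real implementation would map them onto the structure the technical specification defines.

```python
"""Hypothetical consent record / consent receipt demo.

Added example, not from ISO/IEC TS 27560: field names and the integrity
mechanisms (hash chain, HMAC) are illustrative choices, not the standard's schema.
"""
import hashlib
import hmac
import json

# Assumed secret held by the PII controller to authenticate receipts (constructed, demo only).
CONTROLLER_KEY = b"demo-controller-key-not-for-production"
GENESIS_HASH = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON serialization so hashes/MACs are reproducible across systems."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def append_event(record: dict, event_type: str, timestamp: str, details: dict) -> dict:
    """Append a lifecycle event, chaining it to the previous event's hash (traceability)."""
    prev_hash = record["events"][-1]["event_hash"] if record["events"] else GENESIS_HASH
    event = {"type": event_type, "timestamp": timestamp, "details": details, "prev_hash": prev_hash}
    event["event_hash"] = hashlib.sha256(canonical(event)).hexdigest()
    record["events"].append(event)
    return event


def new_consent_record(record_id: str, principal_id: str, controller: dict,
                       purposes: list, timestamp: str, notice_version: str) -> dict:
    """Create the detailed consent record kept by the controller (the 'log' side of 27560)."""
    record = {
        "record_id": record_id,
        "pii_principal_id": principal_id,
        "pii_controller": controller,          # who is accountable for the processing
        "purposes": purposes,                  # hypothetical purpose entries, see demo()
        "events": [],                          # lifecycle: given, withdrawn, ...
    }
    # The notice version links the record back to the 29184-style notice that was shown.
    append_event(record, "consent_given", timestamp, {"method": "web_form", "notice_version": notice_version})
    return record


def consent_status(record: dict) -> str:
    """Derive the current status from the most recent lifecycle event."""
    last = record["events"][-1]["type"]
    return {"consent_given": "active", "consent_withdrawn": "withdrawn"}.get(last, "unknown")


def verify_chain(record: dict) -> bool:
    """Recompute every event hash and check each link; any edit to history breaks the chain."""
    prev_hash = GENESIS_HASH
    for event in record["events"]:
        if event["prev_hash"] != prev_hash:
            return False
        body = {k: v for k, v in event.items() if k != "event_hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != event["event_hash"]:
            return False
        prev_hash = event["event_hash"]
    return True


def issue_receipt(record: dict, key: bytes = CONTROLLER_KEY) -> dict:
    """Build the simplified receipt handed to the PII principal, authenticated with an HMAC."""
    receipt = {
        "record_id": record["record_id"],
        "pii_controller": record["pii_controller"]["name"],
        "purposes": [p["purpose_id"] for p in record["purposes"]],
        "status": consent_status(record),
        "issued_at": record["events"][-1]["timestamp"],
        # Binding the receipt to the record's latest event hash lets either side match the two later.
        "record_hash": record["events"][-1]["event_hash"],
    }
    receipt["mac"] = hmac.new(key, canonical(receipt), "sha256").hexdigest()
    return receipt


def verify_receipt(receipt: dict, key: bytes = CONTROLLER_KEY) -> bool:
    """Constant-time check that the receipt was issued with the controller key and is unmodified."""
    body = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, receipt.get("mac", ""))


def demo() -> dict:
    """Walk one consent through its lifecycle with constructed sample data."""
    purposes = [{"purpose_id": "newsletter", "description": "Monthly product newsletter",
                 "pii_categories": ["email"], "retention_days": 365}]
    controller = {"name": "Example SA", "contact": "privacy@example.com"}
    record = new_consent_record("rec-0001", "principal-42", controller, purposes,
                                "2024-05-01T10:00:00Z", "notice-v3")
    given_receipt = issue_receipt(record)
    append_event(record, "consent_withdrawn", "2024-06-15T09:30:00Z", {"method": "account_settings"})
    withdrawn_receipt = issue_receipt(record)
    tampered = dict(given_receipt)
    tampered["purposes"] = tampered["purposes"] + ["profiling"]   # principal never agreed to this
    return {"status": consent_status(record), "chain_ok": verify_chain(record),
            "given_receipt_ok": verify_receipt(given_receipt),
            "withdrawn_receipt_ok": verify_receipt(withdrawn_receipt),
            "tampered_receipt_ok": verify_receipt(tampered)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The split mirrors the two artefacts the post describes: the record is the controller's full evidence trail, the receipt is the small, verifiable proof the individual keeps. Chaining events rather than overwriting a status field is what gives the lifecycle its traceability, and the MAC (or, between organizations, a digital signature) is what makes exchanging the receipt with a third party meaningful.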


I invite you to click on “Follow” to continue learning more about information security and privacy topics.