Skip to Main Content
Main Menu

ISO 27550

The International Organization for Standardization (ISO) 27550, focuses on security techniques, establishes engineering guidelines designed to help entities to incorporate privacy engineering elements into various system lifecycle processes.

Who should use ISO 27550?

This voluntary international standard is directed towards engineers and practitioners involved in the development, implementation or operation of systems that need privacy consideration. Managers responsible for privacy, development, product management, marketing, and operations also find this standard beneficial.

Key obligations of ISO 27550

Risk management processes

Conduct a risk management process to identify, assess, and remediate systematic risks throughout the entire lifecycle of a system product and/or service.

Similarly, a supplementary analysis risk activity should be performed to: identify risks associated with processing personally identifiable information (PII) as well as any vulnerabilities of systems processing PII, estimate the possibility and consequences of each identified risk, and evaluate and prioritize mitigating the identified risk.

Implementation of data management controls

Entities must establish system infrastructures that enable granular control over PII to implement key privacy principles such as maintaining data quality and integrity, achieving data minimization, and implementing individuals privacy preferences. There should also be system controls to enable certain privileged stakeholders to administer changes to PII management and processing, and the fair treatment of individuals.

Safeguarding individual identities via disassociability

Disassociability is a method to actively conceal an individuals’ identity and/or activities from unnecessary exposure during processing or transactions involving PII. Disassociability can be achieved through deploying cryptographic techniques, including: anonymity, de-identification, unlinkability, unobservability, and pseudonymity.


Provide individuals with information regarding the entire system lifecycle that covers actual and planned processing activities, including: why PII is needed for processing, the purpose of processing, and whether PII will be disclosed to third-parties.


Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance


  • What are the data subject rights that I must comply with?

    ISO 27550 does not establish explicit requirements for entities to comply with data subject rights. However, entities are required to develop system functionalities that enable individuals to control their PII and privacy preferences, and intervene in all privacy related data processing activities (e.g. request for data erasure and withdraw consent to processing).

  • Is there an obligation to obtain consent from individuals prior to collecting their PII?

    No, ISO 27550 does not provide explicit obligations to seek consent prior to collecting and processing PII. However, as a best practice, entities should comply with relevant data protection and consent obligations in the jurisdiction where processing will take place.

  • Do I need to designate an internal data protection officer?

    ISO 27550 does not establish explicit requirements for entities to designate a data protection officer. However, entities are required to create a point of contact with supervisory authorities who can intervene in data processing activities by requesting or enforcing the blocking, erasure or destruction of data or even shutting off the system.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top