IT security

Subject areas: IT security
Committee designation: SIS/TK 421 (Artificial intelligence)
Source: CEN
Response date: 1 Jul 2026

This document addresses organizational and technical solutions aimed at ensuring the cybersecurity of high-risk AI systems over the life cycle, appropriate to the relevant circumstances and the risks. The technical solutions to address AI-specific vulnerabilities include, where appropriate, measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training dataset (data poisoning), or pre-trained components used in training (model poisoning), inputs designed to cause the model to make a mistake (adversarial examples or model evasion), confidentiality attacks or model flaws. This document provides objective criteria to enable decisions on whether a given technical or organizational solution adequately achieves a given vulnerability-related goal.

Subject areas: IT security
Committee designation: SIS/TK 318 (Information security, cybersecurity and privacy protection)
Source: CEN
Response date: 12 Jul 2026

This document specifies refinements for an application of EN ISO/IEC 27701 in a European context. This document is applicable to the same entities as is ISO/IEC 27701: all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors. An organization can use this document for the implementation of the generic requirements and controls of EN ISO/IEC 27701 according to its context and its applicable obligations. Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a privacy information management system according to EN ISO/IEC 27701, which can be combined with certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.

Subject areas: IT security
Committee designation: SIS/TK 318 (Information security, cybersecurity and privacy protection)
Source: CEN
Response date: 17 Jul 2026

This document:

- defines terms for identity management and specifies core concepts of identity and identity management, and their relationships;
- is applicable to any information system where information relating to identity is processed or stored;
- is considered to be a horizontal document for the following reasons:
  - it applies concepts such as distinguishing the term “identity” from the term “identifier” on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  - it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.

Subject areas: IT security
Committee designation: SIS/TK 318 (Information security, cybersecurity and privacy protection)
Source: CEN
Response date: 17 Jul 2026

This document:

- provides guidelines for the implementation of systems for the management of identity information;
- specifies requirements for the implementation and operation of a framework for identity management;
- is applicable to any information system where information relating to identity is processed or stored;
- is considered to be a horizontal document for the following reasons:
  - it applies concepts such as distinguishing the term "identity" from the term "identifier" on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  - it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.

Committee designation: SIS/TK 318 (Information security, cybersecurity and privacy protection)
Source: CEN
Response date: 17 Jul 2026

- provides requirements and guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2;
- is applicable to any information system where information relating to identity is processed or stored;
- is considered to be a horizontal document for the following reasons:
  - it applies concepts such as distinguishing the term “identity” from the term “identifier” on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  - it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.

Subject areas: IT security
Committee designation: SIS/TK 318 (Information security, cybersecurity and privacy protection)
Source: CEN
Response date: 28 Jul 2026

This document contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organizations by specifying:

- a harmonized terminology for PII deletion;
- an approach for defining deletion rules in an efficient way;
- a description of required documentation;
- a broad definition of roles, responsibilities and processes.

This document is intended to be used by organizations where PII is stored or processed.

This document does not address:

- specific legal provision, as given by national law or specified in contracts;
- specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII;
- deletion mechanisms;
- reliability, security and suitability of deletion mechanisms;
- specific techniques for de-identification of data.

Subject areas: IT security
Committee designation: SIS/TK 611/AG 04 (Data management (incl. Big Data))
Source: CEN
Response date: 29 Jul 2026

This document specifies requirements and guidance for the interoperability of data, data sharing mechanisms, and services within data spaces. It covers requirements, criteria and implementation guidance on:

- dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty, and on machine-readable formats to find, access and use data;
- data structures, data formats, vocabularies, classification schemes, taxonomies and code lists, and how to describe these elements in a publicly available and consistent manner;
- technical means to access the data, such as application programming interfaces, and their terms of use and quality of service to enable automatic access and transmission of data between parties;
- where applicable, the means to enable the interoperability of tools for automating the execution of data sharing contracts.

This document is applicable to all organizations participating in data spaces, regardless of their size or type.

Committee designation: SIS/TK 421 (Artificial intelligence)
Source: CEN
Response date: 5 Aug 2026

This document provides terminology, concepts, requirements, and guidance for logging of AI systems. It is primarily intended for organizations placing on the market or putting into service AI systems and is not specific to any particular sector.