ISO/IEC 27556:2022 — Privacy Enhancing Technologies — Selection Framework

Structured multi-criteria decision framework for selecting Privacy Enhancing Technologies

1. The Need for a PET Selection Framework

ISO/IEC 27556:2022 addresses a fundamental challenge faced by privacy engineers and decision-makers: how to systematically select the most appropriate Privacy Enhancing Technology (PET) for a given use case. With the proliferation of PET options — from basic encryption to advanced cryptographic protocols, from anonymization techniques to system-level privacy architectures — organizations need a structured decision framework rather than relying on ad-hoc choices or vendor preferences. This standard provides exactly that: a multi-criteria decision analysis (MCDA) framework that evaluates PET candidates against weighted criteria derived from the organization’s specific privacy requirements, threat landscape, regulatory obligations, data characteristics, and operational constraints. While ISO/IEC 27555 catalogs available PETs and their properties, 27556 provides the methodology for choosing among them.

Think of 27555 as the PET catalog and 27556 as the decision algorithm — together they form a complete toolkit for privacy engineering.

2. The Selection Methodology

The standard defines a five-step selection methodology.

Step 1: Context Analysis — characterize the data processing scenario, including data types (structured, unstructured, streaming), sensitivity classification, processing purposes, data subjects’ expectations, and the operational environment (cloud, on-premises, hybrid).

Step 2: Threat Modeling — identify relevant privacy threats using a structured threat model (the standard provides a privacy-specific threat taxonomy aligned with the ISO/IEC 27551 and 27553 frameworks).

Step 3: Criteria Definition and Weighting — define selection criteria across multiple dimensions: privacy effectiveness (re-identification resistance, information leakage prevention), regulatory compliance (GDPR, CCPA, sector-specific), operational impact (latency, throughput, storage overhead, computational cost), maturity (standardization status, industry adoption, vendor ecosystem), usability (data subject experience, administrator complexity), and cost (licensing, infrastructure, expertise).

Step 4: Candidate PET Identification and Scoring — using the 27555 catalog, identify candidate PETs and score each against the weighted criteria.

Step 5: Decision and Implementation Planning — select the optimal PET or PET combination, document the rationale, and develop an implementation roadmap with validation milestones.

Step                 | Input                                      | Key Activities                                      | Output
---------------------|--------------------------------------------|-----------------------------------------------------|--------------------------------------
1. Context Analysis  | Processing use case, data inventory        | Characterize data flows, sensitivity, environment   | Context profile document
2. Threat Modeling   | Context profile, threat taxonomy           | Identify privacy threats per processing phase       | Threat register with severity ratings
3. Criteria Definition | Threat register, regulatory map          | Define and weight selection criteria                | Weighted criteria matrix
4. PET Scoring       | PET catalog (from 27555), criteria matrix  | Score each candidate PET                            | PET evaluation scorecard
5. Decision          | Scorecard, risk appetite, budget           | Select PET, plan implementation                     | Selection report + roadmap

The standard strongly warns against “PET anchoring” — the cognitive bias of selecting a familiar PET rather than the most appropriate one. The structured methodology is designed to counteract this bias by requiring objective, criteria-based evaluation.

3. Practical Application and Case Studies

ISO/IEC 27556 includes detailed application examples demonstrating the selection framework in action across diverse scenarios. For a healthcare data sharing platform sharing patient records for research, the threat model identified re-identification through linkage attacks as the primary risk. The weighted criteria prioritized privacy effectiveness (40%) and regulatory compliance (30%) over operational impact (20%) and cost (10%). Differential privacy with ε=1 combined with k-anonymity (k=10) scored highest, outperforming encryption-only approaches that would not prevent re-identification at the analysis stage. For a real-time fraud detection system processing financial transactions, latency was the dominant constraint. The selection favored lightweight pseudonymization combined with trusted execution environments (TEEs), rejecting homomorphic encryption due to its prohibitive latency overhead. For an IoT sensor network collecting environmental data with incidental PII, local differential privacy at the sensor node combined with secure aggregation at the edge gateway provided the optimal balance of privacy and bandwidth efficiency.

The case studies demonstrate that the “best” PET is rarely the strongest in absolute terms — the optimal choice balances privacy effectiveness with the operational realities of each specific deployment context.
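The weighted scoring of steps 3 and 4, applied to the healthcare case above, can be made concrete in a few dozen lines. The following is an added example and not code or text from ISO/IEC 27556 or from the page's author: the criterion names, the knock-out threshold on operational impact, and the per-PET raw scores (0..5) are constructed for illustration; only the 40/30/20/10 weights are taken from the healthcare case described above. The sensitivity check at the end goes slightly beyond the page: it re-runs the ranking with weight mass shifted between criteria, which is one practical way to show that a choice is not an artefact of weights tuned toward a familiar PET.

```python
"""Weighted-criteria PET scoring, modelled on steps 3 and 4 of the ISO/IEC 27556
methodology (criteria definition and weighting, candidate scoring).

Added example, not code from the standard. Criterion names, the knock-out
minimum and all per-PET raw scores are constructed; the 40/30/20/10 weights
mirror the healthcare case study."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float     # share of the total; all weights must sum to 1.0
    minimum: int = 0  # knock-out: a raw score below this rejects the candidate outright


@dataclass(frozen=True)
class Candidate:
    name: str
    scores: dict  # criterion name -> raw score on a 0..5 scale


def validate_criteria(criteria):
    """Fail loudly on a mis-weighted matrix instead of silently skewing the ranking."""
    total = sum(c.weight for c in criteria)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total:.3f}, expected 1.0")
    return True


def knockouts(candidate, criteria):
    """Names of criteria whose hard minimum the candidate fails (empty = admissible)."""
    return [c.name for c in criteria if candidate.scores[c.name] < c.minimum]


def weighted_score(candidate, criteria):
    """Weighted-sum score on the same 0..5 scale as the raw scores."""
    return round(sum(c.weight * candidate.scores[c.name] for c in criteria), 4)


def rank(candidates, criteria):
    """Return (admissible candidates ranked best-first, rejected candidates with reasons)."""
    validate_criteria(criteria)
    admitted, rejected = [], {}
    for cand in candidates:
        failed = knockouts(cand, criteria)
        if failed:
            rejected[cand.name] = failed
        else:
            admitted.append((cand.name, weighted_score(cand, criteria)))
    admitted.sort(key=lambda pair: pair[1], reverse=True)
    return admitted, rejected


def sensitivity(candidates, criteria, delta=0.1):
    """Set of top-ranked PET names when `delta` of weight is moved from any one
    criterion to any other. A single-element set means the decision survives that
    much disagreement about the weights."""
    winners = set()
    for i, j in permutations(range(len(criteria)), 2):
        if criteria[i].weight < delta:
            continue
        shifted = list(criteria)
        shifted[i] = Criterion(criteria[i].name, criteria[i].weight - delta, criteria[i].minimum)
        shifted[j] = Criterion(criteria[j].name, criteria[j].weight + delta, criteria[j].minimum)
        ranked, _ = rank(candidates, shifted)
        if ranked:
            winners.add(ranked[0][0])
    return winners


# Constructed healthcare scenario (weights from the case study; scores are assumptions).
HEALTHCARE_CRITERIA = (
    Criterion("privacy_effectiveness", 0.40),
    Criterion("regulatory_compliance", 0.30),
    Criterion("operational_impact", 0.20, minimum=1),  # constructed hard floor on latency/cost overhead
    Criterion("cost", 0.10),
)

HEALTHCARE_CANDIDATES = (
    Candidate("DP(eps=1)+k-anonymity(k=10)",
              {"privacy_effectiveness": 5, "regulatory_compliance": 5, "operational_impact": 3, "cost": 3}),
    Candidate("encryption-only",
              {"privacy_effectiveness": 2, "regulatory_compliance": 3, "operational_impact": 4, "cost": 4}),
    Candidate("homomorphic-encryption",
              {"privacy_effectiveness": 5, "regulatory_compliance": 4, "operational_impact": 0, "cost": 1}),
)


if __name__ == "__main__":
    ranked, rejected = rank(HEALTHCARE_CANDIDATES, HEALTHCARE_CRITERIA)
    for name, score in ranked:
        print(f"{score:.2f}  {name}")
    for name, reasons in rejected.items():
        print(f"rejected {name}: fails minimum on {', '.join(reasons)}")
    print("top choice under +/-0.1 weight shifts:", sensitivity(HEALTHCARE_CANDIDATES, HEALTHCARE_CRITERIA))
```

The knock-out threshold models the fraud-detection case in the same framework: a candidate that cannot meet a hard operational constraint is rejected before weighting, rather than being allowed to compensate with a high privacy score.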

4. Frequently Asked Questions

Q1: How does 27556 relate to 27555?
27555 provides the comprehensive catalog of available PETs with their properties, strengths, and limitations. 27556 provides the methodology for selecting among them. The standards are designed to be used together — 27556 references 27555’s PET taxonomy extensively.
Q2: Can the selection framework be applied to legacy systems?
Yes, with modifications. For legacy systems, the criteria weighting should account for integration difficulty and migration cost. The standard provides guidance on “retrofit PET selection” with modified criteria emphasizing backward compatibility and incremental deployment.
Q3: How often should the PET selection be revisited?
The standard recommends reassessment whenever there is a material change in: the processing context (new data types, new purposes), the threat landscape (new attack vectors, new re-identification techniques), regulatory requirements (new laws, new interpretations), or the PET landscape (new technologies reaching maturity).
Q4: What if no single PET meets all requirements?
The standard explicitly addresses this scenario through “PET composition” — combining multiple PETs in a layered architecture where each PET addresses specific privacy risks identified in the threat model. The methodology includes guidance on composing PETs and analyzing emergent properties of combined deployments.
