Behind the Scenes of ISO/IEC Privacy Standards: Expert Insights from Prof. Chris Mitchell

In a rare behind-the-scenes look into international privacy standardization, Professor Chris Mitchell—cryptography expert and long-time ISO/IEC contributor—shared his in-depth perspective on the creation and evolution of privacy and security standards. With over three decades of experience contributing to ISO/IEC standards, including as editor of pivotal documents such as ISO/IEC 20889 and ISO/IEC 27108, Prof. Mitchell offers a unique window into how privacy standards are developed, revised, and applied globally.

This article summarizes the key takeaways from his expert interview, providing valuable context for cybersecurity professionals, privacy officers, and organizations seeking to understand or contribute to the ISO/IEC ecosystem.


Prof. Chris Mitchell: A Veteran in Standards Development

Prof. Mitchell’s early work involved cryptographic standards for secure email (X.400/X.500) and public key infrastructure (X.509), but his more recent focus has shifted toward privacy—particularly data de-identification and privacy in cloud environments.

He served as editor for:

  • ISO/IEC 20889: A taxonomy and framework for data de-identification techniques
  • ISO/IEC 27108: Privacy protection in public cloud services acting as processors of PII



Understanding the Lifecycle of an ISO/IEC Standard

Prof. Mitchell described the multi-year process of standard development in detail:

  1. Preliminary Work Item: Proposed by national bodies to address an identified need
  2. New Work Item Proposal: Outlines the scope and rationale; must gain consensus and participation
  3. Working Draft to Final Publication:
    • Working Draft (WD)
    • Committee Draft (CD)
    • Draft International Standard (DIS)
    • Final Draft International Standard (FDIS)
    • Published ISO Standard

Typical Duration: 3–5 years
Challenge: Balancing technical accuracy with international consensus, often requiring hundreds (or thousands) of formal comments to be resolved


ISO/IEC 27701: A Cornerstone for Privacy Management

According to Prof. Mitchell, ISO/IEC 27701 is one of the most significant privacy-related standards in recent years. As an extension of ISO/IEC 27001 and 27002, it:

  • Introduces the Privacy Information Management System (PIMS)
  • Provides controls for both data controllers and processors
  • Offers a globally recognized basis for alignment with privacy laws such as the GDPR and the CCPA

He also revealed that ISO/IEC 27701 is undergoing a major revision, prompted by the restructuring of ISO/IEC 27002. A new version is expected by mid-2025, and it will likely include a complete structural overhaul to remain aligned with the latest security control frameworks.



The Role of Editors and National Committees

Prof. Mitchell explained the critical but humble role of editors: synthesizing feedback from national standards bodies, chairing working groups, and updating drafts based on consensus—not personal opinion.

“As editor, you’re essentially the slave of the committee,” he joked, adding that precision in language, especially for multilingual standards, is essential.

The UK shadow committee (IST/33/5), which Mitchell attended regularly, mirrors ISO’s internal work and helps form the UK’s stance on international standards. Similar committees exist in other countries, and they influence what changes are proposed or accepted.


How to Get Involved in Standards Work

For privacy researchers or professionals interested in contributing to standards:

  • Join national committees (e.g., BSI in the UK, ANSI in the US)
  • Contribute via liaison roles (universities, companies, or research groups)
  • Participate in public comment periods or attend technical meetings through affiliation

Each organization—whether ISO, ETSI, ITU, or IETF—has its own membership structures and governance models. For ISO, participation is usually routed through national standards bodies.



The Hidden Complexity of Consensus

While standards might seem dry or bureaucratic, Mitchell emphasized the intellectual challenge and collaborative diplomacy involved. Many disputes center on terminology and on how clearly a requirement can be implemented. Reaching consensus is more about avoiding disagreement than securing universal approval.

“The best we typically aim for is everyone not being too unhappy,” Mitchell noted.


Final Thoughts

Prof. Chris Mitchell’s insights highlight the rigor, collaboration, and global relevance of ISO/IEC privacy standards. Whether you’re implementing a PIMS, navigating a GDPR compliance program, or seeking to contribute to future standards, understanding this process can empower your role in the evolving data privacy landscape.
