Published 2020 · UK Initiative

ISO 19650-5: Information Security

The security-minded approach to built environment information management — protecting sensitive infrastructure data from unauthorized access, modification or disclosure.

About ISO 19650-5

Published in 2020 and derived from the UK's earlier PAS 1192-5 specification, ISO 19650-5 addresses information security for built environment and construction projects. It adds a dimension the rest of the ISO 19650 series does not cover: the protection of sensitive information.

The standard matters most for critical infrastructure, public buildings and government facilities, where detailed technical information (layouts, access routes, security and building-control systems) becomes a security risk the moment it reaches the wrong hands.

Its aim is to prevent unauthorized access to, modification of, or disclosure of sensitive information throughout the entire asset lifecycle, not only during design and construction but also during operation.

Applicable to any project or asset that holds sensitive information
Commonly mandated by appointing parties for critical infrastructure and public facilities (an ISO standard is not binding by itself; it becomes a requirement when a client or regulation references it)
Complementary to ISO 27001 (information security management systems): ISO 27001 governs the organization's ISMS, ISO 19650-5 the security of information about a specific asset
Integration with national security requirements and classification schemes

Why Security in Construction?

Terrorism

Detailed information about critical structures (plans, access routes, security systems) can be exploited to plan physical attacks.

Industrial Espionage

Technical specifications and proprietary processes are targets for competitors seeking an unfair advantage.

Cyber Attacks

Unauthorized access to BIM systems or the CDE can expose sensitive project data, or silently alter it.

Data Theft

Personal data of occupants or financial data require special protection.

ISO 19650-5 Core Framework

Sensitivity Levels (4 Tiers)

ISO 19650-5 requires that information be classified by sensitivity and protected accordingly. The four-level scheme below is a common way to implement that requirement; each level carries its own protection and access control rules.

Tier 1

Public

Information available to the public. Site plans, non-sensitive data, marketing and presentation information.

Examples:

  • Exterior renders
  • General descriptions
  • Official publications

Tier 2

Restricted

Commercially sensitive information. Accessible only to the project team and authorized contractors.

Examples:

  • Detailed technical specifications
  • Cost data
  • Interior plans

Tier 3

Confidential

Operationally sensitive information. Accessible only to individuals with a demonstrated need to know, in addition to the appropriate role and screening.

Examples:

  • Security systems
  • Structural vulnerabilities
  • Personal data

Tier 4

Secret

National security implications. Special protocols, access limited to governmental level.

Examples:

  • Critical infrastructure
  • Government facilities
  • National defense

Security Assessment Process

The security-minded approach of ISO 19650-5 can be summarized as five steps for assessing and managing security risks.

1

Identification

What information assets exist? Inventory all documents, models and data sets in the project.

2

Assessment

What are the security implications? Analyze the potential impact of unauthorized disclosure or modification, and check for aggregation risk: items that are harmless on their own can become sensitive once combined (for example, a floor plan together with the locations of CCTV and access-control panels).

3

Classification

Assign a sensitivity level (Tier 1-4) to each type of information and define who may access it, by role and by need to know.

4

Protection

Implement technical and organizational controls: encryption, access control, handling procedures.

5

Monitoring

Periodic review of classifications (sensitivity can change, for example once a facility becomes operational), auditing of access logs, and updating of controls as threats change.

CDE Security Requirements

A CDE compliant with ISO 19650-5 must implement a minimum set of technical and organizational controls.

Role-Based Access Control

Each user accesses only the information necessary for their role and their project: the "least privilege" principle, with need to know enforced on top of the role. Deny by default; a role alone should never unlock a higher sensitivity tier.

Complete Audit Trail

Recording of all actions: who accessed which information, when, and what they did with it (view, download, edit, share), including denied attempts. The log must be tamper-evident and retained, since it is the evidence base for incident investigation.

Encryption at Rest and in Transit

Data encrypted both at rest and in transit. The standard does not prescribe algorithms; current practice is AES-256 at rest and TLS 1.3 (or TLS 1.2 with modern cipher suites) in transit. Note that this is not "end-to-end" encryption: the platform operator can still read the data, so key management and operator access are part of the threat model.

Secure Deletion

Deletion procedures that prevent recovery of deleted sensitive information, with evidence of deletion when a supplier's involvement ends. In cloud storage, where physical overwriting of media cannot be guaranteed, this is usually achieved by encrypting each item with its own key and destroying that key (crypto-shredding).

Personnel Verification

Screening procedures for personnel with access to Tier 3 and Tier 4 information.

Incident Response

Documented response plan for security breaches: detection, containment, notification (to the appointing party and, where personal data is involved, to the data protection authority), remediation and lessons learned.
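The access-control, audit-trail and monitoring requirements above, together with the classification and monitoring steps of the assessment process, worked into code. This is an added example written for this page, not code from ISO 19650-5 or from any CDE product; the tier names follow the scheme on this page, and the roles, user and document records and the `authorize`/`AuditLog` names are constructed assumptions.

```python
"""Added example: a minimal tier-based authorization layer for a CDE with a
hash-chained audit log. Illustrative code only, not part of ISO 19650-5 or of
any CDE product; tier names, roles and sample users are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Sensitivity levels as used on this page (the standard does not fix these names)."""
    PUBLIC = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    SECRET = 4


# Role -> actions the role may perform. A role alone never grants access to a tier.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: Tier            # highest tier the user has been screened for
    projects: frozenset[str]   # need to know: projects the user is appointed to


@dataclass(frozen=True)
class Document:
    doc_id: str
    project: str
    tier: Tier


class AuditLog:
    """Append-only log where each entry's hash covers the previous entry's hash,
    so editing or removing an earlier entry breaks the chain (tamper-evident)."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._digest(prev, event)
        self.entries.append({**event, "prev": prev, "hash": h})
        return h

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, event):
                return False
            prev = entry["hash"]
        return True


def authorize(user: User, doc: Document, action: str, log: AuditLog) -> bool:
    """Deny by default. ALLOW requires all three: the role permits the action,
    the user's clearance covers the document's tier, and (for anything above
    Public) the user is appointed to the document's project. Every decision,
    including a DENY, is written to the audit log."""
    allowed = (
        action in ROLE_ACTIONS.get(user.role, set())
        and user.clearance >= doc.tier
        and (doc.tier == Tier.PUBLIC or doc.project in user.projects)
    )
    log.append({
        "seq": len(log.entries),
        "user": user.name,
        "doc": doc.doc_id,
        "tier": doc.tier.name,
        "action": action,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


def users_with_repeated_denials(log: AuditLog, threshold: int = 2) -> set[str]:
    """Monitoring step: users whose DENY count reaches the threshold, for review."""
    counts: dict[str, int] = {}
    for entry in log.entries:
        if entry["decision"] == "DENY":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {u for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample data.
    log = AuditLog()
    alice = User("alice", "editor", Tier.CONFIDENTIAL, frozenset({"P1"}))
    bob = User("bob", "admin", Tier.RESTRICTED, frozenset({"P1"}))
    security_plan = Document("P1-SEC-001", "P1", Tier.CONFIDENTIAL)
    print(authorize(alice, security_plan, "write", log))   # True
    print(authorize(bob, security_plan, "read", log))      # False: admin, but not cleared for Tier 3
    print(log.verify())                                    # True
```

Two points the code makes that the prose only states: an "admin" who has not been screened for Tier 3 is refused just like anyone else, and a Public document skips the project check while everything above it does not. The hash chain only makes the log tamper-evident to someone holding an earlier hash; to make it effectively immutable, the latest hash must be anchored outside the CDE (exported to a separate store, or written to WORM storage) so that an operator cannot simply rewrite the whole chain.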

Security Management Plan

ISO 19650-5 requires the development of a Security Management Plan for each project or asset with sensitive information. The plan must include:

1
Information security classification framework
2
Access control matrix by roles and levels
3
Security incident response plan
4
Periodic security reviews (minimum annually)
5
Personnel security training program
6
Screening procedures for sensitive access
7
Information handling and transmission policies
8
Protocol for exchange with third parties / subcontractors

ISO 19650-5 in CDE 19650 Cloud

Granular Access Control

Permissions at folder, document and metadata field level. Configurable roles for each project.

AES-256 Encryption

All data encrypted at rest with AES-256 and in transit over TLS for every connection.

Immutable Audit Logs

Complete and immutable log of all actions. Export for compliance audits.

Secure Data Centers

Data stored in ISO 27001 certified data centers, within the EU, GDPR compliant.

GDPR Compliance

Personal data processed in accordance with Regulation (EU) 2016/679 (GDPR). A Data Processing Agreement (DPA) is available.

Penetration Testing

Periodic penetration tests performed by independent external firms. Reports available upon request.

CDE 19650 Cloud — by HEXCLOUD

Security Compliant with ISO 19650-5

CDE 19650 Cloud integrates all ISO 19650-5 requirements: granular access control, encryption, immutable audit logs and GDPR compliance — ready from day one.