The digitalisation of construction through the BIM methodology (Building Information Modelling) has exponentially improved efficiency, but also increased risks. Precisely for this reason, ISO 19650-5 — the international standard that specifically addresses information security in BIM environments — aims to protect sensitive information, critical infrastructure and strategic assets.
Unlike the rigid controls imposed by other standards, ISO 19650-5 proposes a proportional approach: security measures must be aligned with the real level of risk associated with each asset. Protecting a nuclear power station is not the same as protecting a residential building. In this way, unnecessary bureaucracy is avoided without compromising security.
The standard applies to any built asset (buildings, infrastructure, networks) whose information could compromise public security if disclosed. The safeguards required by the standard cover all phases of the asset's life cycle: from planning and design, through construction, to operation and maintenance.
ISO 19650-5 is founded on four key concepts:
- Sensitivity assessment: not all BIM information is critical. The standard establishes criteria for classifying data in order to prioritise efforts according to their level of risk.
- Risk assessment: identifies potential threats (cyberattacks, sabotage, terrorism), asset vulnerabilities and the impact of a possible security breach.
- Structured access control: includes permission management, the use of secure common data environments, exchange protocols and version traceability.
- Allocation of responsibilities: the standard defines clear roles for owners, project teams, security and information managers.

ISO 19650-5 forms part of the ISO 19650 series (which covers general concepts, the delivery phase and the operational phase) and aligns with cybersecurity frameworks such as ISO/IEC 27001. This enables organisations to incorporate BIM security into their overall data protection strategy.
Let us consider a practical example: an airport modelled in BIM contains structural drawings, electrical systems, evacuation routes and security protocols. If this information were leaked, it could facilitate an attack. ISO 19650-5 establishes how to identify such critical information, restrict access to it and control its distribution in order to mitigate risks.
To learn more, follow the links to our articles on Parts 1, 2, 3 and 4 of this standard:
- ISO 19650-1 for BIM, core principles
- ISO 19650-2 for BIM, more core principles
- ISO 19650-3 for BIM: information management in the operation phase
- ISO 19650-4 for information exchange in BIM methodology
By Eduardo Hernández García, Senior Structural Modeller in the Architecture Department of Amusement Logic



