ISO/IEC DIS 29151.2:2025(en)
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Date: 2025-04-15
Information security, cybersecurity and privacy protection — Controls and guidance for personally identifiable information protection
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
3 Terms, definitions and abbreviated terms
4.2 Requirement for the protection of PII
4.3 Controls derived from privacy risk assessment
4.5 Developing organization specific guidelines
4.6 Life cycle considerations
4.7 Structure of this document
5.1 Policies for information security
5.2 Information security roles and responsibilities
5.4 Management responsibilities
5.5 Contact with authorities
5.6 Contact with special interest groups
5.8 Information security in project management
5.9 Inventory of information and other associated assets
5.10 Acceptable use of information and other associated assets
5.12 Classification of information
5.13 Labelling of information
5.17 Authentication information
5.19 Information security in supplier relationships
5.20 Addressing information security within supplier agreements
5.21 Managing information security in the ICT supply chain
5.22 Monitoring, review and change management of supplier services
5.23 Information security for use of cloud services
5.24 Information security incident management planning and preparation
5.25 Assessment and decision on information security events
5.26 Response to information security incidents
5.27 Learning from information security incidents
5.28 Collection of evidence
5.29 Information security during disruption
5.30 ICT readiness for business continuity
5.31 Legal, statutory, regulatory and contractual requirements
5.32 Intellectual property rights
5.34 Privacy and protection of PII
5.35 Independent review of information security
5.36 Conformance with policies, rules and standards for information security
5.37 Documented operating procedures
6.2 Terms and conditions of employment
6.3 Information security awareness, education and training
6.5 Responsibilities after termination or change of employment
6.6 Confidentiality or non-disclosure agreements
6.8 Information security event reporting
7.1 Physical security perimeters
7.3 Securing offices, rooms and facilities
7.4 Physical security monitoring
7.5 Protecting against physical and environmental threats
7.6 Working in secure areas
7.7 Clear desk and clear screen
7.8 Equipment siting and protection
7.9 Security of assets off-premises
7.14 Secure disposal or re-use of equipment
8.2 Privileged access rights
8.3 Information access restriction
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.12 Data leakage prevention
8.14 Redundancy of information processing facilities
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.21 Security of network services
8.22 Segregation of networks
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.34 Protection of information systems during audit testing
Annex A (normative) Extended control set for PII protection
A.2 General policies for the use and protection of PII
A.4 Purpose legitimacy and specification
A.7 Use, retention and disclosure limitation
A.9 Openness, transparency and notice
A.10 PII principal participation and access
Annex B (informative) Correspondence between this document and ISO/IEC 29151:2017
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13 Cybersecurity and Data Protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).
This second edition replaces the first edition (ISO/IEC 29151:2017), which has been technically revised.
The main changes are as follows: the document replaces ISO/IEC 29151:2017 in whole. Because ISO/IEC 27002 was revised in 2022, this edition changes the content of the guidance for security controls in the main text and additionally modifies the privacy controls in Annex A.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Information security, cybersecurity and privacy protection, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.1058.
Introduction
The number of organizations processing personally identifiable information (PII) is increasing, as is the amount of PII that these organizations deal with. At the same time, societal expectations for the protection of PII and the security of data relating to individuals are also increasing. A number of countries are augmenting their laws to address the increased number of high-profile data breaches.
As the number of PII breaches increases, organizations collecting or processing PII will increasingly need guidance on how they should protect PII in order to reduce the risk of privacy breaches occurring, and to reduce the impact of breaches on the organization and on the individuals concerned. This document provides such guidance.
This document offers guidance for PII controllers on a broad range of information security and PII protection controls that are commonly applied in many different organizations that deal with the protection of PII. Other standards that provide guidance or requirements on other aspects of the overall process of protecting PII are as follows:
— ISO/IEC 27001 specifies an information security management system, which is a suitable foundation for protecting any information, including PII.
— ISO/IEC 27002 provides guidelines for organizational, people-related, physical and technological information security controls that can be used for the protection of all kinds of information, including PII.
— ISO/IEC 27005 provides guidance to assist organizations to address information security risks and perform information security risk management activities, specifically information security risk assessment and treatment.
— ISO/IEC 27018 offers guidance to organizations acting as PII processors when offering processing capabilities as cloud services.
— ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
— ISO/IEC 29100 provides a privacy framework which: specifies a common privacy terminology, defines the actors and their roles in processing personally identifiable information (PII), describes privacy safeguarding considerations, and provides references to known privacy principles for information technology.
— ISO/IEC 29134 provides guidelines for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII), while ISO/IEC 27001 together with ISO/IEC 27005 provides guidance to perform information security risk management activities.
Controls are chosen based on the risks identified as a result of a risk analysis to develop a comprehensive, consistent system of controls. Controls are adapted to the context of the particular processing of PII.
This document contains two parts:
— the main body consisting of Clauses 1 to 8;
— Annexes A and B.
The structure of the main body of this document, including the clause titles, reflects the main body of ISO/IEC 27002:2022, which serves as the basis for the PII-specific extensions developed here. The Introduction and Clauses 1 to 4 provide background on the use of this document. The titles of the subclauses in Clauses 5 to 8 mirror those of ISO/IEC 27002:2022, reflecting the fact that this document builds on the guidance in ISO/IEC 27002:2022 and adds new controls specific to the protection of PII. Many of the controls in ISO/IEC 27002:2022 do not require amplification in the context of PII controllers. However, in some cases additional implementation guidance is needed, and this is given under the appropriate heading (and clause number) from ISO/IEC 27002:2022.
Annex A contains an extended set of PII protection-specific controls. These new PII protection controls, with their associated guidance, are divided into twelve categories, corresponding to the privacy policy and the eleven privacy principles of ISO/IEC 29100:
— consent and choice;
— purpose, legitimacy and specification;
— collection limitation;
— data minimization;
— use, retention and disclosure limitation;
— accuracy and quality;
— openness, transparency and notice;
— individual participation and access;
— accountability;
— information security; and
— privacy compliance.
Figure 1 describes the relationship between this document and other International Standards.
Figure 1 — Relationship between this document and other International Standards
This document includes guidance based on ISO/IEC 27002. The guidance is adapted as necessary to address the privacy needs that arise from the processing of PII:
a) in different processing domains such as:
— public cloud services,
— social networking applications,
— internet-connected devices in the home,
— search, analysis,
— targeting of PII for advertising and similar purposes,
— big data analytics programmes,
— employment processing,
— business management in sales and service (enterprise resource planning, customer relationship management);
b) in different locations such as:
— on a personal processing platform provided to an individual (e.g. smart cards, smart phones and their apps, smart meters, wearable devices),
— within data transportation and collection networks (e.g. where mobile phone location data is created operationally by network processing, which may be considered PII in some jurisdictions),
— within an organization's own processing infrastructure,
— on a third party's processing platform;
c) for the collection characteristic such as:
— one-time data collection (e.g. on registering for a service),
— ongoing data collection (e.g. frequent health parameter monitoring by sensors on or in an individual's body, multiple data collections using contactless payment cards for payment, smart meter data collection systems).
Ongoing data collection can contain or yield behavioural, locational and other types of PII. In such cases, the use of PII protection controls that allow access and collection to be managed based on consent, and that allow the PII principal to exercise appropriate control over such access and collection, should be considered.
Information security, cybersecurity and privacy protection – Controls and guidance for personally identifiable information protection
1 Scope
This Recommendation | International Standard establishes controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).
In particular, this Recommendation | International Standard specifies guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).
This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls
ISO/IEC 29100:2024, Information technology — Security techniques — Privacy framework
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27002, ISO/IEC 29100 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
chief privacy officer
CPO
senior management individual who is accountable for the protection of personally identifiable information (PII) (3.1.4) in an organization (3.1.3)
3.1.2
de-identification
process of removing the association between a set of identifying data and the data principal, using de-identification techniques
3.1.3
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.1.4
personally identifiable information
PII
information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person
Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.6). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
[SOURCE: ISO/IEC 29100:2024, 3.7]
3.1.5
PII controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) (3.1.4) other than natural persons who use data for personal purposes
Note 1 to entry: A PII controller sometimes instructs others [e.g. PII processors (3.1.7)] to process PII on its behalf while the responsibility for the processing remains with the PII controller.
[SOURCE: ISO/IEC 29100:2024, 3.8]
3.1.6
PII principal, data subject
natural person to whom the personally identifiable information (PII) (3.1.4) relates
[SOURCE: ISO/IEC 29100:2024, 3.9]
3.1.7
PII processor
privacy stakeholder that processes personally identifiable information (PII) (3.1.4) on behalf of and in accordance with the instructions of a PII controller (3.1.5)
[SOURCE: ISO/IEC 29100:2024, 3.10]
3.2 Abbreviated terms
For the purposes of this document, the following abbreviations apply.
CPO | chief privacy officer |
PIA | privacy impact assessment |
PII | personally identifiable information |
4 Overview
4.1 Protection of PII
This document provides a set of controls for PII protection. The objective of the controls for protection of PII is to enable organizations to put in place a set of controls as part of their overall PII protection programme. Controls can be used in a framework for demonstrating compliance with privacy-related laws and regulations, managing privacy risks and meeting the expectations of PII principals, regulators or clients, in accordance with the privacy principles described in ISO/IEC 29100.
4.2 Requirement for the protection of PII
An organization should identify its PII protection requirements. ISO/IEC 29100:2024 can be applied to identify PII protection requirements. There are four main factors of PII protection requirements:
— legal and regulatory factors for the safeguarding of the PII principal’s privacy and the protection of their PII;
— contractual factors such as agreements between and among several different actors, company policies and binding corporate rules;
— risk assessment findings: privacy risk assessment is a systematic process that evaluates the potential risks to the PII principal’s privacy. A privacy risk assessment takes into account the external and internal context, which can be determined from the business strategy and objectives; and
— corporate policies: an organization can also choose voluntarily to go beyond the criteria that are derived from previous requirements.
PII protection controls (including information security controls) should be selected on the basis of a risk assessment. The results of a privacy impact assessment (PIA), as specified in ISO/IEC 29134, can help determine, prioritize and implement the appropriate controls for managing risks to the protection of PII.
ISO/IEC 29134 provides PIA guidance, including advice on privacy risk assessment, the privacy risk treatment plan, privacy risk acceptance and privacy risk review.
4.3 Controls derived from privacy risk assessment
Privacy risk assessment is a process that identifies and evaluates potential risks to the PII principal’s privacy. It helps organizations protect the confidentiality, integrity and availability of PII. A data breach can cause significant harm to both organizations and individuals. Organizations should identify and implement controls to treat the risks identified by the risk assessment process. The privacy risk assessment report should describe at least the system requirements, system design and operational plans and procedures. ISO/IEC 29134 provides information on what should be documented in a privacy risk assessment. Some jurisdictions require privacy risk assessments depending on the level of risk of the PII processing, the nature of the organization (e.g. government agencies), etc.
4.4 Selecting controls
Controls can be selected from this document which includes by reference the controls from ISO/IEC 27002, creating a combined reference control set. If required, controls can also be selected from other control sets or new controls can be designed to meet specific needs, as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk treatment options and the general risk management approach, applied to the organization and, through contractual agreements, to its customers and suppliers.
NOTE Legal requirements can also apply to the selection of controls. Organizations shall consider the control set for PII protection in Annex A when selecting controls to implement the privacy risk treatment option(s) chosen.
The selection and implementation of controls is also dependent upon the organization's role in the provision of infrastructure or services. Many different organizations may be involved in providing infrastructure or services. In some circumstances, selected controls may be unique to a particular organization. In other instances, there may be shared roles in implementing controls. Contractual agreements should clearly specify the PII protection responsibilities of all organizations involved in providing or using the services.
The controls in this document can be used as reference for organizations that process PII, and are intended to be applicable for all organizations acting as PII controllers. Organizations acting as PII processors should apply the controls in this document, according to the instructions of the PII controller. PII controllers should ensure that their PII processors are able to implement all the necessary controls included in their PII processing agreement, in accordance with the purpose of PII processing. PII controllers using cloud services as PII processors may review ISO/IEC 27018 to identify relevant controls to implement.
The controls in this document are explained in more detail in Clauses 5 to 8, along with implementation guidance. Implementation may be made simpler if requirements for the protection of PII have been considered in the design of the organization's information systems, services and operations. Such consideration is an element of the concept that is often called privacy by design (PBD). More information about selecting controls and other risk treatment options can be found in ISO/IEC 29134. Other relevant references are listed in [1] to [15] in the bibliography.
4.5 Developing organization specific guidelines
This document can be regarded as a starting point for developing organization specific guidelines. Not all of the controls and guidance in this document are applicable to every organization.
Furthermore, additional controls and guidelines not included in this document can be required. When other documents are developed containing additional guidelines or controls, it can be useful to include cross-references to the clauses in this document, where applicable, to facilitate compliance checking for auditors and business partners.
4.6 Life cycle considerations
PII has a natural life cycle, from creation or origination, collection, through to storage, use and transfer to its eventual disposal (e.g. secure destruction). The value of, and risks to, PII may vary during its life cycle, but protection of PII remains important at all stages and in all contexts of its life cycle.
Information systems also have life cycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained, and eventually retired from service and disposed of. PII protection should also be taken into account at each of these stages. New system developments and changes to existing systems present opportunities for organizations to update and improve information security controls as well as controls for the protection of PII, taking actual incidents, and current and projected information security and privacy risks into account.
4.7 Structure of this document
Control descriptions in ISO/IEC 27002:2022 are structured as follows. Each control has the following elements:
a) control title: short name of the control;
b) attribute table: a table showing the value(s) of each attribute for the given control;
c) control: what the control is;
d) purpose: why the control should be implemented;
e) guidance: how the control should be implemented;
f) other information: explanatory text or references to other related documents.
Subheadings are used in the guidance text for some controls to aid readability where guidance is lengthy and addresses multiple topics. Such headings are not necessarily used in all guidance text. Subheadings are underlined.
Clauses 5 to 8 contain additional guidance and other information for certain relevant existing controls described in ISO/IEC 27002. Clauses 5 to 8 use the relevant clause headings and numbering from ISO/IEC 27002 to allow cross-reference to ISO/IEC 27002.
Specifically, the following rules have been used in mirroring the controls in ISO/IEC 27002:2022 in this document.
— In cases where the various elements of the control layout (described in clause 4.2) for a control are identical, only a reference is provided to the corresponding control in ISO/IEC 27002:2022.
— For controls that require additional guidance and related information in the context of PII protection, additional guidance is provided under the headings “Guidance for the protection of PII” and “Other information for the protection of PII” respectively. This type of guidance is also referred to using the term “PII protection-specific implementation guidance”.
— The clause numbers in this document are aligned with the corresponding clause numbers in ISO/IEC 27002:2022.
Annex A contains a specific control set for PII protection, following the structure of ISO/IEC 27002. It uses the same format as ISO/IEC 27002, which specifies each control followed by its purpose, guidance and other information that can be relevant.
NOTE Annex B provides the correspondence of ISO/IEC 29151:202X (this document) with ISO/IEC 29151:2017.
Control descriptions are structured as follows.
Control title
Short name of the control
Control
What the control is.
Purpose
Why the control should be implemented
Guidance for the protection of PII
The text under this heading provides more detailed information to support the implementation of the control and meeting the control objectives. It is possible that the guidance provided in this document is not entirely suitable or sufficient in all situations and does not fulfil the organization's specific control requirements. Alternative or additional controls, or other forms of risk treatment (avoiding or transferring risks), can therefore be appropriate.
Other information for the protection of PII
The text under this heading provides further information for consideration, such as legal considerations and references to other standards.
Table 1 provides the location of PII protection specific guidance and other information for implementing controls in ISO/IEC 27002:2022.
Table 1 — Location of PII protection specific guidance and other information for implementing controls in ISO/IEC 27002:2022
ISO/IEC 27002:2022 Control identifier | ISO/IEC 27002:2022 Control name | Remarks |
Clause 5 – Organizational controls | ||
5.1 | Policies for information security | Guidance for the protection of PII is provided. |
5.2 | Information security roles and responsibilities | Guidance for the protection of PII is provided. |
5.3 | Segregation of duties | Guidance for the protection of PII is provided. |
5.4 | Management responsibilities | No guidance or other information is provided. |
5.5 | Contact with authorities | Guidance for the protection of PII is provided. |
5.6 | Contact with special interest groups | No guidance or other information is provided. |
5.7 * | Threat intelligence | No guidance or other information is provided. |
5.8 | Information security in project management | No guidance or other information is provided. |
5.9 | Inventory of information and other associated assets | Guidance for the protection of PII is provided. |
5.10 | Acceptable use of information and other associated assets | Guidance for the protection of PII is provided. |
5.11 | Return of assets | No guidance or other information is provided. |
5.12 | Classification of information | Guidance for the protection of PII is provided. |
5.13 | Labelling of information | Guidance for the protection of PII is provided. |
5.14 | Information transfer | Guidance for the protection of PII is provided. |
5.15 | Access control | No guidance or other information is provided. |
5.16 | Identity management | Guidance for the protection of PII is provided. |
5.17 | Authentication information | No guidance or other information is provided. |
5.18 | Access rights | Guidance for the protection of PII is provided. |
5.19 | Information security in supplier relationships | Guidance for the protection of PII is provided. |
5.20 | Addressing information security within supplier agreements | Guidance for the protection of PII is provided. |
5.21 | Managing information security in the ICT supply chain | No guidance or other information is provided. |
5.22 | Monitoring, review and change management of supplier services | No guidance or other information is provided. |
5.23 * | Information security for use of cloud services | No guidance or other information is provided. |
5.24 | Information security incident management planning and preparation | Guidance for the protection of PII is provided. |
5.25 | Assessment and decision on information security events | Guidance for the protection of PII is provided. |
5.26 | Response to information security incidents | Guidance for the protection of PII is provided. |
5.27 | Learning from information security incidents | No guidance or other information is provided. |
5.28 | Collection of evidence | No guidance or other information is provided. |
5.29 | Information security during disruption | No guidance or other information is provided. |
5.30 * | ICT readiness for business continuity | No guidance or other information is provided. |
5.31 | Legal, statutory, regulatory and contractual requirements | Guidance for the protection of PII is provided. |
5.32 | Intellectual property rights | No guidance or other information is provided. |
5.33 | Protection of records | No guidance or other information is provided. |
5.34 | Privacy and protection of PII | Guidance for the protection of PII is provided. |
5.35 | Independent review of information security | Guidance and other information for the protection of PII are provided. |
5.36 | Compliance with policies, rules and standards for information security | No guidance or other information is provided. |
5.37 | Documented operating procedures | No guidance or other information is provided. |
Clause 6 – People controls | ||
6.1 | Screening | No guidance or other information is provided. |
6.2 | Terms and conditions of employment | No guidance or other information is provided. |
6.3 | Information security awareness, education and training | Guidance for the protection of PII is provided. |
6.4 | Disciplinary process | Guidance for the protection of PII is provided. |
6.5 | Responsibilities after termination or change of employment | No guidance or other information is provided. |
6.6 | Confidentiality or non-disclosure agreements | Guidance for the protection of PII is provided. |
6.7 | Remote working | Guidance for the protection of PII is provided. |
6.8 | Information security event reporting | Guidance for the protection of PII is provided. |
Clause 7 – Physical controls | ||
7.1 | Physical security perimeters | No guidance or other information is provided. |
7.2 | Physical entry | No guidance or other information is provided. |
7.3 | Securing offices, rooms and facilities | No guidance or other information is provided. |
7.4 * | Physical security monitoring | No guidance or other information is provided. |
7.5 | Protecting against physical and environmental threats | No guidance or other information is provided. |
7.6 | Working in secure areas | No guidance or other information is provided. |
7.7 | Clear desk and clear screen | No guidance or other information is provided. |
7.8 | Equipment siting and protection | No guidance or other information is provided. |
7.9 | Security of assets off-premises | No guidance or other information is provided. |
7.10 | Storage media | Guidance for the protection of PII is provided. |
7.11 | Supporting utilities | No guidance or other information is provided. |
7.12 | Cabling security | No guidance or other information is provided. |
7.13 | Equipment maintenance | No guidance or other information is provided. |
7.14 | Secure disposal or re-use of equipment | Guidance for the protection of PII is provided. |
Clause 8 – Technological controls | ||
8.1 | User endpoint devices | Guidance for the protection of PII is provided. |
8.2 | Privileged access rights | No guidance or other information is provided. |
8.3 | Information access restriction | Guidance for the protection of PII is provided. |
8.4 | Access to source code | No guidance or other information is provided. |
8.5 | Secure authentication | No guidance or other information is provided. |
8.6 | Capacity management | No guidance or other information is provided. |
8.7 | Protection against malware | No guidance or other information is provided. |
8.8 | Management of technical vulnerabilities | No guidance or other information is provided. |
8.9 * | Configuration management | No guidance or other information is provided. |
8.10 * | Information deletion | No guidance or other information is provided. |
8.11 * | Data masking | No guidance or other information is provided. |
8.12 * | Data leakage prevention | No guidance or other information is provided. |
8.13 | Information backup | Guidance for the protection of PII is provided. |
8.14 | Redundancy of information processing facilities | No guidance or other information is provided. |
8.15 | Logging | Guidance for the protection of PII is provided. |
8.16 * | Monitoring activities | Guidance for the protection of PII is provided. |
8.17 | Clock synchronization | No guidance or other information is provided. |
8.18 | Use of privileged utility programs | No guidance or other information is provided. |
8.19 | Installation of software on operational systems | No guidance or other information is provided. |
8.20 | Networks security | No guidance or other information is provided. |
8.21 | Security of network services | No guidance or other information is provided. |
8.22 | Segregation of networks | No guidance or other information is provided. |
8.23 * | Web filtering | No guidance or other information is provided. |
8.24 | Use of cryptography | No guidance or other information is provided. |
8.25 | Secure development life cycle | No guidance or other information is provided. |
8.26 | Application security requirements | No guidance or other information is provided. |
8.27 | Secure system architecture and engineering principles | No guidance or other information is provided. |
8.28 * | Secure coding | No guidance or other information is provided. |
8.29 | Security testing in development and acceptance | No guidance or other information is provided. |
8.30 | Outsourced development | No guidance or other information is provided. |
8.31 | Separation of development, test and production environments | Guidance for the protection of PII is provided. |
8.32 | Change management | No guidance or other information is provided. |
8.33 | Test information | Guidance for the protection of PII is provided. |
8.34 | Protection of information systems during audit testing | No guidance or other information is provided. |
* The 11 controls that are new in ISO/IEC 27002:2022 are marked. |
5 Organizational controls
5.1 Policies for information security
Control 5.1 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.1 apply.
Guidance for the protection of PII
The information security policies should include appropriate statements of information security measures for the protection of PII.
When designing, implementing and reviewing information security policy, organizations should consider the privacy safeguarding requirements described in ISO/IEC 29100.
Organizations may specify the elements of PII protection not related to information security as a separate privacy policy. See the guidance in A.2.
5.2 Information security roles and responsibilities
Control 5.2 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.2 apply.
Guidance for the protection of PII
Roles and responsibilities for the protection of PII should be defined, documented and appropriately communicated. Specifically:
a) a clearly identified senior individual, sometimes referred to as the chief privacy officer (CPO), within the organization should be allocated the accountability for the coordination of PII protection activities and processes;
b) a clearly identified individual or individuals (e.g. PII protection function) should be assigned responsibility for coordinating with the information security functions within the organization; and
c) all individuals that are involved with the processing of PII (including users and support personnel) should have appropriate PII protection requirements included in their job documents.
The established PII protection function should work closely with:
— other functions processing PII,
— the information security function, which implements information security requirements that include ones arising from PII protection laws, and
— the legal function, which assists in interpreting laws, regulations and contract terms, and in handling data breaches.
The organization should examine the need for and establish, as appropriate, a cross-functional council or committee comprising senior members from functions that process PII. As protection of PII is a multi-disciplinary function, such a group can help proactively identify opportunities for improvement, identify new risks and areas for conducting PIAs, and plan preventive actions and detection and reaction measures for any breaches. Such a group should meet periodically and be chaired by the person responsible for PII protection as identified in a).
The PII controller should require its PII processor(s) to designate a point of contact to address questions regarding the processing of PII under the PII processing contract.
Individuals responsible for PII protection functions should report to the CPO in order to ensure they have sufficient authority to fulfil their responsibilities.
5.3 Segregation of duties
Control 5.3 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.3 apply.
Guidance for the protection of PII
Duties and areas of responsibility for PII protection should be segregated between different individuals in order to prevent one individual from executing potentially conflicting duties on their own. While recognizing the importance of information security for the protection of PII, the duties and areas of responsibility of information security and of PII protection should be as independent of each other as possible. Where necessary or helpful in the interest of PII protection, coordination and cooperation between those responsible for information security and those responsible for PII protection should be facilitated.
Organizations should determine which duties and areas of responsibility need to be segregated. Organizations should control access to PII through policies and access enforcement mechanisms.
Processing of PII and the capability of deleting or changing log files should be separate duties.
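The separation required above is only as good as the check that enforces it: a conflicting combination can arrive through role inheritance rather than a direct grant. The following Go program is an added example, not part of ISO/IEC 29151 or ISO/IEC 27002, of a segregation-of-duties check over role assignments. The role names, permission strings, inheritance relation and the list of conflicting pairs are constructed for the example; an organization would derive its own from the duties it has decided to segregate.

```go
package main

import (
	"fmt"
	"sort"
)

// rolePermissions maps each role to the permissions it grants directly.
// Role and permission names are assumptions for this example.
var rolePermissions = map[string][]string{
	"pii-analyst":  {"pii:read", "pii:export"},
	"pii-operator": {"pii:update", "pii:delete"},
	"soc-analyst":  {"log:read"},
	"log-admin":    {"log:delete", "log:modify"},
	"platform-sre": {"deploy"},
}

// roleIncludes records role inheritance: holding the key role also grants
// everything the included roles grant.
var roleIncludes = map[string][]string{
	"pii-operator": {"pii-analyst"},
	"log-admin":    {"soc-analyst"},
	"platform-sre": {"log-admin"},
}

// conflictingPairs lists permission pairs no single individual may hold.
// They encode the rule that processing PII and altering log files are
// separate duties; an organization would derive its own list.
var conflictingPairs = [][2]string{
	{"pii:read", "log:delete"},
	{"pii:read", "log:modify"},
	{"pii:update", "log:modify"},
	{"pii:delete", "log:delete"},
}

// effectivePermissions expands a role list, following inclusions, into the
// full permission set. visited guards against cycles in the inclusion graph.
func effectivePermissions(roles []string) map[string]bool {
	perms := map[string]bool{}
	visited := map[string]bool{}
	var walk func(role string)
	walk = func(role string) {
		if visited[role] {
			return
		}
		visited[role] = true
		for _, p := range rolePermissions[role] {
			perms[p] = true
		}
		for _, inc := range roleIncludes[role] {
			walk(inc)
		}
	}
	for _, r := range roles {
		walk(r)
	}
	return perms
}

// Conflicts returns, for every user who holds a conflicting pair through
// any combination of roles, the sorted list of pairs found. Users with no
// conflict are absent from the result.
func Conflicts(userRoles map[string][]string) map[string][]string {
	out := map[string][]string{}
	for user, roles := range userRoles {
		perms := effectivePermissions(roles)
		var found []string
		for _, pair := range conflictingPairs {
			if perms[pair[0]] && perms[pair[1]] {
				found = append(found, pair[0]+" + "+pair[1])
			}
		}
		if len(found) > 0 {
			sort.Strings(found)
			out[user] = found
		}
	}
	return out
}

func main() {
	// Constructed sample assignments.
	users := map[string][]string{
		"alice": {"pii-analyst"},
		"bob":   {"pii-operator", "log-admin"},
		"carol": {"pii-analyst", "platform-sre"}, // log:delete arrives via platform-sre -> log-admin
		"dave":  {"soc-analyst"},
	}
	for user, pairs := range Conflicts(users) {
		fmt.Printf("%s holds conflicting duties: %v\n", user, pairs)
	}
}
```

Run against the constructed assignments, bob is flagged for all four pairs and carol for two, even though carol was never granted a log permission directly. A check like this belongs in the access-request workflow (reject the grant) as well as in periodic access reviews (report existing conflicts).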
5.4 Management responsibilities
Control 5.4 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.4 apply.
5.5 Contact with authorities
Control 5.5 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.5 apply.
Guidance for the protection of PII
Where applicable, organizations should have procedures in place that specify when and by whom authorities (including data protection authorities) should be contacted, e.g. to report privacy breaches or to report processing details.
Some jurisdictions require organizations to report data breaches promptly to authorities.
5.6 Contact with special interest groups
Control 5.6 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.6 apply.
5.7 Threat intelligence
Control 5.7 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.7 apply.
5.8 Information security in project management
Control 5.8 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.8 apply.
Guidance for the protection of PII
Any new project initiation should trigger at least a threshold analysis to determine whether a PIA needs to be conducted. Projects include the implementation or modification of any new or existing technology, product, service, programme, information system or process, as well as changes made following incidents or to prevent them.
When developing or making significant changes to information systems that process PII, a PIA should be conducted. The results of the PIA should be used to determine the controls to treat the risks identified during the PIA process.
Other information
Further guidance can be found in the PIA specified in ISO/IEC 29134.
5.9 Inventory of information and other associated assets
Control 5.9 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.9 apply.
Guidance for the protection of PII
Organizations should establish, maintain, and update an inventory of assets using, for example, the information given from the PIA report, if any, as specified in ISO/IEC 29134. This should include the PII assets and all systems that process PII.
When developing and maintaining the inventory, organizations should extract the following information elements from PIAs concerning information systems processing PII. The list is given as an example; additions or subtractions can be made to the list finally implemented:
a) name of and acronym for each identified asset;
b) types of PII processed by those systems;
c) classification (see 5.12) of all types of PII, both as individual information elements and as combined in those information systems;
d) purpose(s) for collecting the PII;
e) whether PII processing will be outsourced to a PII processor;
f) whether PII is transmitted to other PII controllers, and if so, to whom (or to which group of recipients);
g) retention period of PII;
h) geographical area where the PII was collected or processed; and
i) whether trans-border data transfer is involved.
Organizations should provide regular updates of the PII inventory to the person accountable for protection of PII to support the establishment of appropriate information security controls for all new or updated information systems processing PII.
5.10 Acceptable use of information and other associated assets
Control 5.10 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.10 apply.
Guidance for the protection of PII
If an organization allows people under its control to omit the information labelling for the classification category related to PII, it should require them to handle all information containing PII as information of the assigned classification category.
5.11 Return of assets
Control 5.11 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.11 apply.
5.12 Classification of information
Control 5.12 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.12 apply.
Guidance for the protection of PII
Organizations should classify all information containing PII, using an existing classification category or newly created classification categories. New classification categories should include, but are not limited to, general ones such as sensitive and non-sensitive PII. A classification scheme may also include more specific categories such as personal health information or personal financial information. If organizations create new classification categories, then levels of protection for those should also be defined. The actual categories used should consider the requirements defined in relevant data protection legislation and regulations, other legal (e.g. contractual) obligations, the nature and sensitivity of the information, and the risk of harm that can arise in the event of a breach.
Some PII that may be classified non-sensitive in one country can be treated as sensitive elsewhere, depending on the applicable data protection laws.
The classification for an element of PII can require re-evaluation and modification when associated with one or more additional attributes. Appropriate guidance and procedures should be put in place.
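The re-evaluation point above is easy to state and easy to get wrong in practice, because a record's classification is not simply the maximum of its elements: three elements that are individually public (postal code, birth year, gender) jointly single out most individuals. The Go program below is an added example, not text or code from ISO/IEC 29151, of a classifier that first takes the per-element maximum and then applies combination rules that raise the level when a complete set of related attributes is present. The level names, the per-element classes and both combination rules are constructed assumptions; the right values depend on the applicable data protection law, as the guidance above notes.

```go
package main

import (
	"fmt"
	"strings"
)

// Level is an ordered classification category. The names are assumptions
// for this example; an organization would substitute its own scheme.
type Level int

const (
	Public Level = iota
	NonSensitivePII
	SensitivePII
)

func (l Level) String() string {
	switch l {
	case NonSensitivePII:
		return "non-sensitive PII"
	case SensitivePII:
		return "sensitive PII"
	}
	return "public"
}

// elementClass is the standalone classification of each element
// (constructed values; the right class depends on applicable law).
var elementClass = map[string]Level{
	"postal_code":      Public,
	"birth_year":       Public,
	"gender":           Public,
	"name":             NonSensitivePII,
	"email":            NonSensitivePII,
	"location_history": NonSensitivePII,
	"health_condition": SensitivePII,
	"national_id":      SensitivePII,
}

// combinationRule raises the classification when all listed elements
// appear together in one record, even if each is harmless on its own.
type combinationRule struct {
	elements []string
	atLeast  Level
	reason   string
}

var combinationRules = []combinationRule{
	{[]string{"postal_code", "birth_year", "gender"}, NonSensitivePII,
		"quasi-identifiers that together single out an individual"},
	{[]string{"email", "location_history"}, SensitivePII,
		"movement profile linked to an identified person"},
}

// Classify returns the classification of a record holding the given
// elements, plus the reasons for any escalation above the per-element
// maximum and a flag for every element that has no classification yet.
func Classify(elements []string) (Level, []string) {
	present := map[string]bool{}
	level := Public
	var reasons []string
	for _, e := range elements {
		present[e] = true
		c, ok := elementClass[e]
		if !ok {
			reasons = append(reasons, "unclassified element: "+e)
			continue
		}
		if c > level {
			level = c
		}
	}
	for _, r := range combinationRules {
		complete := true
		for _, e := range r.elements {
			if !present[e] {
				complete = false
				break
			}
		}
		if complete && r.atLeast > level {
			level = r.atLeast
			reasons = append(reasons, r.reason)
		}
	}
	return level, reasons
}

func main() {
	for _, rec := range [][]string{
		{"postal_code", "gender"},
		{"postal_code", "gender", "birth_year"},
		{"email", "location_history"},
		{"name", "shoe_size"},
	} {
		level, why := Classify(rec)
		fmt.Printf("%-40s -> %s %v\n", strings.Join(rec, ","), level, why)
	}
}
```

Two design points matter for the guidance above: an element the scheme does not know is reported rather than silently treated as public, which is how new attributes get routed to the person accountable for classification; and the reasons returned with the level are what an auditor needs to see why a record was escalated.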
5.13 Labelling of information
Control 5.13 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.13 apply.
Guidance for the protection of PII
Where an organization does not classify PII to a classification category, the organization should ensure that people under its control are made aware of the definition of PII and how to recognize whether information is PII.
5.14 Information transfer
Control 5.14 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.14 apply.
Guidance for the protection of PII
Appropriate measures should be put in place to reduce the risk of PII leakage during information transfer. This is generally achieved by encryption; other preliminary measures can include de-identification, masking or obfuscation.
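Encryption protects the data in transit but delivers the full record to the recipient; the preliminary measures named above reduce what is sent in the first place. The Go program below is an added example, not code from ISO/IEC 29151, of a transfer view built with the three of them: direct identifiers are pseudonymized with a keyed HMAC-SHA256 tag (the key stays with the controller, so the recipient can join records on the pseudonym but cannot reverse it or recompute it for a guessed value), the payment card number is masked to its last four digits, and the quasi-identifiers are generalized. The record layout, the field names and the fixed key are constructed for the example; in practice the key is held in a KMS or HSM.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed example of a customer record held by a PII
// controller; the field set is an assumption for this example.
type Record struct {
	CustomerID string
	Email      string
	CardNumber string
	BirthDate  string // YYYY-MM-DD
	PostalCode string
}

// Pseudonymize replaces a direct identifier with a keyed HMAC-SHA256 tag.
// The field name is mixed in so the same value in two fields yields two
// different pseudonyms. Values are normalized first so that case and
// whitespace differences do not split one person into two pseudonyms.
// The key is assumed to live in a KMS/HSM and is never sent with the data.
func Pseudonymize(key []byte, field, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(field))
	mac.Write([]byte{0})
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))[:32]
}

// MaskCard keeps only the last four digits of a payment card number and
// drops separators, so the masked value cannot be used to transact.
func MaskCard(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, pan)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// GeneralizeBirthDate coarsens a full birth date to the birth year.
func GeneralizeBirthDate(d string) string {
	if len(d) >= 4 {
		return d[:4]
	}
	return ""
}

// GeneralizePostalCode keeps only the leading three characters (an
// assumed granularity; the right cut depends on the postal scheme).
func GeneralizePostalCode(p string) string {
	p = strings.ToUpper(strings.ReplaceAll(p, " ", ""))
	if len(p) > 3 {
		return p[:3] + "*"
	}
	return p
}

// DeIdentify builds the view of a record that may leave the controller.
// The original record is not modified.
func DeIdentify(key []byte, r Record) Record {
	return Record{
		CustomerID: Pseudonymize(key, "customer_id", r.CustomerID),
		Email:      Pseudonymize(key, "email", r.Email),
		CardNumber: MaskCard(r.CardNumber),
		BirthDate:  GeneralizeBirthDate(r.BirthDate),
		PostalCode: GeneralizePostalCode(r.PostalCode),
	}
}

func main() {
	key := []byte("example-pseudonymization-key-do-not-use") // assumption: fetched from a KMS
	in := Record{"C-1001", "Jane.Doe@example.org", "4111 1111 1111 1111", "1984-07-12", "SW1A 1AA"}
	fmt.Printf("%+v\n", DeIdentify(key, in))
}
```

The de-identified view is still PII in the sense of the classification guidance: a pseudonym is a persistent identifier, and generalized quasi-identifiers can still be combined with other data, so the transfer should still be encrypted and the pseudonymization key must be rotated or destroyed according to the retention period recorded in the inventory.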
5.15 Access control
Control 5.15 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.15 apply.
5.16 Identity management
Control 5.16 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.16 apply.
Guidance for the protection of PII
Procedures for user registration and de-registration as well as user life cycle management should provide measures to address a compromise of user access control, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure).
5.17 Authentication information
Control 5.17 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.17 apply.
5.18 Access rights
Control 5.18 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.18 apply.
Guidance for the protection of PII
Organizations should provide users with an appropriate right of access to the information systems processing PII, in accordance with the data minimization principle (see ISO/IEC 29100).
Organizations should restrict access to information systems processing PII to the minimum number of individuals needed to carry out the specified purposes for that processing.
Organizations should adopt strong authentication methods for sensitive PII and PII processing (e.g. health data).
Other information
Minimization principle is described in ISO/IEC 29100.
5.19 Information security in supplier relationships
Control 5.19 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.19 apply.
Guidance for the protection of PII
The PII controllers should ensure that their PII processors do not undertake any further subcontracting of processing (e.g. make use of sub-processors) without prior approval of the PII controller. The PII controller should implement appropriate measures showing how applicable legal requirements are met.
The PII controllers should ensure that their PII processors do not process the PII for any purposes other than those specified in the contract or other legal agreement.
The PII controllers should ensure that their PII processors securely dispose of PII, in accordance with the PII controller's policies and relevant legislation and regulations (e.g. specific agency requirements).
Other information
Further guidance can be found in ISO/IEC 27036-3.
5.20 Addressing information security within supplier agreements
Control 5.20 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.20 apply.
Guidance for the protection of PII
In the event that an organization needs to make use of the services of a PII processor, PII processors should be evaluated on the basis of experience, trustworthiness and their ability to meet PII protection requirements as stipulated by applicable legislation, regulation, or in contracts or other legal agreements.
The organization acting as a PII controller should have a written contract with any supplier acting as a PII processor. The contract should clearly allocate roles and responsibilities between the PII controller and the PII processor and should contain appropriate clauses relating to PII protection.
The PII controller contract should at least:
— provide an appropriate declaration on the scale, nature and purpose of the processing under contract;
— require the PII processor to support the PII controller in fulfilling the PII principals' rights (including the ability to access and review their PII) and in handling any complaints raised by PII principals (see A.10.3);
— ensure other organizational measures are taken to fulfil legal or regulatory requirements;
— authorize the PII controller to conduct audits on the premises of the PII processor;
— specify reporting obligations in cases of data breaches, unauthorized processing or other non-performance of contractual terms and conditions, including identification of the points of contact in both parties;
— transfer instructions from the PII controller to the PII processor; and
— specify the measures to apply on termination of the contract, especially with regard to the secure deletion of PII on the PII processor's premises or the return of PII and physical media.
5.21 Managing information security in the ICT supply chain
Control 5.21 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.21 apply.
5.22 Monitoring, review and change management of supplier services
Control 5.22 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.22 apply.
5.23 Information security for use of cloud services
Control 5.23 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.23 apply.
5.24 Information security incident management planning and preparation
Control 5.24 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.24 apply.
Guidance for the protection of PII
Organizations should be capable of providing (and be prepared to provide) an organized and effective response to a privacy incident. Organizations should therefore develop and implement a privacy incident response plan.
An organizational privacy incident response plan should include:
a) the definition of privacy incident and the scope of privacy incident response;
b) the establishment of a cross-functional privacy incident response team that develops, implements, tests, executes and reviews the privacy incident response plan (approval of the plan should rest with senior management within the organization);
c) clearly defined roles, responsibilities and authorities for all members of the privacy incident response team;
d) procedures for clarifying the legal grounds for cooperation with external organizations (national and international) in the event of a cross-border incident;
e) procedures to ensure prompt reporting by all individuals subject to the internal privacy policy (e.g. employees, contractors) of any privacy incident to information security officials and to the CPO, if one is appointed, according to organizational incident management direction;
f) an incident impact assessment (tasks) to determine the nature and extent of any potential or actual harms to affected individuals (e.g. embarrassment, inconvenience or unfairness) or to the organization;
g) a process to identify measures that should be taken to mitigate the harms identified above and to reduce the likelihood of their recurrence; and
h) procedures to determine whether notice to affected individuals and other designated entities (e.g. regulators) is required, the timing for such notice and the form of that notice and, where appropriate, to provide that notice.
Organizations may choose to integrate their privacy incident response plans with their information security incident response plans or keep them separate. An information security incident should trigger a review by the PII controller, as part of its information security incident management process, to determine if a privacy incident has taken place.
5.25 Assessment and decision on information security events
Control 5.25 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.25 apply.
Guidance for the protection of PII
It is possible that an information security event does not trigger a review. An information security event may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing. An information security event will not necessarily result in probable or actual compromise of PII or equipment or facilities processing PII.
5.26 Response to information security incidents
Control 5.26 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.26 apply.
Guidance for the protection of PII
When PII is compromised, the rights and interests of the PII principal cannot be protected without immediate measures.
Jurisdictions can impose specific requirements (e.g. in legislation or regulations) related to the reporting or notification of security incidents involving PII (e.g. unauthorized processing, breach). If an organization becomes aware of a security incident involving PII or of a privacy breach, the details of the incident, including the list of PII disclosed, when and how the breach occurred, the measures taken by the organization and the remedial procedures (the disclosure of which may be subject to certain limitations), should be reported to the relevant authorities within the time period (e.g. 72 hours) specified by law. The organization should also implement measures to notify the affected PII principals, within the time period (e.g. 72 hours) specified by law, of the following, if applicable:
— the list of PII disclosed;
— when and how the PII breach occurred;
— any information about how the PII principal can minimize the risk arising from the privacy breach;
— the measures taken by the organization and the remedial procedures; and
— the organization's contact points for the PII principal to report damage.
Organizations should provide affected PII principals access to appropriate and effective remedies, such as correction or deletion of incorrect information, if a privacy breach has occurred.
5.27 Learning from information security incidents
Control 5.27 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.27 apply.
5.28 Collection of evidence
Control 5.28 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.28 apply.
5.29 Information security during disruption
Control 5.29 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.29 apply.
5.30 ICT readiness for business continuity
Control 5.30 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.30 apply.
5.31 Legal, statutory, regulatory and contractual requirements
Control 5.31 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.31 apply.
Guidance for the protection of PII
Organizations should develop PIAs, if applicable, and implement the resulting privacy treatment plans in order to help ensure that programmes and services related to PII processing comply with privacy safeguarding requirements. Further guidance can be found in ISO/IEC 29134.
Audits can be conducted by the organization (e.g. through an internal audit function) or they can be conducted by a qualified independent third party.
5.32 Intellectual property rights
Control 5.32 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.32 apply.
5.33 Protection of records
Control 5.33 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.33 apply.
5.34 Privacy and protection of PII
Control 5.34 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.34 apply.
Guidance for the protection of PII
Organizations should identify the laws and regulations related to PII protection to which they are subject. If these are identified, then organizations should take necessary measures showing how applicable legal requirements are met. The following cases are examples of such requirements.
a) Where additional protection for certain categories of PII (e.g. national identifier, passport number or credit card numbers) is required, cryptographic techniques such as encryption should be used. The type, strength and quality of the cryptographic algorithm required should be considered. Cryptographic algorithms should only be selected from lists of approved algorithms.
The information security control related to this requirement is specified in 8.24.
b) Jurisdictions can impose a minimum frequency of data backup for information including PII as well as a minimum frequency of reviews of backup and recovery procedures.
The information security control related to this requirement is specified in 8.13.
5.35 Independent review of information security
Control 5.35 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.35 apply.
Guidance for the protection of PII
Organizations should establish an audit programme to help verify that PII processing complies with relevant privacy safeguarding requirements.
The programme should specify the frequency with which audits must be conducted.
If audits by individual interested parties are impractical or can increase risks to information security, organizations should make available to prospective interested parties, prior to entering into a contract, independent evidence that information security is implemented and operated according to the PII controller's policies and procedures. A relevant independent audit selected by the PII controller should normally be an acceptable method for fulfilling the interested parties' interest in reviewing the PII controller's processing operations, as long as sufficient transparency is provided.
Other information for the protection of PII
While in many jurisdictions it is the PII controller who is ultimately responsible for ensuring compliance, all actors involved in the processing of PII should take a proactive approach in identifying relevant privacy safeguarding requirements arising from legal or other factors.
A mechanism to ensure the PII processor supports and manages compliance is provided by the contract between the PII controller and the PII processor. The contract should call for independently audited compliance, acceptable to the PII processor, e.g. via the implementation of the relevant controls in this document, and those in ISO/IEC 27002 and ISO/IEC 27018.
5.36 Compliance with policies, rules and standards for information security
Control 5.36 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.36 apply.
5.37 Documented operating procedures
Control 5.37 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 5.37 apply.
6 People controls
6.1 Screening
Control 6.1 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 6.1 apply.
6.2 Terms and conditions of employment
Control 6.2 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 6.2 apply.
6.3 Information security awareness, education and training
Control 6.3 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 6.3 apply.
Guidance for the protection of PII
Measures should be put in place to make relevant personnel aware of the possible consequences of breaching privacy or security rules and procedures, especially those addressing the processing of PII. These include consequences for:
— the PII controller (e.g. legal consequences, loss of business, or brand or reputational damage);
— the personnel member (e.g. disciplinary consequences); and
— the PII principal (e.g. physical, material and emotional consequences).
Just as with information security awareness, education and training, organizations should provide for the appropriate training, education and awareness regarding the protection and the processing of PII.
6.4 Disciplinary process
Control 6.4 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 6.4 apply.
Guidance for the protection of PII
Organizations should establish a formal disciplinary policy. The way this policy applies in case of privacy breaches should be clearly communicated to the individuals concerned. Organizations should enforce this policy in all cases of significant privacy breaches.
6.5 Responsibilities after termination or change of employment
Control 6.5 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 6.5 apply.
6.1.5 Confidentiality or non-disclosure agreements
Control 6.6 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022 apply.
Guidance for the protection of PII
Organizations should specify the conditions under which external processing of PII may take place. These conditions should be part of an appropriate agreement (e.g. contract, confidentiality or non-disclosure agreement).
6.1.6 Remote working
Control 6.7 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022 apply.
Guidance for the protection of PII
Organizations should specify the conditions under which PII can be processed in remote working. Organizations should protect PII processing in remote working contexts through the configuration of endpoint devices, rules for personnel, limiting access to PII, etc.
Organizations should strictly limit remote access to PII. In cases where remote access is unavoidable, they should ensure that the communications for remote access are encrypted, that messages and personnel are authenticated, and that integrity is protected.
6.1.7 Information security event reporting
Control 6.8 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022 apply.
7.0 Physical controls
7.1 Physical security perimeters
Control 7.1 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.1 apply.
7.1.1 Physical entry
Control 7.2 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.2 apply.
7.1.2 Securing offices, rooms and facilities
Control 7.3 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.3 apply.
7.1.3 Physical security monitoring
Control 7.4 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.4 apply.
7.1.4 Protecting against physical and environmental threats
Control 7.5 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.5 apply.
7.1.5 Working in secure areas
Control 7.6 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.6 apply.
7.1.6 Clear desk and clear screen
Control 7.7 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.7 apply.
7.1.7 Equipment siting and protection
Control 7.8 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.8 apply.
7.1.8 Security of assets off-premises
Control 7.9 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.9 apply.
7.1.9 Storage media
Control 7.10 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.10 apply.
Guidance for the protection of PII
Some jurisdictions can require removable media containing PII to be encrypted. Whether or not it is required by law, encryption is recommended to reduce the risk of PII leakage.
If data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect PII on removable media. A risk assessment should be performed to identify the required level of protection, which in turn will help determine the necessary type, strength and quality of cryptographic algorithm to be used.
The procedures for secure disposal of media containing PII should be proportional to the sensitivity of the information, as well as the level of impact from inappropriate processing of that information. Some jurisdictions can impose criteria on procedures used to dispose of media containing PII or specific types of PII (e.g. health data, financial data).
Whenever physical media are used for information transfer, a measure should be put in place to record incoming and outgoing physical media containing PII and to detect loss of physical media. The record should include the type of physical media, any identifying numbers (e.g. serial numbers or inventory tag numbers), the authorized sender and recipients, the date and time, the number of physical media, and the types of PII they contain. The purpose and extent of the transfer, the person responsible for its authorization and the legal/contractual basis for the transfer should also be documented.
7.1.10 Supporting utilities
Control 7.11 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.11 apply.
7.1.11 Cabling security
Control 7.12 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.12 apply.
7.1.12 Equipment maintenance
Control 7.13 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.13 apply.
7.1.13 Secure disposal or re-use of equipment
Control 7.14 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 7.14 apply.
Guidance for the protection of PII
For the purposes of secure disposal or re-use, equipment containing storage media that can contain PII should be physically destroyed, or the PII should be destroyed, deleted or overwritten using approved techniques, according to well-defined and documented procedures, so that the original PII is rendered unrecoverable. Simply using the standard delete or format function is not sufficient. For equipment containing storage media that can contain encrypted PII, the controlled destruction of the decryption keys or key holders (such as smart cards) can be sufficient.
8.0 Technological controls
8.1 User endpoint devices
Control 8.1 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.1 apply.
Guidance for the protection of PII
Organizations should strictly limit access to PII from portable and mobile devices, such as laptops, mobile phones, universal serial bus (USB) devices, and personal digital assistants (PDAs) that may generally be exposed to higher risk than non‑portable devices (e.g. desktop computers at the organization's facilities), depending on the risk assessment.
8.1.1 Privileged access rights
Control 8.2 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.2 apply.
8.1.2 Information access restriction
Control 8.3 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.3 apply.
Guidance for the protection of PII
Before allowing individuals such as operators and administrators to use query languages that enable automated massive retrieval of PII from databases that contain PII, organizations should review the necessity to use such languages when processing PII.
Where the use of query languages is consistent with the protection requirement, organizations should provide technical measures to limit the use of such languages to the minimum necessary to fulfil the specified purpose(s).
This can mean, for example, that access restrictions limit the use of query language to a few predefined sensitive fields of the records.
Where individuals require access to areas for which they normally are not authorized (e.g. the operational area), approval should be given by more than one person. Organizations should maintain a record of all such approvals.
Organizations should take special care when assigning access rights for high risk operations or operations that involve large amounts of PII (e.g. batch queries, batch modification, batch export, batch deletion, customers in CRM, telemarketing prospect customer databases), which can increase the risk of a privacy incident. In order to prevent the abuse of PII, privileged access rights for PII processing (especially high risk PII processing) should be assigned on a strictly limited basis. They should also be assigned in a way that helps reduce the risk of collusion between two or more individuals. The granting and use of such rights should be recorded in relevant log files. All access approvals should be for a specified period. Organizations should review all such approvals on a regular basis and, as appropriate, renew, revoke or expire them.
8.1.3 Access to source code
Control 8.4 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.4 apply.
8.1.4 Secure authentication
Control 8.5 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.5 apply.
8.1.5 Capacity management
Control 8.6 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.6 apply.
8.1.6 Protection against malware
Control 8.7 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.7 apply.
8.1.7 Management of technical vulnerabilities
Control 8.8 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.8 apply.
8.1.8 Configuration management
Control 8.9 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.9 apply.
8.1.9 Information deletion
Control 8.10 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.10 apply.
8.1.10 Data masking
Control 8.11 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.11 apply.
8.1.11 Data leakage prevention
Control 8.12 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.12 apply.
8.1.12 Information backup
Control 8.13 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.13 apply.
Guidance for the protection of PII
Information systems processing PII should use additional or alternative mechanisms, such as off-site backups, for protection against loss of PII, ensuring continuity of PII processing operations, and providing the ability to restore PII processing operations after a disruptive event, but only where this is strictly necessary.
NOTE – Given that time passes between backup and recovery operations, it is possible that PII stored in a backup is no longer up to date when it is accessed in order to be restored. Any operations based on out-of-date PII can lead to incorrect results and pose a privacy risk.
8.1.13 Redundancy of information processing facilities
Control 8.14 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.14 apply.
8.1.14 Logging
Control 8.15 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.15 apply.
Guidance for the protection of PII
Where possible, the event log should record which PII was accessed, what was done to the PII (e.g. read, print, add, modify, delete), when and by whom, especially for certain types of PII (e.g. health data). Where multiple service providers are involved in providing a service, there can be varied or shared roles in implementing this guidance.
The PII controller should define procedures regarding whether, when and how log information can be made available to or usable by the administrators for purposes such as security monitoring and operational diagnostics.
Log information recorded for purposes such as security monitoring and operational diagnostics may contain PII. Measures, such as access control (see 8.2), should be put in place to ensure that logged information is only used for its intended purposes. Measures should be put in place to ensure log file integrity.
Organizations should monitor privileged access (e.g. by system administrators and operators) to PII and any subsequent processing by those individuals. Such monitoring should form part of the overall monitoring of information systems processing PII.
8.1.15 Monitoring activities
Control 8.16 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.16 apply.
Guidance for the protection of PII
A process should be put in place to review the event log with a specified, documented periodicity to identify irregularities and propose remediation efforts.
Organizations should define what they consider to be anomalous activity and should implement automated procedures to report such activity to relevant individuals within the organization.
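The two pieces of guidance above (8.1.14: record which PII was accessed, what was done, when and by whom, and protect log integrity; 8.1.15: define anomalous activity and report it automatically) can be illustrated together. The following is an added example, not code from ISO/IEC 29151; the HMAC key, the anomaly thresholds and the sample records are constructed assumptions.

```python
"""PII access log with integrity protection and automated anomaly review.

Added example for the logging guidance (record which PII was accessed, what
was done, when and by whom; protect log integrity) and the monitoring
guidance (define anomalous activity and report it automatically). It is not
code from ISO/IEC 29151; the key, thresholds and sample records are
constructed assumptions for illustration.
"""
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed key for the log HMAC; in practice it is held in a key store that the
# administrators whose actions are being logged cannot read or modify.
LOG_KEY = b"constructed-demo-key"

ACTIONS = {"read", "print", "add", "modify", "delete"}   # what was done


class PIIAccessLog:
    """Append-only log where each entry's tag covers the entry and the previous
    tag, so altering, removing or reordering entries breaks verification."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries = []

    def _tag(self, entry: dict, prev_tag: str) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

    def record(self, ts: datetime, actor: str, action: str,
               record_id: str, pii_category: str) -> dict:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = {"ts": ts.isoformat(), "actor": actor, "action": action,
                 "record_id": record_id, "pii_category": pii_category}
        prev = self.entries[-1]["tag"] if self.entries else ""
        self.entries.append({**entry, "tag": self._tag(entry, prev)})
        return self.entries[-1]

    def verify(self) -> bool:
        """Re-compute the chain; False if any entry was altered or dropped."""
        prev = ""
        for stored in self.entries:
            entry = {k: v for k, v in stored.items() if k != "tag"}
            if not hmac.compare_digest(stored["tag"], self._tag(entry, prev)):
                return False
            prev = stored["tag"]
        return True


def find_anomalies(entries, max_reads=20, sensitive=("health",), hours=(8, 18)):
    """Organization-defined anomaly rules (assumed for this example):
    bulk reads by one actor, activity outside business hours, and deletion
    of sensitive PII. Returns (rule, actor, detail) tuples for reporting."""
    findings = []
    reads = Counter(e["actor"] for e in entries if e["action"] == "read")
    findings += [("bulk_read", a, f"{n} reads") for a, n in reads.items() if n > max_reads]
    off_hours = Counter(e["actor"] for e in entries
                        if not hours[0] <= datetime.fromisoformat(e["ts"]).hour < hours[1])
    findings += [("off_hours", a, f"{n} events") for a, n in off_hours.items()]
    findings += [("sensitive_delete", e["actor"], e["record_id"]) for e in entries
                 if e["action"] == "delete" and e["pii_category"] in sensitive]
    return findings


def build_sample_log() -> PIIAccessLog:
    """Constructed sample: routine clinician access, a bulk night-time read
    by an administrator, and a deletion of a health record."""
    log = PIIAccessLog(LOG_KEY)
    day = datetime(2025, 4, 15, 10, 0, tzinfo=timezone.utc)
    for i in range(3):
        log.record(day, "clinician_a", "read", f"patient-{i}", "health")
    night = datetime(2025, 4, 16, 3, 0, tzinfo=timezone.utc)
    for i in range(25):
        log.record(night, "dba_b", "read", f"patient-{i}", "health")
    log.record(day, "clerk_c", "delete", "patient-7", "health")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("log integrity ok:", log.verify())
    for finding in find_anomalies(log.entries):
        print("ANOMALY", finding)
```

The periodic review the guidance asks for is then a scheduled run of `verify()` followed by `find_anomalies()` over the entries since the last review, with the findings routed to the responsible individuals.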
8.1.16 Clock synchronization
Control 8.17 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.17 apply.
8.1.17 Use of privileged utility programs
Control 8.18 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.18 apply.
8.1.18 Installation of software on operational systems
Control 8.19 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.19 apply.
8.1.19 Networks security
Control 8.20 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.20 apply.
8.1.20 Security of network services
Control 8.21 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.21 apply.
8.1.21 Segregation of networks
Control 8.22 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.22 apply.
8.1.22 Web filtering
Control 8.23 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.23 apply.
8.1.23 Use of cryptography
Control 8.24 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.24 apply.
8.1.24 Secure development life cycle
Control 8.25 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.25 apply.
8.1.25 Application security requirements
Control 8.26 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.26 apply.
8.1.26 Secure system architecture and engineering principles
Control 8.27 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.27 apply.
8.1.27 Secure coding
Control 8.28 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.28 apply.
8.1.28 Security testing in development and acceptance
Control 8.29 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.29 apply.
8.1.29 Outsourced development
Control 8.30 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.30 apply.
8.1.30 Separation of development, test and production environments
Control 8.31 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.31 apply.
Guidance for the protection of PII
Organizations should assess the risk of using removable media and devices containing PII with wireless capabilities, which are used for development, test and production, regardless of the environment in which they will be used.
8.1.31 Change management
Control 8.32 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.32 apply.
8.1.32 Test information
Control 8.33 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.33 apply.
Guidance for the protection of PII
Operational data containing PII should not normally be used for development and testing. The use of real PII in these environments increases the risk of information compromise. Instead, organizations should either use synthetic data or should take steps to "hide" (e.g. mask, obfuscate, de-identify) any real PII in use.
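One way to produce the "hidden" test copy described above (and to de-identify both structured fields and free text, as the data minimization guidance in the annex also calls for), as an added example that is not code from ISO/IEC 29151: the field names, the identifier formats matched in free text, the reference date and the sample records are all constructed assumptions.

```python
"""Producing a test copy of operational records with the PII hidden.

Added example for the test information guidance (use synthetic data or mask,
obfuscate or de-identify real PII before it reaches development and test)
and for de-identifying structured fields and free text. It is not code from
ISO/IEC 29151; the field names, identifier formats, reference date and
sample records are constructed assumptions.
"""
import hashlib
import hmac
import json
import re
from datetime import date

# Assumed pseudonymization key: kept in production, never copied to test.
PSEUDONYM_KEY = b"constructed-key-kept-in-production"
REFERENCE_DATE = date(2025, 4, 15)   # assumed "as of" date for age bands

# Assumed patterns for identifiers that tend to appear in free-text fields
FREE_TEXT_PATTERNS = [
    ("[NATIONAL_ID]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("[PHONE]", re.compile(r"\+?\d[\d ()-]{7,}\d")),
]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: records for one person stay linkable inside the test set,
    but the mapping cannot be reversed or recomputed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, as_of: date = REFERENCE_DATE) -> str:
    """Generalize a birth date to a ten-year age band."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def redact_free_text(text: str) -> str:
    """Replace identifiers found in notes with labelled placeholders."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify_record(rec: dict) -> dict:
    """Build the test-environment copy of one operational record."""
    return {
        "customer_id": pseudonymize(rec["customer_id"]),
        "name": "[REDACTED]",
        "email": f"{pseudonymize(rec['email'])[:8]}@example.test",
        "age_band": age_band(rec["dob"]),
        "postcode": rec["postcode"][:2] + "***",      # truncate, keep region
        "notes": redact_free_text(rec["notes"]),
        "order_total": rec["order_total"],             # non-PII, kept for realism
    }


def find_identifier_leaks(originals: list, copies: list) -> list:
    """Check that no original direct identifier survives in the test copy."""
    leaks = []
    for orig, copy in zip(originals, copies):
        blob = json.dumps(copy)
        for field in ("customer_id", "name", "email"):
            if orig[field] in blob:
                leaks.append((orig["customer_id"], field))
    return leaks


# Constructed sample of operational records (not real people)
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Jane Doe", "email": "jane.doe@example.org",
     "dob": date(1984, 6, 30), "postcode": "SW1A 1AA", "order_total": 120.50,
     "notes": "Called +1 555 0100 about refund; id 123-45-6789; alt mail jane.doe@example.org"},
    {"customer_id": "C-1001", "name": "Jane Doe", "email": "jane.doe@example.org",
     "dob": date(1984, 6, 30), "postcode": "SW1A 1AA", "order_total": 35.00,
     "notes": "Repeat order, no issues"},
    {"customer_id": "C-2002", "name": "John Roe", "email": "john@example.net",
     "dob": date(1991, 1, 2), "postcode": "EH1 2NG", "order_total": 9.99,
     "notes": "Asked to be contacted at john@example.net only"},
]


def build_test_dataset(records: list = SAMPLE_RECORDS) -> list:
    return [deidentify_record(r) for r in records]


if __name__ == "__main__":
    copies = build_test_dataset()
    for c in copies:
        print(c)
    print("identifier leaks:", find_identifier_leaks(SAMPLE_RECORDS, copies))
```

The leak check is the acceptance step: a test dataset is released to developers only when `find_identifier_leaks()` returns an empty list.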
8.1.33 Protection of information systems during audit testing
Control 8.34 and the associated purpose, guidance and other information specified in ISO/IEC 27002:2022, 8.34 apply.
(normative)
Extended control set for PII protection
- General
This annex provides new objectives, new controls and new guidance making up an extended control set to the controls specified in ISO/IEC 27002 to meet the specific requirements for the protection of PII.
The guidance in this document builds on that provided in clause 6 of ISO/IEC 29100:2024 and assumes that the guidance there has been implemented. These additional controls are classified according to the 11 privacy principles of ISO/IEC 29100:2024.
- General policies for the use and protection of PII
This clause describes general policies for the protection of PII, while A.3 to A.13 reflect the privacy principles described in clause 6 of ISO/IEC 29100:2024.
Control
Organizations involved in the processing of PII shall establish a policy for the use and protection of PII.
Purpose
To provide management direction and support for PII protection according to business requirements and relevant laws and regulations.
Guidance for the protection of PII
The privacy policy should include appropriate statements (in separate privacy policies or as additions to existing policies) concerning support for and commitment to managing compliance with applicable PII protection legislation, contractual requirements and other internal policies.
It is possible that privacy and information security policies do not cover the same topics, although they are closely related. Both information security policies and privacy policies should address the confidentiality, integrity and availability of information, and in addition privacy policies should address topics such as consent and individual access.
ISO/IEC 29100 provides guidance on implementing a privacy framework. The PII protection policy should:
— be appropriate to the purpose(s) of the organization;
— be transparent about the organization's collection and processing of PII;
— provide the framework for setting objectives for the protection of PII;
— define rules for making decisions in issues of protection of PII;
— define criteria on privacy risk acceptance (see also ISO/IEC 29134:2023 6.3.1);
— include a commitment to satisfy applicable privacy safeguarding requirements;
— include a commitment to continual improvement;
— be communicated within the organization; and
— be available to interested parties, as appropriate.
- Consent and choice
- Consent
- Consent and choice
Control
If consent is needed for PII processing, organizations shall provide the means necessary for PII principals to exercise meaningful, informed, unambiguous and freely given consent.
Purpose
To make PII principals active participants in the decision-making process regarding the processing of their PII, taking legal requirements into consideration, through the exercise of meaningful, informed and freely given consent.
Implementation guidance for the protection of PII
Organizations should:
a) determine the practical means to be implemented to obtain the consent of the PII principals and analyse the cases where the practical means chosen are no longer operational and determine alternate solutions if necessary, in order to ensure that consent is obtained before any processing begins;
b) provide means, where feasible and appropriate taking legal requirements into consideration, for PII principals to provide consent, in order to ensure that consent is obtained before any processing begins – the processing includes collection, storage, alteration, retrieval, consultation, disclosure, de-identification, anonymization, dissemination or otherwise making available, deletion or destruction of PII;
c) where consent is being provided by a legal agent (e.g. on behalf of child or legally incapacitated persons), store information about the legal agent with the record of consent;
d) where necessary, inform PII principals of all instances of PII transfer to third parties and provide appropriate means for PII principals to provide their consent to such transfers;
e) obtain consent, where feasible and appropriate taking legal requirements into consideration, from PII principals prior to any new uses or disclosure of previously collected PII, and ensure that consent is obtained before any further processing begins;
f) ensure that the consent is obtained in an informed, transparent manner in terms of the purposes of the processing and ensure that consent is obtained for a specific purpose;
g) achieve awareness of consent, e.g. through updated public notices;
h) provide a mechanism for PII principals to modify the scope of their consent – any modification of consent should be acted upon in a timely manner and processing should be modified or cease, according to the revised consent;
i) ensure that consent adheres to all applicable legal requirements, including where appropriate the requirement for explicit consent for sensitive PII;
j) where appropriate, allow for implied consent, where PII principals have been made clearly aware of the processing and have not objected, as this behaviour may indicate agreement;
k) give prior notice for all processing operations prior to their implementation; and
l) confirm, where needed, the identity of the PII principal or that of a PII principal's authorized agent, submitting consent to processing – the information requested for verification should be kept to the minimum essential for that purpose, should only be retained for as long as necessary for that purpose and should be securely disposed of when no longer required.
Other information for the protection of PII
Organizations should obtain consent through opt-in or implied consent. Opt-in consent is the preferred method, but it is not always feasible. Opt-in requires that PII principals take affirmative action to allow organizations to collect or use PII. If the consent is collected using electronic media, the organization should determine whether simple opt-in is appropriate or double opt-in is needed.
With opt-out mechanisms, organizations can assume that the PII principal has implicitly consented to the processing of their PII, unless the PII principal takes affirmative action to signal otherwise.
Implied consent is usually inferred by an individual's actions or lack thereof, or their particular circumstances.
EXAMPLE The customer provides the shipping address to the online retailer, and the retailer uses the information strictly for the purpose of delivery of the goods the customer purchased.
Organizations should provide practical means to be implemented to obtain the separate consent of the PII principals when national identification numbers (e.g. social security number, resident registration number, passport number) are collected.
Organizations may provide, for example, PII principals' itemized choices as to whether they wish to be contacted for any of a variety of purposes. In this situation, organizations construct consent mechanisms to ensure that the organizational operations comply with the PII principal's choices as far as possible.
Consent may be electronic or in hard copy depending on applicable regulatory requirements and practical considerations.
If the PII was transferred to or from another organization, organizations should establish a process to update their records to mirror content updates and consent changes (e.g. modification, revocation) made by PII principals and to ensure that these updates/changes are passed on to the organizations with whom the PII was shared. Only the minimum amount of information necessary to ensure that the correct records are updated should be collected from the PII principal and shared with other organizations. Organizations should periodically review their processes to ensure that no unnecessary PII is being processed.
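A consent register that follows the guidance above (consent recorded per purpose before processing begins, the legal agent stored with the record, changes of scope acted on before further processing, and changes passed on to organizations the PII was shared with), as an added example that is not code from ISO/IEC 29151; the purposes, principal identifiers and partner names are constructed assumptions.

```python
"""Consent records that gate PII processing by purpose.

Added example for the consent guidance: consent captured per purpose before
any processing, the legal agent stored with the record, modifications and
withdrawals acted on before further processing, and changes passed on to
organizations the PII was shared with. It is not code from ISO/IEC 29151;
the purposes, identifiers and partner names are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ConsentRequired(Exception):
    """Raised when processing is attempted without valid consent."""


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: set                 # consent is held per specific purpose
    method: str                   # "opt-in", "double-opt-in" or "implied"
    given_at: datetime
    agent: Optional[str] = None   # legal agent acting for the principal
    history: list = field(default_factory=list)   # every change, for audit


class ConsentRegistry:
    def __init__(self) -> None:
        self._records = {}        # principal_id -> ConsentRecord
        self._shared_with = {}    # principal_id -> partners holding the PII

    def record_consent(self, principal_id, purposes, method, agent=None, when=None):
        when = when or datetime.now(timezone.utc)
        rec = ConsentRecord(principal_id, set(purposes), method, when, agent)
        rec.history.append((when, "given", sorted(purposes)))
        self._records[principal_id] = rec
        return rec

    def record_for(self, principal_id) -> Optional[ConsentRecord]:
        return self._records.get(principal_id)

    def is_permitted(self, principal_id, purpose) -> bool:
        """Processing is allowed only for a purpose the principal consented to
        and has not since withdrawn; unknown principals have given no consent."""
        rec = self._records.get(principal_id)
        return rec is not None and purpose in rec.purposes

    def require(self, principal_id, purpose) -> None:
        """Call before any processing step; stops it when consent is missing."""
        if not self.is_permitted(principal_id, purpose):
            raise ConsentRequired(f"{principal_id}: no consent for {purpose!r}")

    def share(self, principal_id, partner) -> None:
        """Record that PII went to a partner, so later consent changes follow it."""
        self.require(principal_id, "sharing")
        self._shared_with.setdefault(principal_id, set()).add(partner)

    def modify(self, principal_id, add=(), remove=(), when=None) -> list:
        """Change the scope of consent and return the notifications that must
        go to every partner holding this principal's PII."""
        rec = self._records[principal_id]
        when = when or datetime.now(timezone.utc)
        change = {"add": sorted(add), "remove": sorted(remove)}
        rec.purposes |= set(add)
        rec.purposes -= set(remove)
        rec.history.append((when, "modified", change))
        return [(partner, principal_id, change)
                for partner in sorted(self._shared_with.get(principal_id, ()))]

    def withdraw(self, principal_id, when=None) -> list:
        """Withdraw consent for all purposes; all processing must cease."""
        rec = self._records[principal_id]
        return self.modify(principal_id, remove=tuple(rec.purposes), when=when)


def demo() -> ConsentRegistry:
    """Constructed walk-through: an adult customer, a child via a parent, and
    a logistics partner that received the customer's PII."""
    reg = ConsentRegistry()
    t0 = datetime(2025, 4, 15, 9, 0, tzinfo=timezone.utc)
    reg.record_consent("cust-1", {"delivery", "marketing", "sharing"}, "opt-in", when=t0)
    reg.record_consent("child-2", {"delivery"}, "opt-in", agent="parent-of-child-2", when=t0)
    reg.share("cust-1", "logistics-partner")
    return reg


if __name__ == "__main__":
    reg = demo()
    print("notify partners:", reg.modify("cust-1", remove=("marketing",)))
    print("marketing still permitted:", reg.is_permitted("cust-1", "marketing"))
```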
- Choice
Control
If consent is needed for PII processing, organizations shall provide PII principals with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice with respect to the processing of their PII, except where the PII principal cannot freely withhold consent or where applicable legal requirements specifically allow the processing of PII without the PII principal’s consent.
Purpose
To present to PII principals, where appropriate and feasible, the choice not to allow the processing of their PII, to refuse or withdraw consent or to oppose a specific type of processing, and to explain to PII principals the implications of granting or refusing consent.
Guidance for the protection of PII
Organizations should:
a) ensure that PII principals exercising a choice regarding the processing of their PII can do so before any processing takes place;
b) not withhold service from a PII principal who declines to provide PII that is not relevant to that service;
c) being aware of relevant legal requirements, determine the practical means that will be implemented to enable PII principals to exercise their right to object to processing of their PII – PII principals should be given multiple means by which to exercise this right (e.g. by postal mail, e‑mail, phone);
d) acknowledge the statement of objection within the time frames taking legal requirements into consideration or as defined in organizational policy;
e) analyse the cases where the practical means chosen are no longer operational and identify back-up solutions, if necessary, to allow PII principals to continue to exercise their right to object in a timely manner;
f) ensure that PII is classified, labelled and stored in a manner that facilitates the exercising of the right to object and ensure that PII principals can exercise their right to object in a timely manner and at no cost;
g) confirm the identity of the PII principal, or that of a PII principal's authorized agent, submitting an objection to processing – the information requested for verification should be kept to the minimum essential for that purpose, should only be retained for as long as necessary for that purpose and should be securely disposed of when no longer required;
h) ensure that PII principals exercising their right to object provide reasonable grounds for the objection being aware of legal requirements. Any refusal to comply with the objection should detail the reasons why the PII controller does not consider those grounds as legitimate;
i) ensure that all organizations with whom the PII has been shared are made aware of any objections submitted by the PII principal, and that they abide by any valid objections; and
j) where possible, provide PII principals with the ability to object to selected aspects of the PII processing, rather than having to accept or object to the processing in its entirety.
Other information for the protection of PII
In many situations, depending on legal requirements, it may not be necessary or practicable to provide a mechanism to exercise choice when collecting publicly available information. For example, it would not be necessary to provide a mechanism to offer a choice to PII principals when collecting their name and address from a public record or a newspaper.
- Purpose legitimacy and specification
- Purpose legitimacy
- Purpose legitimacy and specification
Control
Organizations shall implement appropriate measures identifying and documenting legal compliance.
Purpose
To ensure that the purpose(s) for processing of PII are identified and documented taking into account legal requirements.
Implementation guidance for the protection of PII
Organizations should:
a) determine whether the proposed processing can be undertaken on the basis of a legal ground other than consent (e.g. law enforcement, public safety, legal obligation or a legitimate interest of the PII controller);
b) determine whether the proposed processing is governed by a legal ground (e.g. law enforcement, public safety or legal obligation) that prohibits PII principals from exercising their choice regarding the processing of their PII; and
c) determine the legal authority (ground) that permits the processing of PII, either generally or in support of a specific programme or information system.
Organizations should develop procedures which ensure that processing of PII is not carried out in a way which breaches or potentially breaches any legal obligations, including statutory provisions, common law or contractual terms.
If the organization has a works council or trade union, applicable laws can require consultation with such bodies when establishing the legitimacy of a purpose in the case of employees.
Programme officials should consult with the individual accountable for PII protection (sometimes referred to as the CPO) or equivalent and legal counsel regarding the appropriate legal ground of any programme or activity to process PII. The legal ground for processing PII should be documented.
Other information for the protection of PII
If collection or processing of PII is executed internationally, the need for consent and the proper way to process it can differ over the different legal frameworks that apply.
- Purpose specification
Control
Organizations shall communicate to the PII principal from whom they are going to collect PII, the purpose(s) for which that PII is being collected and the purpose(s) for which the PII will be processed. Such communication should take place at or before the PII is collected and before the PII is processed for any purpose(s) not previously communicated to the PII principal.
Purpose
To specify the purposes for which PII are collected not later than at the time of PII collection and limit the subsequent use to the fulfilment of original purposes.
Guidance for the protection of PII
Organizations should communicate the purpose(s) to the PII principal before the information is collected or used for the first time for a new purpose, use language for this communication that is both clear and appropriately adapted to the circumstances, and give sufficient explanations for the need to process sensitive PII.
Often, statutory language expressly authorizes specific collections and uses of PII. When statutory language is written broadly and thus subject to interpretation, organizations should ensure, in consultation with the CPO and legal counsel, that there is a clear connection between the general authorization and any specific collection of PII.
Organizations should:
a) identify the PII processing needed for each business process;
b) separate the PII, as applicable, so that processes that do not need them cannot process them;
c) manage the different access rights according to the business processes (including payroll management, vacation request management and career advancement) and establish a dedicated IT environment for systems that process the most sensitive PII; and
d) regularly confirm that PII are separated effectively and that recipients and interconnections have not been added.
- Collection limitation
Control
Organizations shall implement appropriate measures to limit the collection of the type and amount of PII to the minimum elements for the purposes described in the notice (See A.9.1).
Purpose
To limit the collection of PII to that which is strictly necessary for the specified purpose(s) being aware of legal requirements.
Guidance for the protection of PII
Organizations should:
a) limit the collection of PII to the minimum elements identified for the purposes described in the notice (See A.9.1);
b) not collect sensitive PII unless collection of sensitive PII is legally authorized or consent is obtained; and
c) limit the amount of information that they collect from or about a PII principal indirectly (e.g. through web logs, system logs).
Organizations should define the purpose(s) for processing PII, identify the PII necessary to achieve that purpose, identify information that should not be collected and confirm that only essential information is being collected.
Organizations should carefully consider which PII should be collected to realize a particular purpose before proceeding with collection. Organizations should not collect PII indiscriminately.
Organizations should regularly review the purpose(s) for which they are collecting PII to ensure that they are still valid. They should also regularly review the PII they are collecting to ensure that it is still only the minimum essential for the purpose(s).
Organizations should not collect sensitive PII, e.g. national identification number, unless collection of such information is legally authorized or explicit consent is obtained.
Other information for the protection of PII
Some jurisdictions can define certain categories of PII (e.g. racial origin, political opinions or religious or other beliefs, personal data on health, sex life or criminal convictions, and so on) as sensitive. These jurisdictions can impose restrictions or conditions on the collection of this kind of PII and organizations should take these restrictions and conditions into account when deciding which PII to collect.
- Data minimization
Control
Organizations shall implement appropriate measures to minimize the amount of PII being processed.
Purpose
To minimize the PII which is processed to what is strictly necessary for the stated processing purposes.
Guidance for the protection of PII
Organizations should:
a) ensure adoption of a “need-to-know” principle, e.g. individuals should be given access only to the PII which is necessary for the conduct of their official duties in the framework of the legitimate purpose of the PII processing;
b) use or offer as default options, wherever possible, interactions and transactions which do not involve the identification of PII principals;
c) limit the linkability of the PII collected;
d) conduct an initial evaluation of PII retained by the organization and establish and follow a schedule for regularly reviewing those to ensure that only PII identified in the notice is collected, and that the PII continues to be necessary to accomplish the current business purposes;
e) restrict the transmission of electronic documents containing PII to a minimum of interested parties who need them in connection with their work;
f) determine which PII should be anonymized or de-identified based on the context, the form in which the PII is stored (e.g. database fields or excerpts from texts) and the risks identified;
g) de-identify the data that require such de-identification based on the form of the data to be de-identified (e.g. structured data such as databases and textual records, and unstructured data such as images) and the risks identified;
h) de-identify or anonymize publicly available data that is used for AI training, where consent from PII principal cannot be obtained to process it directly from the PII principals;
i) delete and dispose of PII whenever the purpose for PII processing has expired, when there are no legal requirements to keep the PII or whenever it is practical to do so; and
j) consider whether, and which, privacy enhancing technologies (PETs) may be used.
The minimum set of PII elements required to support a specific organization business process may be a subset of the PII the organization is authorized to collect.
The PII should be classified into mandatory PII and optional PII for collection. Organizations should collect only the mandatory PII required for providing service and obtain appropriate opt-in consent from PII principals when collecting optional PII. Organizations should not decline to provide service when PII principals decline to give optional PII.
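The following is an added example, not part of the standard, showing how the collection rules above (collect only the elements named in the notice for a purpose, store optional elements only with an opt-in, store sensitive elements only with explicit consent or a legal authorization, and never refuse the service because an optional element is missing) can be enforced in code at the point of collection. The "vacation_request" schema and its field names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class FieldSpec:
    """How one PII element may be collected for a given purpose."""
    mandatory: bool = True      # needed to deliver the service at all
    sensitive: bool = False     # special category: needs a legal basis or explicit consent


# Constructed schema for a hypothetical vacation-request process (assumption, not from the standard).
# Only elements listed here are named in the notice for this purpose; anything else is refused.
PURPOSE_SCHEMAS: Dict[str, Dict[str, FieldSpec]] = {
    "vacation_request": {
        "employee_id": FieldSpec(mandatory=True),
        "start_date": FieldSpec(mandatory=True),
        "end_date": FieldSpec(mandatory=True),
        "contact_phone": FieldSpec(mandatory=False),
        "medical_note": FieldSpec(mandatory=False, sensitive=True),
    },
}


class CollectionError(ValueError):
    """Raised when a submission cannot be accepted under the purpose's schema."""


def collect(
    purpose: str,
    submitted: Dict[str, Any],
    opt_in: FrozenSet[str] = frozenset(),
    explicit_consent: FrozenSet[str] = frozenset(),
    legally_authorized: FrozenSet[str] = frozenset(),
) -> Tuple[Dict[str, Any], List[str]]:
    """Return (accepted, dropped): the minimum PII kept for `purpose` and the element names not stored.

    - elements not declared for the purpose are refused outright (collection outside the notice);
    - mandatory elements must be present; optional ones are stored only with an opt-in;
    - sensitive elements are stored only with explicit consent or a documented legal authorization;
    - a missing optional element never blocks the service.
    """
    schema = PURPOSE_SCHEMAS.get(purpose)
    if schema is None:
        raise CollectionError(f"no notice/schema defined for purpose {purpose!r}")

    undeclared = sorted(set(submitted) - set(schema))
    if undeclared:
        raise CollectionError(f"elements not covered by the notice for {purpose!r}: {undeclared}")

    missing = sorted(n for n, spec in schema.items() if spec.mandatory and n not in submitted)
    if missing:
        raise CollectionError(f"mandatory elements missing: {missing}")

    accepted: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, value in submitted.items():
        spec = schema[name]
        if spec.sensitive and name not in explicit_consent and name not in legally_authorized:
            dropped.append(name)           # sensitive PII without consent/authorization: discard
        elif not spec.mandatory and not spec.sensitive and name not in opt_in:
            dropped.append(name)           # optional PII without opt-in: discard, service continues
        else:
            accepted[name] = value
    return accepted, sorted(dropped)
```

The submitted dictionary is checked against the schema before anything is stored, so an element the notice never mentioned is rejected rather than quietly persisted; dropped element names are returned so the application can log that over-collection was attempted without logging the values themselves.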
The organization should ensure that the minimum PII is processed according to the stated purpose.
Often, during analysis of anonymized data, when the output is a small data set the identity of PII principals can be revealed. Therefore, it is good practice to prevent output when the number of records is less than a threshold number (e.g. 10 records). The threshold should be carefully arrived at, based on the data distribution pattern.
Organizations should reduce their privacy and information security risks by also reducing their inventory of PII, where appropriate. Organizations should conduct both an initial review and subsequent reviews of their PII archives to ensure, to the maximum extent practicable, that such data stacks are accurate, relevant, timely, and complete.
Organizations should also be directed to reduce their PII archives to the minimum necessary for the proper performance of a documented organizational business purpose. Organizations should develop and publicize a schedule for periodic reviews of their data stack to supplement the initial review.
De-identification measures should be described and designed using the privacy-enhancing data de-identification techniques described in ISO/IEC 20889 and the framework of the de-identification process for telecommunication service providers in ITU-T X.1148, according to the privacy principles in ISO/IEC 29100. As a general rule, in order to conclude that a de-identification process complies with the law, organizations should carry out de-identification (e.g. deleting or generalizing attributes) together with strong organizational and technical measures. In addition, organizations should implement measures to ensure that combining de-identified datasets shared by multiple organizations is compliant with the law, and should use robust organizational and technical measures when combining such datasets, taking into account the security guidelines for combining de-identified data using a trusted third party described in ITU-T X.1771. To this end, a third-party organization can be assigned to carry out the combining of de-identified datasets.
Other information for the protection of PII
Anonymization, as defined in ISO/IEC 29100, is a process involving an irreversible loss of information. In some cases, simply deleting part of the data can achieve the desired objective.
When PII is processed for a purpose, the extent of the PII processed should be minimized so as to serve only the intended purpose, without revealing excessive information about the principal. For example, if the geographical area of a respondent to a traffic-related survey is required, consider collecting only nearby landmarks rather than a precise address.
By performing periodic evaluations, organizations reduce risk, ensure that they are collecting only the data specified in the notice, and ensure that the data collected is still relevant and necessary.
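As an added example (not part of the standard), the two points made above are combined: quasi-identifiers are generalized before aggregation (a coarse area instead of a precise location, an age band instead of an exact age), and any output cell with fewer records than a threshold is withheld. The survey responses, locality codes and the threshold values are constructed; the standard's "e.g. 10 records" is only an illustration and the threshold must be chosen from the real data distribution.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed responses to a hypothetical traffic survey (assumption, not the standard's data).
# Only a locality code and the respondent's age were collected, never a street address.
SURVEY_RESPONSES: List[Dict[str, object]] = (
    [{"locality": "SW1A", "age": 34, "mode": "bus"} for _ in range(5)]
    + [{"locality": "SW1B", "age": 41, "mode": "bus"} for _ in range(3)]
    + [{"locality": "N1C7", "age": 29, "mode": "bicycle"} for _ in range(3)]
    + [{"locality": "E2A3", "age": 58, "mode": "car"}]
)


def generalize(response: Dict[str, object]) -> Dict[str, str]:
    """Coarsen quasi-identifiers before any aggregation."""
    locality = str(response["locality"])
    age = int(str(response["age"]))
    decade = (age // 10) * 10
    return {
        "area": locality[:3],                       # SW1A, SW1B -> SW1 (constructed scheme)
        "age_band": f"{decade}-{decade + 9}",       # 34 -> 30-39
        "mode": str(response["mode"]),
    }


def aggregate_with_suppression(
    responses: List[Dict[str, object]], group_by: Tuple[str, ...], threshold: int
) -> Tuple[Dict[Tuple[str, ...], int], int]:
    """Count responses per group and withhold every cell holding fewer than `threshold` records.

    Returns (released_cells, number_of_suppressed_cells). This is primary suppression only:
    if marginal totals are also published, complementary suppression is needed so that a withheld
    cell cannot be recovered by subtraction (not implemented here).
    """
    counts: Counter = Counter()
    for r in responses:
        g = generalize(r)
        counts[tuple(g[k] for k in group_by)] += 1
    released = {key: n for key, n in counts.items() if n >= threshold}
    suppressed = sum(1 for n in counts.values() if n < threshold)
    return released, suppressed
```

With the constructed data, grouping by area gives cells of 8, 3 and 1 records: a threshold of 3 releases two cells and withholds one, while a threshold of 10 withholds everything, which is exactly why the threshold has to be set against the actual distribution rather than copied from an example.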
- Use, retention and disclosure limitation
- Use, retention and disclosure limitation
Control
Organizations shall implement appropriate measures to limit the processing of PII for legitimate and intended purposes and to retain PII only as long as necessary to fulfil the stated purposes being aware of legal requirements.
Purpose
To limit the use and disclosure of PII for specific, explicit and legitimate purposes and to retain PII no longer than necessary to fulfil the stated purposes being aware of legal requirements.
Guidance for the protection of PII
Organizations should:
a) limit the use, retention, and disclosure (including transfer) of PII to that which is necessary in order to fulfil specific, explicit and legitimate purposes; and
b) configure its information systems to record the date when PII is collected, created, or updated and when PII must be deleted or archived under an approved record retention schedule.
Guidance on use for the protection of PII
Organizations should:
a) lock (e.g. archive, secure and exempt from further processing) any PII when the stated purposes have expired but retention is required;
b) use appropriate techniques or methods to ensure secure deletion or destruction of PII (including originals, copies and archived records);
c) limit external party access to organizational systems and PII to that which is strictly necessary and which has been formally authorized. If access is really necessary for the business, appropriate approval procedures should be followed;
d) confirm the external party systems that are permitted to connect to organizational systems have implemented appropriate safeguards prior to being allowed to connect;
e) periodically review the safeguards implemented by third parties to ensure that they continue to meet the organization's information security requirements – if, as a result of such a review, the safeguards are found to be inadequate, third parties should be disconnected until such time as they demonstrate that adequate safeguards have been restored;
f) implement appropriate access authentication mechanisms when PII is accessed through remote interfaces, and record logs of PII access; and
g) provide notice to inform the PII principals of any significant changes in PII archives collected during the security monitoring process.
Guidance on retention for the protection of PII
There can be circumstances in which a legal requirement to retain PII results in the retention of PII beyond that required for specified business purposes.
Organizations should:
a) only retain PII for an authorized time period to fulfil the purpose(s) identified in the privacy notice and, if applicable, by applicable laws and delete the PII promptly when the retention period expires;
b) where required to retain PII for longer than required for specified business purposes, implement measures such as de-identification to protect the PII;
c) define PII retention periods that are time limited and appropriate to the purpose of the processing;
d) confirm that the information systems can detect the expiration of the retention period;
e) ensure that agreed retention periods are implemented and PII disposed of in accordance with the retention periods;
f) develop an automated or semi-automated functionality that deletes PII when its retention period expires. This deletion should occur immediately or as soon as it is practical to do;
g) determine what should be de-identified based on the context, the form in which the PII is stored (including database fields or excerpts from texts) and the risks identified;
h) de-identify the data that require such de-identification based on the form of the data to be de-identified (including databases and textual records) and the risks identified; and
i) choose tools (including partial deletion, hashing, key hashing and index) for the protection of PII if that data cannot be de-identified.
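The following added example (not part of the standard) shows one way to implement the record-keeping and retention items above in code: each record carries the date it was collected and last updated, the deletion date is derived from a retention schedule per purpose, a periodic job detects expired retention periods, deletes records that have no legal reason to be kept, and locks (keeps but exempts from processing) those under a legal hold. The retention periods, record identifiers and the assumption that the retention clock runs from collection are constructed for the example; real periods come from the approved record retention schedule and applicable law.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule per processing purpose (assumption, not from the standard).
RETENTION: Dict[str, timedelta] = {
    "payroll": timedelta(days=7 * 365),
    "vacation_request": timedelta(days=2 * 365),
}


@dataclass
class PiiRecord:
    record_id: str
    purpose: str
    collected_on: date          # recorded at collection/creation
    updated_on: date            # recorded on every update
    legal_hold: bool = False    # a legal requirement forces retention beyond the purpose
    status: str = "active"      # active | locked | deleted

    @property
    def delete_by(self) -> date:
        # Assumption: the retention period runs from collection, not from the last update.
        return self.collected_on + RETENTION[self.purpose]


def review_retention(records: List[PiiRecord], today: date) -> List[Tuple[str, str]]:
    """Periodic job: detect expired retention periods and act on each record.

    expired, no legal hold -> 'deleted' (the secure-deletion step itself, which must also cover
                              copies, backups and archives, is outside this example)
    expired, legal hold    -> 'locked': kept, but exempt from further processing; once the hold
                              is lifted the next run deletes it
    Returns the actions taken so they can be written to the audit log.
    """
    actions: List[Tuple[str, str]] = []
    for rec in records:
        if rec.status == "deleted" or today < rec.delete_by:
            continue
        if rec.legal_hold:
            if rec.status != "locked":
                rec.status = "locked"
                actions.append((rec.record_id, "locked"))
        else:
            rec.status = "deleted"
            actions.append((rec.record_id, "deleted"))
    return actions


def expiring_within(records: List[PiiRecord], today: date, window: timedelta) -> List[str]:
    """Early warning list so an expiry is not missed between two review runs."""
    return [
        r.record_id
        for r in records
        if r.status == "active" and today <= r.delete_by <= today + window
    ]
```

Running the review is idempotent: a second pass on the same day reports no further actions, which makes it safe to schedule frequently and to re-run after a failure.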
Guidance on disclosure for the protection of PII
Organizations should:
a) not disclose PII to external parties without the prior knowledge and consent of the PII principal, unless such disclosure is otherwise permitted by relevant legislation. It is possible that knowledge and consent of the PII principal is not required where disclosure is to internal parties (e.g. employees) who have a need to know; and
b) provide strong protection mechanisms when PII is transferred, including data encryption, data authentication, and integrity protection.
Employee PII should be disposed of (e.g. securely deleted or archived) in accordance with applicable legislation and regulations, as well as according to organizational disposal policies and where appropriate, employee consent.
- Secure erasure of temporary files
Control
Temporary files and documents that may contain PII shall be disposed of within a specified, documented period.
Purpose
To provide technical measures for temporary files to be deleted within the specified period.
Guidance for the protection of PII
Information systems may create temporary files that contain PII in the normal course of their operation. Such files are system- and application-specific, but may include a file system with roll-back capability and temporary files associated with the updating of databases and the operation of other application software. Temporary files are not typically needed after the related information processing task has completed, but there are circumstances in which they are not deleted automatically. The length of time for which these files remain in use is not always deterministic but a “garbage collection” procedure should identify the relevant temporary files and determine how long since they were last used.
PII processing information systems should implement a periodic check to ensure that unused temporary files above a specified age are deleted.
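As an added example (not part of the standard), the following "garbage collection" pass finds temporary files that have not been used for longer than a specified age and removes them. The file-name patterns, the 7-day maximum age and the files in the demonstration directory are constructed; real applications name their temporary files differently, and the maximum age must come from the documented retention period for such files.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Sequence, Tuple

# Constructed name patterns for application temp files (assumption; real ones are application-specific).
TEMP_PATTERNS: Sequence[str] = ("*.tmp", "*.bak", "*~")


def find_stale_temp_files(root: Path, max_age_seconds: float, now: Optional[float] = None,
                          patterns: Sequence[str] = TEMP_PATTERNS) -> List[Path]:
    """List temp files under `root` not modified for more than `max_age_seconds`.

    mtime is used as the 'last used' proxy because access-time updates are often disabled.
    Symlinks are skipped so that a planted link cannot redirect the purge at a file outside
    the temp area.
    """
    now = time.time() if now is None else now
    stale: List[Path] = []
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_symlink() or not p.is_file():
                continue
            if now - p.stat().st_mtime > max_age_seconds:
                stale.append(p)
    return sorted(set(stale))


def purge_stale_temp_files(root: Path, max_age_seconds: float, now: Optional[float] = None,
                           dry_run: bool = False) -> List[str]:
    """One garbage-collection pass: remove stale temp files and return their names for the audit log.

    unlink() is not a secure erase on flash storage; keep the temp area on encrypted storage so
    that blocks of deleted files are unreadable once the key is gone.
    """
    removed: List[str] = []
    for p in find_stale_temp_files(root, max_age_seconds, now):
        if not dry_run:
            p.unlink()
        removed.append(p.name)
    return removed


def demo_gc() -> Tuple[List[str], List[str]]:
    """Build a constructed temp area, run one pass with a 7-day maximum age, report the outcome."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "jobs").mkdir()
        files = {
            "export.tmp": now - 10 * 86400,      # stale: last modified 10 days ago
            "jobs/merge.bak": now - 30 * 86400,  # stale, in a subdirectory
            "work.tmp": now - 3600,              # still in use an hour ago: kept
            "report.csv": now - 10 * 86400,      # old, but not a temp file: kept
        }
        for name, mtime in files.items():
            path = root / name
            path.write_text("constructed content")
            os.utime(path, (mtime, mtime))
        removed = purge_stale_temp_files(root, 7 * 86400, now=now)
        remaining = sorted(p.name for p in root.rglob("*") if p.is_file())
    return removed, remaining
```

Run the pass with `dry_run=True` first to review what would be deleted, then schedule it (for example from cron or a service timer) at an interval shorter than the documented disposal period so that no temporary file outlives that period by more than one interval.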
- PII disclosure notification
Control
The contract between the PII controller and the PII processor shall require the PII processor to notify the PII controller, according to any procedure and time periods agreed in the contract, of any request for disclosure of PII by law enforcement or other authority, taking into account legal requirements.
Purpose
To ensure the PII processor notifies the PII controller of any legally binding request for disclosure of PII.
Guidance for the protection of PII
Organizations should implement measures (e.g. contractual obligations) to ensure that:
a) PII processors consult the relevant PII controller prior to accepting any legally binding requests for disclosure of PII, unless otherwise prohibited by law; and
b) PII processors accept any contractually agreed requests for PII disclosures, as authorized by the relevant PII controller, unless otherwise prohibited by law.
- Recording of PII disclosures
Control
Disclosures of PII to third parties shall be recorded, including which PII has been disclosed, to whom, at what time and for which purpose.
Purpose
To ensure that disclosures of PII to third parties are recorded.
Guidance for the protection of PII
PII may be disclosed to third parties from lawful investigations or external audits. Disclosure should be recorded. The records should include the source of the disclosure and the source of the authority to make the disclosure.
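The following added example (not part of the standard) implements a disclosure register with the fields named above: which PII was disclosed, to whom, when, for which purpose, the source of the disclosure and the source of the authority for it. A reference to the PII principal is included so that the register can answer access requests, and entries are hash-chained so that later alteration or removal is detectable; both the principal reference and the hash chain are additions beyond the text. All recipients, authorities and identifiers in the test are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64


class DisclosureRegister:
    """Append-only record of PII disclosures to third parties.

    Each entry captures what was disclosed, to whom, when, for which purpose, who disclosed it
    and under which authority. Entries are hash-chained (an addition beyond the standard's text)
    so that later alteration or removal of an entry is detectable with verify().
    """

    REQUIRED = ("principal_ref", "pii_items", "recipient", "purpose", "source", "authority")

    def __init__(self) -> None:
        self._entries: List[Dict[str, object]] = []

    @staticmethod
    def _digest(entry: Dict[str, object]) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, *, principal_ref: str, pii_items: List[str], recipient: str, purpose: str,
               source: str, authority: str, disclosed_at: Optional[datetime] = None) -> str:
        """Append one disclosure; every required field must be non-empty. Returns the entry hash."""
        entry: Dict[str, object] = {
            "principal_ref": principal_ref,
            "pii_items": sorted(pii_items),        # element names only, never the values
            "recipient": recipient,
            "purpose": purpose,
            "source": source,                       # who inside the organization disclosed it
            "authority": authority,                 # e.g. court order or audit engagement reference
            "disclosed_at": (disclosed_at or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else GENESIS,
        }
        missing = [k for k in self.REQUIRED if not entry[k]]
        if missing:
            raise ValueError(f"disclosure record incomplete: {missing}")
        entry["entry_hash"] = self._digest(entry)
        self._entries.append(entry)
        return str(entry["entry_hash"])

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = str(e["entry_hash"])
        return True

    def disclosures_for(self, principal_ref: str) -> List[Dict[str, object]]:
        """Support an access request: everything disclosed about one PII principal."""
        return [dict(e) for e in self._entries if e["principal_ref"] == principal_ref]

    def entries(self) -> List[Dict[str, object]]:
        """Live list, exposed only so that a tampering scenario can be demonstrated."""
        return self._entries
```

In production the entries would be written to append-only storage and the latest entry hash periodically anchored elsewhere (for example in a signed log or a separate system), since an attacker who can rewrite the whole list can also rebuild the chain.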
- Disclosure of subcontracted PII processing
Control
The use of subcontractors by the PII processor to process PII should be disclosed to the PII controller prior to any such use.
Purpose
To ensure that PII processors disclose any use of subcontractors to the PII controller.
Guidance for the protection of PII
Provisions for the use of subcontractors to process PII should be specified in the contract between the PII processor and the PII controller. The contract should specify that subcontractors may only be commissioned with the prior authorization of the PII controller. The PII processor should inform the PII controller in a timely fashion of any intended changes in this regard, so that the PII controller can object to such changes or to terminate the consent.
Information disclosed should cover the fact that subcontracting is used, and include the names of relevant subcontractors, but not any business-specific details. The information disclosed should also include the countries in which subcontractors may process data and the means by which subcontractors are obliged to meet or exceed the obligations of the PII processor.
Where public disclosure of subcontractor information is assessed to increase information security risk beyond acceptable limits, disclosure should be made under a non-disclosure agreement or on the request of the PII controller. The PII controller should be made aware that information about subcontractors being used is available.
- Accuracy and quality
Control
Organizations shall implement appropriate measures to ensure that PII collected from a PII principal, either directly or indirectly, is of appropriate quality.
Purpose
To ensure that the PII processed is accurate, complete, up to date, adequate and relevant for the purpose of use.
Guidance for the protection of PII
Achieving data quality means that the PII being processed is accurate, of adequate precision, complete, up to date, adequate and relevant for the purpose of use.
Organizations should:
a) establish PII collection procedures to help ensure accuracy and quality;
b) collect PII in a manner that any modifications are detectable after it has left the authoritative source;
c) confirm to the greatest extent practicable upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of the PII;
d) ensure the reliability of PII collected from a source other than from the PII principal before it is processed;
e) verify, through appropriate means, the validity and correctness of the requests for correction made by the PII principal prior to making any changes to the PII, where it is appropriate to do so;
f) periodically check for, and correct as necessary, any inaccurate or outdated PII used by its programmes or systems; and
g) issue guidelines ensuring and maximizing the accuracy, completeness, adequacy and relevance of disseminated information. Organizations should take reasonable steps to confirm the accuracy of PII. Such steps may include, for example, editing and validating addresses as they are collected or entered into information systems using automated address verification look-up application programming interfaces (APIs).
To minimize the scope for data inaccuracy, information systems should, to the extent possible, have double-check or double-validation mechanisms. In the case of double-validation mechanisms, one of the validators should be the PII principal.
Other information for the protection of PII
The types of measures taken to protect data quality may be based on the nature and context of the PII, how it is to be used, and how it was obtained. Measures taken to validate the accuracy of any sensitive PII should be more comprehensive than those used to validate less sensitive PII. Additional steps can be necessary to validate PII that is obtained from sources other than PII principals or the authorized representatives of PII principals.
- Openness, transparency and notice
- Privacy notice
Control
Organizations shall implement appropriate measures to provide PII principals with appropriate notice of the purposes of PII processing.
Purpose
To ensure that privacy notices contain the appropriate level of details, are written in plain language, and are easily accessible.
Guidance for the protection of PII
Organizations should:
a) provide effective notice to PII principals regarding:
1) their activities that impact privacy, including, but not limited to, their collection, use, sharing, safeguarding and secure disposal of PII,
2) legal ground for collecting PII,
3) the choices, if any, PII principals may have regarding how the organization uses PII and the consequences of exercising or not those choices, and
4) the ability to object to the processing, if applicable;
c) revise their notices to reflect changes in practice or policy that affect PII or changes in their activities that impact privacy, before or as soon as practicable after the change;
d) ensure that the notification is complete and appropriate to the target audience based on the nature of the PII, the practical means chosen for providing the notice, and the nature of the relationship between the PII controller and PII principal;
e) present the information in a clear manner that can be understood by a person who is not familiar with information technologies, the Internet or legal jargon;
f) ensure that the notification is provided before or at the time of PII collection, if possible;
i) provide a means by which to show that notification was provided, if possible;
j) where a privacy notice is provided by physical means, post this information on a sign that PII principals should see or require that a notice or document be signed or initialled; and
k) provide a policy for the provision of labels and signs needed to inform PII principals about relevant technology use [e.g. Closed-Circuit Television (CCTV) systems, WiFi, and radio frequency identification (RFID)].
To the extent possible, the notice should be prominently displayed at the point of collection (e.g. on the organization’s website or in a physical location), without the need for the PII principal to specifically request it.
- Openness and transparency
Control
Organizations shall implement appropriate measures to provide PII principals with appropriate information about their PII processing policies, procedures and practices with respect to the handling of PII.
Purpose
To provide PII principals with clear and easily accessible information about the PII controller’s policies, procedures and practices with respect to the handling of PII.
Guidance for the protection of PII
Organizations should:
a) provide PII principals with clear and easily accessible information about the PII controller's policies, procedures and practices with respect to the processing of PII;
b) disclose the choices and means offered by the PII controller to PII principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information.
In addition, organizations should describe:
a) the PII the organization collects and the purpose(s) for which it collects that information;
b) how the organization uses PII internally;
c) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing;
d) whether PII principals can consent to specific uses or sharing of PII and how to exercise any such consent;
e) how long the PII will be retained;
f) whether the organization on-sells or forwards data for processing by data analytics organizations and the details applicable to PII risks;
g) how PII principals may obtain access to PII for the purpose of having it amended or corrected, where appropriate;
h) appropriate information about how PII will be protected;
i) ensure that PII principal has access to information about its privacy activities and can communicate with its CPO;
j) provide, where requested, information relating to privacy incidents that have impacted the requestor's PII and, if available, actions that the requestor could take to mitigate the impacts arising from the incident.
Organizations should also employ different mechanisms for informing the public about their privacy practices including, but not limited to, PIA reports, privacy reports, publicly available web pages, email distributions, blogs and periodic publications (e.g. quarterly newsletters). Organizations should also employ publicly facing email addresses or phone lines that enable the public to provide feedback or to direct questions to privacy offices regarding privacy practices.
Other information for the protection of PII
Organizations should periodically notify PII principals of the content of their processing of PII (e.g. purpose of processing PII, items of PII collected, the third parties to whom the PII is provided, etc.) to provide transparency in their processing, if applicable.
- PII principal participation and access
- PII principal access
Control
Appropriate measures shall be implemented by organizations to provide PII principals with the ability to have access to their PII, and to obtain rectification of the PII or deletion of the PII.
Purpose
To give PII principals the ability to access and review their PII and to challenge its accuracy and completeness.
Guidance for the protection of PII
Organizations should:
a) determine the practical means that will be implemented to allow PII principals to exercise their right of access (where allowed by applicable legislation). Individuals should be able to exercise this right in a timely manner, in a form understandable and accessible to the PII principal and similar to the means used to collect the PII originally (e.g. by paper mail or by email);
b) analyse the cases in which the practical means chosen are no longer operational and identify back-up solutions, if necessary;
c) provide PII principals the ability to access to their PII as held by the organization, in order to assess its accuracy and to request corrections as necessary;
d) to the extent possible, responses should be provided in a form equivalent to that in which the request was made (e.g. if the request is made by paper mail, the response should be provided by paper mail);
e) publish rules and regulations governing how PII principals may request access to records maintained in its system;
f) allow PII principals to challenge the accuracy and completeness of the PII directly or indirectly and have it amended, corrected or removed as appropriate and possible in the specific context;
g) establish procedures to enable PII principals to exercise these rights in a simple, fast and efficient way, which does not entail undue delay (e.g. responses should be provided as specified in organizational policy) or cost;
h) establish a process to inform PII principals submitting requests about the status of their request and the necessary processing (e.g. by postal mail or email, noting that the request has been received and the date by which they can expect to receive a response) – in the case of stored archives, there may be some leeway regarding the response date if the PII controller informs the PII principal submitting the request of the timescale for request processing and has provided a reasonable response time;
i) ensure that the right of access can always be exercised;
j) ensure that PII is only accessed by the individual to whom that information relates or an authorized agent of that individual. This can require that individuals requesting access identify and authenticate themselves in a satisfactory manner. Requirements for such identification and authentication may be defined in applicable legislation or regulation;
k) where identification and authentication of requestors is required, determine the appropriate form of identification and authentication. Organizations should request only the minimum information necessary to ensure correct identification. This information should be secured and should only be retained as long as necessary;
l) ensure that PII is only sent to the relevant PII principal and that it is sent in a secure manner;
m) ensure that all information that PII principals may request can be provided, while still protecting the PII of other PII principals;
n) communicate in privacy notices if they intend to levy any fees for access, as may be permitted by law in some jurisdictions; and
o) require any PII processor to support the PII controller in facilitating the exercise of PII principal's rights to access, correct or delete their data.
Access gives PII principals the ability to review PII about them held within organizational systems of records. Access includes timely, simplified and inexpensive access to data. Organizational processes for allowing access to records may differ based on resources, legal requirements or other factors.
- Rectification
Control
Unless prohibited by relevant legislation or regulation, organizations shall implement appropriate measures to provide PII principals with the ability to correct, amend or delete PII maintained by organizations. Organizations shall also establish a mechanism by which any corrections, amendments or deletions are notified to PII processors and, as far as possible, to third parties to whom PII had been disclosed.
Purpose
To ensure correction, amendment or deletion of PII.
Guidance for the protection of PII
Organizations should:
a) ensure that the principal can always exercise the right to correct;
b) analyse the cases in which the practical means chosen are no longer operational and identify back-up solutions, if necessary;
c) to the extent permissible by relevant legislation or regulation, ensure that PII principals can exercise their right to correction;
d) ensure the accuracy of the corrections requested;
e) ensure that the PII principals submitting requests receive confirmation;
f) ensure that the third parties to whom the PII may have been sent are informed of the corrections made; and
g) provide PII principals with access only to the PII they need to correct, amend and delete.
- Complaint management
Control
Organizations shall implement appropriate measures to efficiently handle complaints received from PII principals.
Purpose
To set up efficient internal complaint handling and redress procedures for use by PII principals.
Implementation guidance for the protection of PII
Organizations should implement a complaint management process and maintain a point of contact for receiving and responding to complaints, concerns, or questions from PII principals about organizational privacy practices.
Organizations should provide complaint mechanisms that:
a) are readily accessible by the PII principals,
b) include all information necessary for successfully filing complaints (including contact information for the CPO or other official designated to receive complaints), and
c) are easy to use.
Organizational complaint management processes should include tracking mechanisms to ensure that all complaints received are reviewed and appropriately addressed in a timely manner. Complaint management should also include corrective action triggered from the complaint.
Other information for the protection of PII
Complaints, concerns, and questions from PII principals can serve as a valuable source of external input that ultimately improves operational models, uses of technology, data processing practices, and privacy and information security safeguards.
- Accountability
- Governance
Control
Organizations shall implement appropriate measures to establish efficient governance related to PII processing.
Purpose
To establish efficient governance for PII processing.
Guidance for the protection of PII
Organizations should:
a) appoint a person accountable for developing, implementing and maintaining an organization-wide governance and privacy programme to ensure compliance with all applicable laws and regulations regarding PII processing by programmes and information systems. The appointed person can be designated as a CPO. As another option, a dedicated member of the board of directors may assume accountability, with the support of a dedicated member of personnel that may be subcontracted;
b) ensure that the appointed person has the necessary expertise to oversee PII processing;
c) ensure that the appointed individual is involved in all issues that relate to the protection of PII and can directly report to senior management in a timely manner;
d) provide the appointed individual with personnel, premises, equipment and other resources necessary to carry out their tasks;
f) develop, disseminate and implement operational PII protection policies and procedures that govern PII protection and information security controls for programs, information systems, or technologies involving PII;
g) update PII protection plans, policies, and procedures periodically; and
h) monitor periodically the performance of the organization on PII protection. A senior management representative or member of the board should govern it with visibility into aspects such as quantitative metrics, risks and breaches. While such review can be performed as needed, it should also be periodic without the need for any triggers.
- Privacy impact assessment
Control
If an organization is processing PII, then the organization shall establish the procedures necessary to conduct a PIA.
Purpose
To establish a privacy impact assessment process and to perform a privacy impact assessment as necessary.
Guidance for the protection of PII
A privacy risk assessment should be conducted by an organization that takes its responsibility seriously and treats PII principals adequately. In some jurisdictions, a PIA can be necessary to meet legal and regulatory requirements.
Organizations should consider assets, threats, vulnerabilities and safeguards (existing and proposed) when performing privacy risk assessment. Organizations should document:
a) the criteria for carrying out a PIA (e.g. for the processing of sensitive data, for large-scale processing, when new technologies are used);
b) the results of a PIA including, but not limited to, the PII being processed;
c) the identified privacy risks; and
d) the proposed mitigation measures.
Other information for the protection of PII
ISO/IEC 29134 may be used as guidance for PIA.
- Privacy requirement for contractors and PII processors
Control
Organizations shall implement appropriate measures to ensure contractors and PII processors have implemented adequate levels of PII protection.
Purpose
To ensure, through contractual or other means such as mandatory internal policies, that third party recipients provide at least equivalent levels of PII protection.
Guidance for the protection of PII
Organizations should:
a) document in the service level agreement the PII protection requirements that PII processors are required to meet;
b) monitor and audit the implementation of those requirements by contractors;
c) establish PII protection roles and responsibilities for contractors and PII processors;
d) determine by contract the subject and time frame of the service to be provided, the extent, manner and purpose of the processing of PII by the PII processor as well as the types of PII processed;
e) specify the conditions under which a PII processor should return or securely dispose of PII upon completion of service, termination of any governing agreement or otherwise upon the request of the PII controller;
f) include a confidentiality clause, binding both upon the provider and any of its employees who can access the PII;
g) ensure that the service provider does not communicate the PII to third parties, even for preservation purposes, unless specifically permitted in the contract;
h) clarify the responsibilities of the service provider to notify the PII controller in the event of any data breach that affects the PII;
i) fix by contract that the service provider should notify the PII controller of any relevant changes concerning the service such as the implementation of additional functions; and
j) document and communicate as appropriate all PII protection-related policies, procedures and practices.
Organizations should consult with legal counsel, the CPO, and contracting officers about applicable laws, directives, policies or regulations that can impact implementation of this control.
NOTE – The additional implementation guidance in 5.20 also applies.
Other information for the protection of PII
Contractors and PII processors may include, but are not limited to, service bureaus, information providers, information processors, and other organizations providing information system development, information technology services and other outsourced applications.
- Privacy monitoring and auditing
Control
Organizations shall implement appropriate measures to periodically monitor and audit privacy controls and the effectiveness of internal privacy policy.
Purpose
To monitor and audit PII protection controls and the effectiveness of internal PII protection policy.
Guidance for the protection of PII
Organizations should:
a) regularly monitor and audit PII processing operations, especially those involving sensitive PII, to ensure that they conform to applicable laws, regulations and contractual terms;
b) regularly monitor and audit PII protection controls and policies to ensure that they conform to applicable laws, regulations and contractual terms;
c) ensure that audits are conducted by qualified, independent parties (either internal or external to the organization); and
d) if conducting audits using internal resources, periodically have an external party conduct the audit for an independent assessment.
- PII protection awareness and training
Control
Organizations shall implement appropriate measures to provide suitable training for the personnel of the PII controller.
Purpose
To provide suitable training and awareness concerning PII protection for the personnel of the PII controller who will have access to PII.
Guidance for the protection of PII
Organizations should:
a) implement and maintain a comprehensive training and awareness strategy aimed at ensuring that personnel understand their PII protection responsibilities and procedures;
b) create mechanisms to keep the personnel with PII protection responsibilities updated on developments in the regulatory, contractual and technological environment that could impact privacy compliance by the organization;
c) administer basic and targeted role-based PII protection training on a regular (e.g. annual) or as required (e.g. after an incident) basis – this is particularly important for activities that only process PII on an infrequent basis; and
d) ensure that personnel certify (manually or electronically) acceptance of responsibilities for PII protection requirements periodically.
- PII protection reporting
Control
Organizations shall develop, disseminate as appropriate and update reports (e.g. reporting on breaches, investigations, audits) to senior management and other personnel with responsibility for monitoring PII protection in order to demonstrate accountability with specific statutory and regulatory PII protection programme mandates.
Purpose
To develop, disseminate and update PII protection reports.
Guidance for the protection of PII
Through external and internal PII protection reporting, organizations should promote accountability and transparency in organizational PII protection operations. Reporting should identify progress in meeting PII protection compliance requirements and PII protection controls, compare performance across the organization, identify vulnerabilities and gaps in policy and implementation, and identify success models.
- Information security
Control
PII in the care and custody of the organization shall be protected by appropriate controls, according to the results of a privacy and information security risk assessment and treatment or PIA.
Purpose
To ensure that PII is appropriately safeguarded according to the results of privacy and information security risk assessment and treatment.
Guidance for the protection of PII
Organizations should:
a) protect PII with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the PII, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle;
b) choose PII processors and appropriate contracts that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of PII, and ensure compliance with these controls;
c) base information security controls on applicable legal requirements, information security standards, the results of systematic information security risk assessments as described in ISO 31000 and the results of a cost–benefit analysis;
d) limit access to PII to individuals who require such access to perform their duties, and limit those individuals' access to only the PII that they require in order to perform their duties;
e) resolve risks and vulnerabilities that are discovered through privacy risk assessments and audit processes; and
f) subject the controls to periodic review and reassessment in an ongoing information security risk management process.
Information security requirements are sometimes prescribed by certain data privacy laws, in which case these legal requirements should be communicated to the data security function.
Due diligence should be taken when designing and implementing information security controls.
- Privacy compliance
- Compliance
- Privacy compliance
Control
Organizations shall implement appropriate measures to ensure PII processing meets compliance requirements.
Purpose
To avoid breaches of legal, statutory, regulatory, privacy policy or contractual obligations related to privacy and to any privacy requirements.
Guidance for the protection of PII
Organizations should:
a) produce an annual report detailing existing risks, stating the compliance position and including a summary of outstanding actions;
b) follow well-defined breach response processes that can, in some jurisdictions, include the requirement to notify PII principals and other authorities (e.g. data protection authorities); and
c) encrypt particular kinds of PII at rest and in transit, such as health data, resident registration numbers, passport numbers and driver's licence numbers, where a jurisdiction so requires.
- Cross border data transfer restrictions in certain jurisdictions
Control
Organizations shall, for any transfer of PII across borders, implement appropriate measures to protect PII.
Purpose
To protect PII when it is being transferred across borders.
Guidance for the protection of PII
When PII must be transferred to a country other than the territory where the PII currently resides, data privacy regulations of certain jurisdictions may impose restrictions, which typically include one or more of the following:
a) notification to the data protection authority;
b) approval from the data protection authority, particularly if data is sensitive;
c) conducting appropriate due diligence to ensure that PII transferred across a border is afforded protection equivalent to that required in the originating country; and
d) implementation of specific data transfer instruments such as standard contractual clauses, or binding corporate rules (BCRs).
Organizations should implement measures to check whether specific restrictions apply to any planned transfer and comply with them before carrying it out.
Annex B (informative)
Correspondence between this document and ISO/IEC 29151:2017
The purpose of this annex is to provide backwards compatibility with ISO/IEC 29151:2017 for organizations that are currently using that standard and now wish to transition to this edition.
Table B.1 provides the correspondence of the controls specified in Clauses 5 to 8 with those in ISO/IEC 29151:2017.
Table B.1 — Correspondence between controls in this document and controls in ISO/IEC 29151:2017
Control identifier (this document, ISO/IEC 29151) | Control identifier (ISO/IEC 29151:2017) | Control name |
5.1 | 05.1.1, 05.1.2 | Policies for information security |
5.2 | 06.1.1 | Information security roles and responsibilities |
5.3 | 06.1.2 | Segregation of duties |
5.4 | 07.2.1 | Management responsibilities |
5.5 | 06.1.3 | Contact with authorities |
5.6 | 06.1.4 | Contact with special interest groups |
5.7 | New | Threat intelligence |
5.8 | 06.1.5, 14.1.1 | Information security in project management |
5.9 | 08.1.1, 08.1.2 | Inventory of information and other associated assets |
5.10 | 08.1.3, 08.2.3 | Acceptable use of information and other associated assets |
5.11 | 08.1.4 | Return of assets |
5.12 | 08.2.1 | Classification of information |
5.13 | 08.2.2 | Labelling of information |
5.14 | 13.2.1, 13.2.2, 13.2.3 | Information transfer |
5.15 | 09.1.1, 09.1.2 | Access control |
5.16 | 09.2.1 | Identity management |
5.17 | 09.2.4, 09.3.1, 09.4.3 | Authentication information |
5.18 | 09.2.2, 09.2.5, 09.2.6 | Access rights |
5.19 | 15.1.1 | Information security in supplier relationships |
5.20 | 15.1.2 | Addressing information security within supplier agreements |
5.21 | 15.1.3 | Managing information security in the ICT supply chain |
5.22 | 15.2.1, 15.2.2 | Monitoring, review and change management of supplier services |
5.23 | New | Information security for use of cloud services |
5.24 | 16.1.1 | Information security incident management planning and preparation |
5.25 | 16.1.4 | Assessment and decision on information security events |
5.26 | 16.1.5 | Response to information security incidents |
5.27 | 16.1.6 | Learning from information security incidents |
5.28 | 16.1.7 | Collection of evidence |
5.29 | 17.1.1, 17.1.2, 17.1.3 | Information security during disruption |
5.30 | New | ICT readiness for business continuity |
5.31 | 18.1.1, 18.1.5 | Legal, statutory, regulatory and contractual requirements |
5.32 | 18.1.2 | Intellectual property rights |
5.33 | 18.1.3 | Protection of records |
5.34 | 18.1.4 | Privacy and protection of PII |
5.35 | 18.2.1 | Independent review of information security |
5.36 | 18.2.2, 18.2.3 | Conformance with policies, rules and standards for information security |
5.37 | 12.1.1 | Documented operating procedures |
6.1 | 07.1.1 | Screening |
6.2 | 07.1.2 | Terms and conditions of employment |
6.3 | 07.2.2 | Information security awareness, education and training |
6.4 | 07.2.3 | Disciplinary process |
6.5 | 07.3.1 | Responsibilities after termination or change of employment |
6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
6.7 | 06.2.2 | Remote working |
6.8 | 16.1.2, 16.1.3 | Information security event reporting |
7.1 | 11.1.1 | Physical security perimeters |
7.2 | 11.1.2, 11.1.6 | Physical entry |
7.3 | 11.1.3 | Securing offices, rooms and facilities |
7.4 | New | Physical security monitoring |
7.5 | 11.1.4 | Protecting against physical and environmental threats |
7.6 | 11.1.5 | Working in secure areas |
7.7 | 11.2.9 | Clear desk and clear screen |
7.8 | 11.2.1 | Equipment siting and protection |
7.9 | 11.2.6 | Security of assets off-premises |
7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
7.11 | 11.2.2 | Supporting utilities |
7.12 | 11.2.3 | Cabling security |
7.13 | 11.2.4 | Equipment maintenance |
7.14 | 11.2.7 | Secure disposal or re-use of equipment |
8.1 | 06.2.1, 11.2.8 | User endpoint devices |
8.2 | 09.2.3 | Privileged access rights |
8.3 | 09.4.1 | Information access restriction |
8.4 | 09.4.5 | Access to source code |
8.5 | 09.4.2 | Secure authentication |
8.6 | 12.1.3 | Capacity management |
8.7 | 12.2.1 | Protection against malware |
8.8 | 12.6.1, 18.2.3 | Management of technical vulnerabilities |
8.9 | New | Configuration management |
8.10 | New | Information deletion |
8.11 | New | Data masking |
8.12 | New | Data leakage prevention |
8.13 | 12.3.1 | Information backup |
8.14 | 17.2.1 | Redundancy of information processing facilities |
8.15 | 12.4.1, 12.4.2, 12.4.3 | Logging |
8.16 | New | Monitoring activities |
8.17 | 12.4.4 | Clock synchronization |
8.18 | 09.4.4 | Use of privileged utility programs |
8.19 | 12.5.1, 12.6.2 | Installation of software on operational systems |
8.20 | 13.1.1 | Networks security |
8.21 | 13.1.2 | Security of network services |
8.22 | 13.1.3 | Segregation of networks |
8.23 | New | Web filtering |
8.24 | 10.1.1, 10.1.2 | Use of cryptography |
8.25 | 14.2.1 | Secure development life cycle |
8.26 | 14.1.2, 14.1.3 | Application security requirements |
8.27 | 14.2.5 | Secure system architecture and engineering principles |
8.28 | New | Secure coding |
8.29 | 14.2.8, 14.2.9 | Security testing in development and acceptance |
8.30 | 14.2.7 | Outsourced development |
8.31 | 12.1.4, 14.2.6 | Separation of development, test and production environments |
8.32 | 12.1.2, 14.2.2, 14.2.3, 14.2.4 | Change management |
8.33 | 14.3.1 | Test information |
8.34 | 12.7.1 | Protection of information systems during audit testing |
Bibliography
[1] ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary
[2] ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements
[3] ISO/IEC 27005:2022, Information security, cybersecurity and privacy protection — Guidance on managing information security risks
[4] ISO/IEC 27018:2019, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
[5] ISO/IEC 27036-3:2023, Cybersecurity — Supplier relationships — Part 3: Guidelines for hardware, software, and services supply chain security
[6] ISO/IEC/FDIS 27701, Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance
[7] ISO/IEC 29134:2023, Information technology — Security techniques — Guidelines for privacy impact assessment
[8] ISO 31000:2018, Risk management — Guidelines
[9] ITU-T X.1148 (09/2020), Framework of de-identification process for telecommunication service providers
[10] ITU-T X.1771 (04/2024), Security guidelines for combining de-identified data using trusted third party
[11] European Commission, Evaluation report on the data retention directive (Directive 2006/24/EC), 2011
[12] BSI 10012, Specification for a personal information management system
[13] KCS, Personal information management system, December 2011
[14] NIST Special Publication 800-53 Appendix J, Security and privacy controls for federal information systems and organizations, July 2011
[15] NIST Special Publication 800-122, Guide to protecting the confidentiality of personally identifiable information (PII), April 2010