ISO IEC 29100-2024 PDF
Name in English: St ISO IEC 29100-2024
Name in Russian: Ст ISO IEC 29100-2024
Full title and description
ISO/IEC 29100:2024 — Information technology — Security techniques — Privacy framework. A high-level privacy framework that defines common privacy terminology, identifies actors and roles for processing personally identifiable information (PII), describes privacy safeguarding considerations and maps to established privacy principles for ICT systems and services.
Abstract
This International Standard provides a privacy framework intended to support the protection of personally identifiable information (PII) in information and communication technology (ICT) systems. It specifies common privacy terms and definitions, describes the key actors (PII principals, controllers, processors and third parties) and their roles and interactions, sets out privacy safeguarding considerations (organizational, contractual, legal and technical), and references widely accepted privacy principles such as purpose limitation, data minimization, transparency, individual participation and accountability. The second edition (2024) updates and consolidates the 2011 edition and its amendment.
General information
- Status: Published
- Publication date: 16 February 2024
- Publisher: ISO and IEC (joint publication)
- ICS / categories: 35.030
- Edition / version: Edition 2 (2024)
- Number of pages: 22
Scope
The standard is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering and operating ICT systems or services where privacy controls are required for the processing of PII. It provides a non-prescriptive, high-level framework to align privacy terminology, roles, safeguarding considerations and principles with information security practices. The work was prepared by ISO/IEC JTC 1/SC 27 (Information security, cybersecurity and privacy protection).
Key topics and requirements
- Common privacy terminology and definitions (PII, pseudonymization, anonymization, sensitive PII, identifiability, consent, etc.).
- Identification of actors and roles: PII principals, PII controllers, PII processors and third parties, and their responsibilities and interactions.
- Guidance on recognizing PII in ICT contexts, including identifiers, linked data and metadata.
- Privacy safeguarding considerations covering organizational, legal/regulatory, contractual and technical factors that influence privacy controls.
- Reference to core privacy principles: purpose limitation, consent and choice, collection limitation and minimization, use/retention/disclosure limitation, accuracy, openness/transparency, individual participation/access, accountability and information security.
- High-level expectations for privacy policies and the relationship between privacy and information security controls (alignment with ISO/IEC 27000 family concepts).
- Non-prescriptive guidance intended to be used as a basis for specifying privacy requirements, supplier contracts, privacy impact assessments and privacy-by-design approaches.
Typical use and users
ISO/IEC 29100:2024 is used by IT architects, system designers, developers, security and operations teams, privacy officers, compliance and legal teams, procurement and vendor management, and risk assessors. Typical applications include drafting privacy-aware system requirements, structuring privacy impact assessments, defining contractual privacy obligations for suppliers, aligning information security and privacy programs, and informing privacy-by-design decisions for products and services that process PII.
Related standards
Commonly referenced and complementary standards include ISO/IEC 27001 and ISO/IEC 27002 (information security management and controls), ISO/IEC 27701 (privacy information management — PII controllers and processors), ISO/IEC 27018 (protection of PII in public cloud services), ISO/IEC 29184 (online privacy notices and consent), and other ISO/IEC JTC 1/SC 27 outputs. ISO/IEC 29100:2024 replaces ISO/IEC 29100:2011 (and its amendment).
Keywords
privacy framework, PII, personally identifiable information, privacy principles, privacy terminology, PII controller, PII processor, privacy by design, information security, data minimization, transparency, ISO/IEC JTC 1/SC 27
FAQ
Q: What is this standard?
A: ISO/IEC 29100:2024 is an international standard that provides a high-level privacy framework for protecting personally identifiable information in ICT systems, specifying terminology, actor roles, safeguarding considerations and reference privacy principles.
Q: What does it cover?
A: It covers common privacy terminology, identification of actors and roles in PII processing, guidance for recognizing PII, privacy safeguarding considerations (organizational, contractual, legal and technical), and references to established privacy principles; it does not mandate specific technical controls.
Q: Who typically uses it?
A: IT architects, system designers, developers, privacy officers, compliance and legal teams, procurement and vendor managers, security and operations teams, and risk assessors use the standard to shape privacy requirements, assessments and contracts for systems that process PII.
Q: Is it current or superseded?
A: ISO/IEC 29100:2024 is the current edition, published on 16 February 2024. It supersedes ISO/IEC 29100:2011 and the 2018 amendment; organizations using the 2011 edition should migrate to or reference the 2024 edition where relevant.
Q: Is it part of a series?
A: The standard sits within the ISO/IEC information security and privacy family (JTC 1/SC 27) and is commonly used alongside the ISO/IEC 27000 series, ISO/IEC 27701 and related privacy and cloud privacy standards.
Q: What are the key keywords?
A: Key keywords include privacy framework, PII, privacy principles, data minimization, consent, transparency, PII controller, PII processor, privacy by design and information security.