ISO IEC 29134-2023 PDF

St ISO IEC 29134-2023

Name in English:
St ISO IEC 29134-2023

Name in Russian:
St ISO IEC 29134-2023

Description in English:

Original standard ISO IEC 29134-2023 in PDF, full version. Additional info + preview on request

Description in Russian:
Original standard ISO IEC 29134-2023 in PDF, full version. Additional info + preview on request

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso26070

Price:
€25

Full title and description

Information technology — Security techniques — Guidelines for privacy impact assessment (ISO/IEC 29134:2023). This international standard provides guidance on carrying out privacy impact assessments (PIAs), and on the recommended structure and content of PIA reports. It is intended to help organisations identify, assess and mitigate privacy risks associated with personal data processing throughout the lifecycle of systems, services and projects.

Abstract

ISO/IEC 29134:2023 gives guidelines for a process on privacy impact assessments and for the structure and content of a PIA report. The standard is applicable to organisations of all sizes and sectors, and is relevant to those designing, implementing or operating projects and systems that process personally identifiable information (PII). It supports integration of privacy risk assessment into project and system lifecycles and promotes documentation, stakeholder engagement and mitigation planning.

General information

  • Status: Published / Current
  • Publication date: 8 May 2023
  • Publisher: ISO/IEC (joint publication by the International Organization for Standardization and the International Electrotechnical Commission)
  • ICS / categories: 35.030 (IT security)
  • Edition / version: Edition 2 (2023)
  • Number of pages: 44

Scope

This document provides guidance on conducting privacy impact assessments (PIAs) and on preparing PIA reports. It covers the overall PIA process, roles and responsibilities, planning and scoping, identification and assessment of privacy risks, identification of mitigation measures, documentation and review. The guidance is generic and intended for use across sectors and organisation sizes; it can be applied to new projects, changes to existing processing, procurement and service operations that involve personal data.

Key topics and requirements

  • Definition of a PIA process: planning, scoping, assessment, mitigation, reporting and review.
  • Structure and recommended content of a PIA report (context, processing description, risk analysis, mitigation actions, decision and follow-up).
  • Identification and assessment of privacy risks to individuals arising from personal data processing.
  • Integration of PIA activities into project and system lifecycles and change management.
  • Roles and responsibilities: data controllers, processors, project sponsors, privacy officers and stakeholders.
  • Guidance on stakeholder consultation, documentation, monitoring and periodic review.
  • Consideration of legal, regulatory and contractual privacy requirements when assessing risk and defining mitigations.
  • Practical recommendations for recording assumptions, evidence and decisions to support accountability.

Typical use and users

Organisations implementing new systems, services or business processes that involve personal data use this standard to assess privacy risks and demonstrate accountability. Typical users include data protection officers (DPOs), privacy practitioners, information security teams, project managers, system designers, procurement teams, legal and compliance staff, and external consultants performing PIAs on behalf of organisations.

Related standards

Standards and guidance commonly used alongside ISO/IEC 29134:2023 include ISO/IEC 27001 and ISO/IEC 27002 (information security management and controls), ISO/IEC 27701 (privacy information management), ISO/IEC 29100 (privacy framework), and national/regional data protection laws and guidance (for example GDPR in the EU). ISO/IEC 29134:2023 replaces ISO/IEC 29134:2017 (withdrawn).

Keywords

privacy impact assessment, PIA, DPIA, personal data, PII, privacy risk assessment, privacy by design, data protection, mitigation, privacy report, accountability

FAQ

Q: What is this standard?

A: ISO/IEC 29134:2023 is an international standard that provides guidelines for performing privacy impact assessments (PIAs) and for the structure and content of PIA reports.

Q: What does it cover?

A: It covers a PIA process (planning, scoping, assessment, mitigation, reporting and review), roles and responsibilities, documentation requirements, stakeholder engagement and how to integrate PIAs into project and system lifecycles.

Q: Who typically uses it?

A: Data protection officers, privacy and security practitioners, project managers, system designers, legal/compliance teams and consultants use the standard to identify and manage privacy risks and to demonstrate accountability.

Q: Is it current or superseded?

A: It is current. ISO/IEC 29134:2023 (Edition 2) was published on 8 May 2023 and supersedes ISO/IEC 29134:2017 (the 2017 edition has been withdrawn).

Q: Is it part of a series?

A: Yes. ISO/IEC 29134 sits within the ISO/IEC JTC 1/SC 27 family of information security and privacy standards and is commonly used alongside ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701 and ISO/IEC 29100.

Q: What are the key keywords?

A: PIA, DPIA, privacy impact assessment, personal data, PII, privacy risk assessment, privacy by design, data protection, mitigation, accountability.