ISO IEC 29151-2017 PDF
Name in English:
St ISO IEC 29151-2017
Name in Russian:
Ст ISO IEC 29151-2017
Original ISO/IEC 29151:2017 standard, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 29151:2017 — Information technology — Security techniques — Code of practice for personally identifiable information (PII) protection. A code of practice that defines control objectives, specific controls and implementation guidance to protect personally identifiable information processed by organisations, aligned with ISO/IEC 27002 and the privacy framework in ISO/IEC 29100.
Abstract
ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls to meet requirements identified by risk and impact assessments related to the protection of personally identifiable information (PII). It adapts information security controls from ISO/IEC 27002 to address privacy-specific processing requirements and provides an extended PII control set in an annex for use by PII controllers in public and private organisations of any size.
General information
- Status: Published; under revision (a replacement edition is under development and will supersede this one when published).
- Publication date: 18 August 2017 (Edition 1).
- Publisher: ISO and IEC (ISO/IEC JTC 1/SC 27 — Information security, cybersecurity and privacy protection).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1.0 (2017). Note: a second edition (FDIS 29151) has been progressed through committee/approval stages and is expected to supersede the 2017 edition when published.
- Number of pages: 39 pages.
Scope
The standard applies to organisations acting as PII controllers and to systems or services that process PII. It gives guidance for selecting and implementing controls where privacy risks arise from the processing of PII, taking account of legal, regulatory and contractual requirements and an organisation’s information security risk environment. The guidance is technology- and industry-neutral and intended for use by any size of organisation.
Key topics and requirements
- Control objectives and specific controls tailored for protection of PII, mapped to ISO/IEC 27002 domains.
- Guidance for implementation of controls based on risk and privacy impact assessment outcomes.
- Extended PII control set (normative annex) covering policies, consent and choice, data minimisation, retention, de‑identification/pseudonymization, test data handling and secure disposal.
- Requirements and recommendations for governance: roles and responsibilities (e.g., chief privacy officer), supplier management and contractual protections for PII.
- Access control, cryptographic controls, operations security, logging and monitoring, and incident management for PII-related events.
- Privacy considerations in system acquisition, development and maintenance (including test data and development environments).
- Guidance on aligning PII controls with legal/contractual compliance obligations and with broader information security management (ISO/IEC 27001/27002).
Typical use and users
Used by privacy officers, information security managers, risk and compliance teams, IT architects, auditors and consultants. Typical applications include designing or reviewing PII protection controls, integrating privacy controls into an ISMS, supplier contract requirements, privacy impact assessments and establishing internal privacy governance for organisations processing personal data.
Related standards
Commonly referenced together with ISO/IEC 27001 and ISO/IEC 27002 (information security management and controls), ISO/IEC 27701 (privacy information management extension), ISO/IEC 29100 (privacy framework) and ISO/IEC 29134 (guidelines for privacy impact assessment). It is also aligned with other privacy frameworks and national/regulatory requirements as applicable.
Keywords
PII, personally identifiable information, privacy, data protection, information security, controls, risk assessment, privacy by design, de‑identification, pseudonymization, consent, ISO/IEC 27002, Annex A mapping.
FAQ
Q: What is this standard?
A: ISO/IEC 29151:2017 is an international code of practice that provides objectives, controls and guidance specifically for protecting personally identifiable information (PII) within an organisation’s information security and privacy programmes.
Q: What does it cover?
A: It covers control objectives and implementation guidance for PII protection across domains such as governance, access control, cryptography, operations, communications, system development, supplier management, incident management and compliance, plus a normative annex with an extended PII control set (consent, data minimisation, de‑identification, test data, retention and disposal, etc.).
Q: Who typically uses it?
A: Privacy officers, security managers, ISMS implementers, risk and compliance teams, auditors, legal teams and consultants who need to design, assess or demonstrate PII protection measures in organisations of all sizes that process personal data.
Q: Is it current or superseded?
A: The 2017 edition is the published baseline. The standard has been through its scheduled review and a revision is in progress: a second edition (FDIS 29151) has been developed and moved through the approval stages, and when it is published it will supersede ISO/IEC 29151:2017. Check the catalogue of standards for the authoritative publication status and edition date.
Q: Is it part of a series?
A: Yes. ISO/IEC 29151 is part of the ISO/IEC information security and privacy family (related to ISO/IEC 27000-series and ISO/IEC 29100-series) and is commonly used together with ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701 and ISO/IEC 29134.
Q: What are the key keywords?
A: PII, personally identifiable information, privacy, data protection, information security controls, de‑identification, consent, privacy by design, risk assessment.