ISO/IEC 29151:2017 Information technology — Security techniques — Code of practice for personally identifiable information protection.
This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).
In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII that may be applicable within the context of an organization's information security risk environment(s).
This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII.
The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.
This Specification provides a set of controls for PII protection. The objective of the protection of PII is to enable organizations to put in place a set of controls as part of their overall PII protection programme. They can be used in a framework for maintaining and improving compliance with privacy-related laws and regulations, managing privacy risks and meeting the expectations of PII principals, regulators or clients, in accordance with the privacy principles described in ISO/IEC 29100.
A privacy risk assessment can assist organizations in identifying the specific risks of privacy breaches resulting from unlawful processing or from curtailing the rights of the PII principal involved in an envisaged operation. Organizations should identify and implement controls to treat the risks identified by the risk assessment process. The controls and treatments should then be documented, ideally in a separate risk register. Certain types of PII processing can warrant specific controls for which the need only becomes apparent once an envisaged operation has been carefully analysed.
Controls can be selected from this Specification (which includes by reference the controls from ISO/IEC 27002, creating a combined reference control set). If required, controls can also be selected from other control sets, or new controls can be designed to meet specific needs, as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk treatment options and the general risk management approach, applied to the organization and, through contractual agreements, to its customers and suppliers, and should also be subject to all applicable national and international legislation and regulations.
The selection and implementation of controls is also dependent upon the organization's role in the provision of infrastructure or services. Many different organizations may be involved in providing infrastructure or services. In some circumstances, selected controls may be unique to a particular organization. In other instances, there may be shared roles in implementing controls. Contractual agreements should clearly specify the PII protection responsibilities of all organizations involved in providing or using the services.

