kSIST FprEN ISO/IEC 29151:2026
Information security, cybersecurity and privacy protection - Controls, requirements, and guidance for personally identifiable information protection (ISO/IEC FDIS 29151:2025)
This document specifies controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).
In particular, this document specifies requirements and guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that can be applicable within the context of an organization's information security risk environment(s).
This document is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
Information security, cybersecurity and privacy protection - Controls and guidance for the protection of personal data (ISO/IEC FDIS 29151:2025)
Information security, cybersecurity and privacy protection - Security controls and recommendations for the protection of personal data (ISO/IEC FDIS 29151:2025)
This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personal data.
In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII that can be applicable within the context of an organization's information security risk environment(s).
This Recommendation | International Standard applies to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII.
Information security, cybersecurity and privacy protection - Controls, requirements and guidance for the protection of personal data (ISO/IEC DIS 29151:2024)
Standards Content (Sample)
SLOVENIAN STANDARD
oSIST prEN ISO/IEC 29151:2025
01-March-2025
Information security, cybersecurity and privacy protection - Controls and guidance for the protection of personal data
Information security, cybersecurity and privacy protection - Controls and guidance for personally identifiable information protection (ISO/IEC DIS 29151:2024)
Information technology - Security techniques - Guidelines for the protection of personal data (ISO/IEC DIS 29151:2024)
Information security, cybersecurity and privacy protection - Security controls and recommendations for the protection of personal data (ISO/IEC DIS 29151:2024)
This Slovenian standard is identical to: prEN ISO/IEC 29151
ICS:
35.030 IT Security
oSIST prEN ISO/IEC 29151:2025 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT International Standard
ISO/IEC DIS 29151
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Information security, cybersecurity and privacy protection – Controls and guidance for personally identifiable information protection
Voting begins on: 2024-12-17
Voting terminates on: 2025-03-11
ICS: 35.030
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 29151:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents ... Page
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and Definitions and abbreviated terms ... 1
3.1 Definitions ... 1
3.2 Abbreviated terms ... 2
4 Overview ... 3
4.1 Objective for the protection of PII ... 3
4.2 Requirement for the protection of PII ... 3
4.3 Controls ... 3
4.4 Selecting controls ... 3
4.5 Developing organization-specific guidelines ... 4
4.6 Life cycle considerations ... 4
4.7 Structure of this document ... 4
5 Organizational controls ... 8
5.1 Policies for information security ... 8
5.2 Information security roles and responsibilities ... 8
5.3 Segregation of duties ... 9
5.4 Management responsibilities ... 9
5.5 Contact with authorities ... 9
5.6 Contact with special interest groups ... 9
5.7 Threat intelligence ... 9
5.8 Information security in project management ... 10
5.9 Inventory of information and other associated assets ... 10
5.10 Acceptable use of information and other associated assets ... 10
5.11 Return of assets ... 11
5.12 Classification of information ... 11
5.13 Labelling of information ... 11
5.14 Information transfer ... 11
5.15 Access control ... 11
5.16 Identity management ... 11
5.17 Authentication information ... 12
5.18 Access rights ... 12
5.19 Information security in supplier relationships ... 12
5.20 Addressing information security within supplier agreements ... 12
5.21 Managing information security in the ICT supply chain ... 13
5.22 Monitoring, review and change management of supplier services ... 13
5.23 Information security for use of cloud services ... 13
5.24 Information security incident management planning and preparation ... 13
5.25 Assessment and decision on information security events ... 14
5.26 Response to information security incidents ... 14
5.27 Learning from information security incidents ... 14
5.28 Collection of evidence ... 15
5.29 Information security during disruption ... 15
5.30 ICT readiness for business continuity ... 15
5.31 Legal, statutory, regulatory and contractual requirements ... 15
5.32 Intellectual property rights ... 15
5.33 Protection of records ... 15
5.34 Privacy and protection of PII ... 15
5.35 Independent review of information security ... 15
5.36 Conformance with policies, rules and standards for information security ... 16
5.37 Documented operating procedures ... 16
6 People controls ... 16
6.1 Screening ... 16
6.2 Terms and conditions of employment ... 16
6.3 Information security awareness, education and training ... 16
6.4 Disciplinary process ... 16
6.5 Responsibilities after termination or change of employment ... 17
6.6 Confidentiality or non-disclosure agreements ... 17
6.7 Remote working ... 17
6.8 Information security event reporting ... 17
7 Physical controls ... 17
7.1 Physical security perimeters ... 17
7.2 Physical entry ... 17
7.3 Securing offices, rooms and facilities ... 17
7.4 Physical security monitoring ... 17
7.5 Protecting against physical and environmental threats ... 17
7.6 Working in secure areas ... 18
7.7 Clear desk and clear screen ... 18
7.8 Equipment siting and protection ... 18
7.9 Security of assets off-premises ... 18
7.10 Storage media ... 18
7.11 Supporting utilities ... 18
7.12 Cabling security ... 18
7.13 Equipment maintenance ... 18
7.14 Secure disposal or re-use of equipment ... 18
8 Technological controls ... 19
8.1 User endpoint devices ... 19
8.2 Privileged access rights ... 19
8.3 Information access restriction ... 19
8.4 Access to source code ... 19
8.5 Secure authentication ... 20
8.6 Capacity management ... 20
8.7 Protection against malware ... 20
8.8 Management of technical vulnerabilities ... 20
8.9 Configuration management ... 20
8.10 Information deletion ... 20
8.11 Data masking ... 20
8.12 Data leakage prevention ... 20
8.13 Information backup ... 20
8.14 Redundancy of information processing facilities ... 20
8.15 Logging ... 20
8.16 Monitoring activities ... 21
8.17 Clock synchronization ... 21
8.18 Use of privileged utility programs ... 21
8.19 Installation of software on operational systems ... 21
8.20 Networks security ... 21
8.21 Security of network services ... 21
8.22 Segregation of networks ... 21
8.23 Web filtering ... 21
8.24 Use of cryptography ... 21
8.25 Secure development life cycle ... 22
8.26 Application security requirements ... 22
8.27 Secure system architecture and engineering principles ... 22
8.28 Secure coding ... 22
8.29 Security testing in development and acceptance ... 22
8.30 Outsourced development ... 22
8.31 Separation of development, test and production environments ... 22
8.32 Change management ... 22
8.33 Test information ... 22
8.34 Protection of information systems during audit testing ... 22
Annex A (normative) Extended control set for PII protection (This annex forms an integral part of this Recommendation | International Standard.) ... 23
Annex B (informative) Correspondence of ISO/IEC 29151:202X (this document) with ISO/IEC 29151:2017 (This annex forms a non-integral part of this Recommendation | International Standard.) ... 43
Bibliography ... 46
Introduction
The number of organizations processing personally identifiable information (PII) is increasing, as is the amount of PII that these organizations deal with. At the same time, societal expectations for the protection of PII and the security of data relating to individuals are also increasing. A number of countries are augmenting their laws to address the increased number of high-profile data breaches.
As the number of PII breaches increases, organizations collecting or processing PII will increasingly need guidance on how they should protect PII in order to reduce the risk of privacy breaches occurring, and to reduce the impact of breaches on the organization and on the individuals concerned. This document provides such guidance.
This document offers guidance for PII controllers on a broad range of information security and PII protection controls that are commonly applied in many different organizations that deal with protection of PII. Other ISO/IEC standards that provide guidance or requirements on other aspects of the overall process of protecting PII are as follows:
— ISO/IEC 27001 specifies an information security management system, which is a suitable foundation for protecting any information, including PII.
— ISO/IEC 27002 provides guidelines for organizational, people-related, physical and technological information security controls that can be used for the protection of all kinds of information, including PII.
— ISO/IEC 27005 provides guidance to assist organizations to address information security risks and perform information security risk management activities, specifically information security risk assessment and treatment.
— ISO/IEC 27018 offers guidance to organizations acting as PII processors when offering processing capabilities as cloud services.
— ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
— ISO/IEC 29100 provides a privacy framework which specifies a common privacy terminology, defines the actors and their roles in processing personally identifiable information (PII), describes privacy safeguarding considerations, and provides references to known privacy principles for information technology.
— ISO/IEC 29134 provides guidelines for assessing the potential impacts on privacy of a process, information system, programme, software module, device or other initiative which processes personally identifiable information (PII), while ISO/IEC 27001 together with ISO/IEC 27005 provides guidance to perform information security risk management activities.
Controls are chosen based on the risks identified as a result of a risk analysis to develop a comprehensive, consistent system of controls. Controls are adapted to the context of the particular processing of PII.
This document contains two parts: 1) the main body consisting of clauses 1 to 8, and 2) a normative Annex A (Extended control set for PII protection) and informative Annex B (Correspondence of ISO/IEC 29151:202X (this document) with ISO/IEC 29151:2017). This structure reflects normal practice for the development of PII-specific extensions to ISO/IEC 27002 for the main body.
The structure of the main body of this document, including the clause titles, reflects the main body of ISO/IEC 27002:2022. The introduction and clauses 1 to 4 provide background on the use of this document. Headings for subclauses in clauses 5 to 8 mirror those of ISO/IEC 27002:2022, reflecting the fact that this document builds on the guidance in ISO/IEC 27002:2022, adding new controls specific to the protection of PII. Many of the controls in ISO/IEC 27002:2022 need no amplification in the context of PII controllers. However, in some cases, additional implementation guidance is needed, and this is given under the appropriate heading (and clause number) from ISO/IEC 27002:2022.
The normative annex contains an extended set of PII protection-specific controls. These new PII protection controls, with their associated guidance, are divided into twelve categories, corresponding to the privacy policy and the eleven privacy principles of ISO/IEC 29100:
— consent and choice;
— purpose, legitimacy and specification;
— collection limitation;
— data minimization;
— use, retention and disclosure limitation;
— accuracy and quality;
— openness, transparency and notice;
— individual participation and access;
— accountability;
— information security; and
— privacy compliance.
Figure 1 describes the relationship between this document and other ISO/IEC standards.
Figure 1 — The relationship of this document and other ISO/IEC standards
This document includes guidelines based on ISO/IEC 27002, and adapts these as necessary to address the privacy needs that arise from the processing of PII:
a) In different processing domains such as:
— public cloud services,
— social networking applications,
— internet-connected devices in the home,
— search, analysis,
— targeting of PII for advertising and similar purposes,
— big data analytics programmes,
— employment processing,
— business management in sales and service (enterprise resource planning, customer relationship management);
b) In different locations such as:
— on a personal processing platform provided to an individual (e.g., smart cards, smart phones and their apps, smart meters, wearable devices),
— within data transportation and collection networks (e.g., where mobile phone location data is created operationally by network processing, which may be considered PII in some jurisdictions),
— within an organization's own processing infrastructure,
— on a third party's processing platform;
c) For the collection characteristic such as:
— one-time data collection (e.g., on registering for a service),
— ongoing data collection (e.g., frequent health parameter monitoring by sensors on or in an individual's body, multiple data collections using contactless payment cards for payment, smart meter data collection systems, and so on).
NOTE Ongoing data collection can contain or yield behavioural, locational and other types of PII. In such cases, the use of PII protection controls that allow access and collection to be managed based on consent, and that allow the PII principal to exercise appropriate control over such access and collection, needs to be considered.
Information security, cybersecurity and privacy protection – Controls and guidance for personally identifiable information protection
1 Scope
This Recommendation | International Standard establishes controls, purpose, and guidance for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).
In particular, this Recommendation | International Standard specifies guidance based on ISO/IEC 27002, taking into consideration the controls for processing PII that may be applicable within the context of an organization's privacy risk environment(s).
This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII, in particular, organizations that do not establish or operate a privacy information management system.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls
ISO/IEC 29100:2024, Information technology — Security techniques — Privacy framework
3 Terms and Definitions and abbreviated terms
3.1 Definitions
For the purposes of this Recommendation | International Standard, the terms and definitions that are given in ISO/IEC 27000:2018, ISO/IEC 27002:2022, ISO/IEC 29100 and the following apply.
The ISO Online browsing platform, IEC Electropedia and ITU Terms and definitions are terminological databases for use in standardization.
3.1.1
chief privacy officer (CPO):
Senior management individual who is accountable for the protection of personally identifiable information (PII) in an organization.
3.1.2
de-identification process:
Process of removing the association between a set of identifying data and the data principal, using de-identification techniques.
3.1.3
organization:
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.1.4
personally identifiable information (PII):
information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person
Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.3). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.
[SOURCE: ISO/IEC 29100:2024, 3.7]
3.1.5
PII controller:
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) (3.1.4) other than natural persons who use data for personal purposes
Note 1 to entry: A PII controller sometimes instructs others [e.g. PII processors (3.1.7)] to process PII on its behalf while the responsibility for the processing remains with the PII controller.
[SOURCE: ISO/IEC 29100:2024, 3.8]
3.1.6
PII principal, data subject:
natural person to whom the personally identifiable information (PII) (3.1.4) relates
[SOURCE: ISO/IEC 29100:2024, 3.9]
3.1.7
PII processor:
privacy stakeholder that processes personally identifiable information (PII) (3.1.4) on behalf of and in accordance with the instructions of a PII controller (3.1.5)
[SOURCE: ISO/IEC 29100:2024, 3.10]
3.2 Abbreviated terms
For the purposes of this document, the following abbreviations apply.
CPO Chief Privacy Officer
PIA Privacy Impact Assessment
PII Personally Identifiable Information
4 Overview
4.1 Objective for the protection of PII
This document provides a set of controls for PII protection. The objective of the protection of PII is to enable organizations to put in place a set of controls as part of their overall PII protection programme. They can be used in a framework for demonstrating compliance with privacy-related laws and regulations, managing privacy risks and meeting the expectations of PII principals, regulators or clients, in accordance with the privacy principles described in ISO/IEC 29100.
4.2 Requirement for the protection of PII
An organization should identify its PII protection requirements. The privacy principles in ISO/IEC 29100 apply to the identification of requirements. There are three main sources of PII protection requirements:
— legal, statutory, regulatory and contractual requirements related to protection of PII including, for example, PII requirements that an organization, its trading partners, contractors and service providers have to comply with;
— assessment of risks (i.e., security risks and privacy risks) to the organization and the PII principal, taking into account the organization’s overall business strategy and objectives, through a risk assessment;
— corporate policies: an organization may also choose voluntarily to go beyond the criteria that are derived from previous requirements.
Organizations should also adhere to the principles (i.e., privacy principles defined in ISO/IEC 29100), objectives and business requirements for processing PII that have been developed to support their operations.
PII protection controls (including security controls) should be selected on the basis of a risk assessment. The results of a privacy impact assessment (PIA), e.g., as specified in ISO/IEC 29134, will help to guide and determine the appropriate treatment action and priorities for managing risks to the protection of PII and for implementing controls selected to protect against these risks.
A PIA document such as that in ISO/IEC 29134 may provide PIA guidance, including advice on risk assessment, risk treatment plan, risk acceptance and risk review.
4.3 Controls
A privacy risk assessment can assist organizations in identifying the specific risks of privacy breaches resulting from unlawful processing, of infringements of the rights and freedoms of the PII principal involved in an envisaged PII processing, or from inadequate or ineffective information security or privacy controls. Organizations should identify and implement controls to treat the risks identified by the risk impact process. The controls and treatments should then be documented, ideally in a separate risk register.
Certain types of PII processing can warrant specific controls for which the need only becomes apparent once an envisaged operation has been carefully analysed.
4.4 Selecting controls
Controls can be selected from this document (which includes by reference the controls from ISO/IEC 27002, creating a combined reference control set). If required, controls can also be selected from other control sets or new controls can be designed to meet specific needs, as appropriate.
The selection of controls is dependent upon organizational decisions based on the criteria for risk treatment options and the general risk management approach, applied to the organization and, through contractual agreements, to its customers and suppliers, and should also be subject to all applicable national and international legislation and regulations.
The selection and implementation of controls is also dependent upon the organization's role in the provision of infrastructure or services. Many different organizations may be involved in providing infrastructure or services. In some circumstances, selected controls may be unique to a particular organization. In other instances, there may be shared roles in implementing controls. Contractual agreements should clearly specify the PII protection responsibilities of all organizations involved in providing or using the services.
The controls in this document can be used as reference for organizations that process PII, and are intended to be applicable for all organizations acting as PII controllers. Organizations acting as PII processors should do so, in accordance with the instructions of the PII controller. PII controllers should ensure that their PII processors are able to implement all the necessary controls included in their PII processing agreement, in accordance with the purpose of PII processing. PII controllers using cloud services as PII processors may review ISO/IEC 27018 to identify relevant controls to implement.
The controls in this document are explained in more detail in clauses 5 to 8, along with implementation guidance. Implementation may be made simpler if requirements for the protection of PII have been considered in the design of the organization's information systems, services and operations. Such consideration is an element of the concept that is often called privacy by design (PBD). More information about selecting controls and other risk treatment options can be found in ISO/IEC 29134. Other relevant references are listed in the bibliography.
4.5 Developing organization-specific guidelines
This document can be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this document are applicable to all organizations.
Furthermore, additional controls and guidelines not included in this document may be required. When documents are developed containing additional guidelines or controls, it may be useful to include cross-references to clauses in this d
...