ISO 29151 - Code of practice for personally identifiable information protection


    An international standard, developed by the International Organization for Standardization (ISO), that establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

    Last Updated: July 30, 2019


  • General

    The international standard 29151 further specifies the guidelines based on ISO/IEC 27002, focusing on controls related to the protection of personally identifiable information (PII).

    This standard is applicable to PII controllers and creates a code of practice to meet requirements identified by risk and impact assessments related to PII, completing the framework created by ISO/IEC 29100 (Privacy Framework) and ISO/IEC 29134 (Privacy Impact Assessment).

    The specification mirrors ISO/IEC 27002, adding new controls tailored for the protection of PII or otherwise specifying when ISO/IEC 27002 controls are sufficient, while also providing implementation guidelines.

    Following the framework of ISO/IEC 29100, the controls are divided into 12 categories:

    • consent and choice;
    • purpose, legitimacy and specification;
    • collection limitation;
    • data minimization;
    • use, retention and disclosure limitation;
    • accuracy and quality;
    • openness, transparency and notice;
    • individual participation and access;
    • accountability;
    • information security; and
    • privacy compliance.
