INTERNATIONAL STANDARD ISO/IEC 29151
First edition 2017-08

Information technology — Security techniques — Code of practice for personally identifiable information protection

Technologies de l'information - Techniques de sécurité - Code de bonne pratique pour la protection des données à caractère personnel

Reference number ISO/IEC 29151:2017(E)
© ISO/IEC 2017

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
[email protected]
www.iso.org

CONTENTS

1
2 Normative references
3 Definitions and abbreviated terms
    3.1 Definitions
    3.2 Abbreviated terms
4
    4.1 Objective for the protection of PII
    4.2 Requirement for the protection of PII
    4.3
    4.4 Selecting controls
    4.5 Developing organization specific guidelines
    4.6 Life cycle considerations
    4.7 Structure of this Specification
5 Information security policies
    5.1 Management directions for information security
6 Organization of information security
    6.1 Internal organization
    6.2 Mobile devices and teleworking
7 Human resource security
    7.1 Prior to employment
    7.2 During employment
    7.3 Termination and change of employment
8 Asset management
    8.1 Responsibility for assets
    8.2 Information classification
    8.3 Media handling
9 Access control
    9.1 Business requirement of access control
    9.2 User access management
    9.3 User responsibilities
    9.4 System and application access control
10 Cryptography
    10.1 Cryptographic controls
11 Physical and environmental security
    11.1 Secure areas
    11.2 Equipment
12 Operations security
    12.1 Operational procedures and responsibilities
    12.2 Protection from malware
    12.3
    12.4 Logging and monitoring
    12.5 Control of operational software
    12.6
    12.7 Information systems audit considerations
13 Communications security
    13.1 Network security management
    13.2 Information transfer
14 System acquisition, development and maintenance
    14.1 Security requirements of information systems
    14.2 Security in development and support processes

Rec. ITU-T X.1058 (03/2017)

PDF document: ISO IEC 29151 2017 Information technology — Security techniques — Code of practice for personally identifiable information protection

Chinese document, 48 pages, 50 downloads, 1000 views, 0 comments, 309 favorites, rating 3.0
This document was uploaded and shared by 人生无常 on 2024-08-10 16:32:38.