SFS-ISO/IEC 29151:2018:en

Soveltamisala

Suomenkielistä soveltamisalaa ei ole saatavissa.

This Recommendation | International Standard establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII). In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII that may be applicable within the context of an organization's information security risk environment(s). This Recommendation | International Standard is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not -for-profit organizations that process PII.

Tämän julkaisun valmistelusta Suomessa vastaa SFS Suomen Standardit, puh. 09 149 9331.

Sisällysluettelo

Foreword
Introduction
1 Scope
2 Normative references
3 Definitions and abbreviated terms

3.1 Definitions
3.2 Abbreviated terms

4 Overview

4.1 Objective for the protection of PII
4.2 Requirement for the protection of PII
4.3 Controls
4.4 Selecting controls
4.5 Developing organization specific guidelines
4.6 Life cycle considerations
4.7 Structure of this Specification

5 Information security policies

5.1 Management directions for information security

6 Organization of information security

6.1 Internal organization
6.2 Mobile devices and teleworking

7 Human resource security

7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment

8 Asset management

8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling

9 Access control

9.1 Business requirement of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control

10 Cryptography

10.1 Cryptographic controls

11 Physical and environmental security

11.1 Secure areas
11.2 Equipment

12 Operations security

12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations

13 Communications security

13.1 Network security management
13.2 Information transfer

14 System acquisition, development and maintenance

14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data

15 Supplier relationships

15.1 Information security in supplier relationships
15.2 Supplier service delivery management

16 Information security incident management

16.1 Management of information security incidents and improvements

17 Information security aspects of business continuity management

17.1 Information security continuity
17.2 Redundancies

18 Compliance

18.1 Compliance with legal and contractual requirements
18.2 Information security reviews

Annex A Extended control set for PII protection(This annex forms an integral part of this Recommendation | International Standard.)

Bibliography

Näytä kaikki

Foreword
Introduction
1 Scope
2 Normative references
3 Definitions and abbreviated terms

3.1 Definitions
3.2 Abbreviated terms

4 Overview

4.1 Objective for the protection of PII
4.2 Requirement for the protection of PII
4.3 Controls
4.4 Selecting controls
4.5 Developing organization specific guidelines
4.6 Life cycle considerations
4.7 Structure of this Specification

5 Information security policies

5.1 Management directions for information security

6 Organization of information security

6.1 Internal organization
6.2 Mobile devices and teleworking

7 Human resource security

7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment

8 Asset management

8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling

9 Access control

9.1 Business requirement of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control

10 Cryptography

10.1 Cryptographic controls

11 Physical and environmental security

11.1 Secure areas
11.2 Equipment

12 Operations security

12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations

13 Communications security

13.1 Network security management
13.2 Information transfer

14 System acquisition, development and maintenance

14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data

15 Supplier relationships

15.1 Information security in supplier relationships
15.2 Supplier service delivery management

16 Information security incident management

16.1 Management of information security incidents and improvements

17 Information security aspects of business continuity management

17.1 Information security continuity
17.2 Redundancies

18 Compliance

18.1 Compliance with legal and contractual requirements
18.2 Information security reviews

Annex A Extended control set for PII protection(This annex forms an integral part of this Recommendation | International Standard.)

Bibliography

Tuoteryhmä(t)

35.030 Tietoturvallisuus »
96.030.20 Tietosuoja »

Sidokset

Velvoittavat viittaukset

ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls.
ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework.

Tekninen komitea

ISO/IEC JTC 1/SC 27 (SFS-julkaisut) Information security, cybersecurity and privacy protection »

Vahvistuspäivä

27.04.2018

Kumouspäivä

14.04.2022

Painos

1

Sivumäärä

40

Julkaisun kieli

englanti

SFS-ISO/IEC 29151:2018:en Kumottu