1 Scope
2 Normative references
3 Definitions and abbreviated terms
3.1 Definitions
3.2 Abbreviated terms
4 Overview
4.1 Objective for the protection of PII
4.2 Requirement for the protection of PII
4.3 Controls
4.4 Selecting controls
4.5 Developing organization specific guidelines
4.6 Life cycle considerations
4.7 Structure of this Specification
5 Information security policies
5.1 Management directions for information security
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirement of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
10.1 Cryptographic controls
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
Annex A – Extended control set for PII protection (This annex forms an integral
part of this Recommendation | International Standard.)
A.1 General
A.2 General policies for the use and protection of PII
A.3 Consent and choice
A.4 Purpose legitimacy and specification
A.5 Collection limitation
A.6 Data minimization
A.7 Use, retention and disclosure limitation
A.8 Accuracy and quality
A.9 Openness, transparency and notice
A.10 PII principal participation and access
A.11 Accountability
A.12 Information security
A.13 Privacy compliance
Bibliography