In 2011, the International Organization for Standards technical committee on Information Security, Cybersecurity and Privacy Protection developed a privacy framework that was intended to propose common privacy terminology, define the roles of different organizations with respect to privacy, and establish core privacy principles.1  The result was the publication on December 15, 2011, of the ISO/IEC 29100 Privacy Framework.  The framework was last reviewed and updated in 2018.

Thinking Beyond the Law: How Many Total Controls Are Included in The ISO 29100 Privacy Framework?

The ISO 29100 privacy framework does not include formal requirements that a company must follow, but it does provide bullet points under each of its proposed principles that discuss what it means to adhere to the principle and many organizations refer to those bullet points as proposed controls.  In total, the original version of the ISO 29100 framework proposed approximately 70 controls that fall under (or can be considered subcategories of) the following 11 principles:

1. Consent and choice

2. Purpose legitimacy and specification

3. Collection limitation

4. Data minimization

5. Use, retention and disclosure limitation

6. Accuracy and quality

7. Openness, transparency and notice

8. Individual participation and access

9. Accountability

10. Information security

11. Privacy compliance

Thinking beyond the law: How many principles are in the ISO 29100?

While the privacy framework does not propose formal requirements for each of the above principles, it does provide bullet points that discuss what it means to “adhere” to each principle.  Those bullet points can be viewed as controls that an organization might consider in relation to each principle.

1 ISO/IEC 29100:2011 Information technology – Security techniques – privacy framework available at https://www.iso.org/standard/45123.html (last checked Apr. 2, 2021)