Information security policies
ISO/IEC 27555

Search this site

Security awareness content

ISO/IEC 27555 — Information technology — Security techniques — Establishing a PII deletion concept in organizations [DRAFT]


This standard will lay out a conceptual framework for deletion of PII (Personally Identifiable Information). It will offer guidance on establishing policies that embrace concepts presented by specifying:

  • Standard terminology for PII deletion;
  • An approach for defining efficient deletion/de-identification rules;
  • Required documentation; and
  • Roles, responsibilities and processes.

Scope of the standard

The standard is intended for organizations that store and process PII “and other personal data”.

It will not address:

  • Specific provisions in laws and contracts;
  • Specific deletion rules for particular types of PII;
  • Deletion mechanisms including those for cloud storage;
  • Security of the deletion mechanisms; nor
  • Specific techniques for de-identification of data.

The standard will enable organizations to meet the increasing demands of privacy/data protection regulation, supporting them in fulfilling the requirements.

Standardizing the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.


Content of the standard




The project started in 2018. The standard is due to be published at the end of 2021.

It is currently at Committee Draft stage.


Personal notes

The outline goes beyond merely ‘establishing a concept’: it looks to me as if it will offer fairly specific guidance - which, to this pragmatist, sounds much more useful than ‘establishing a concept’.

The abbreviation “PII” in the title is likely to be expanded when it is published.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2020 IsecT Ltd.