Topic-specific policies
ISO/IEC 27555

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion



“This document contains guidelines for developing and establishing  policies and procedures for deletion of personally identifiable  information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. This document is intended to be used by organisations where PII is stored or processed. This document does not address: specific legal provision, as given by national law or specified in contracts; specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII; deletion mechanisms; reliability, security and suitability of deletion mechanisms; specific techniques for de-identification of data.”
[Source: ISO/IEC 27555:2021]


This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100 “Privacy framework”.


Scope of the standard

The standard is intended for organisations that store and process PII “and other personal data”, in particular PII Controllers who are primarily accountable for compliance with privacy laws.

It does not address:

  • Specific provisions in laws and contracts (although it will reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
  • Specific deletion rules for particular types (“clusters”) of PII;
  • Deletion mechanisms such as those for cloud storage;
  • Security of the deletion mechanisms; nor
  • Specific techniques for de-identification (anonymisation) of data.

Standardizing the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.


Content of the standard

In ~30 pages, the standard offers guidance on policies and procedures including:

  • Harmonised terminology for PII deletion;
  • An approach for defining efficient deletion/de-identification rules;
  • Required documentation; and
  • Roles, responsibilities and processes.



The standard was published towards the end of 2021.


Personal notes

Thankfully, the standard goes beyond merely ‘establishing a concept’ as was originally envisaged, offering pragmatic advice as well. 

The standard discusses ‘clusters’ of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.