
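BSI publishes new code of practice to protect consumers from fraud and financial abuse

The new code of practice published by the British Standards Institution (BSI) gives organizations recommendations on how to protect consumers from financial harm that might result from fraud or financial abuse.

Sponsored by NatWest, the code of practice, PAS 17271: Protecting customers from financial harm as a result of fraud or financial abuse, gives guidance on how to recognize consumers who might be at particular risk from fraud or financial abuse and how to assess the potential risks to the individual. People in this group are, temporarily or over the long term, in vulnerable circumstances that affect their ability to communicate, understand, make decisions, or act in their own best interests.

BSI's new code of practice distinguishes between fraud and financial abuse as follows: fraud is a criminal act intended to obtain financial gain, such as identity theft or telecom fraud. Financial abuse is the criminal act of controlling another person's property, money, pension or other valuables in order to obtain financial or personal gain. Financial abuse usually occurs between people who trust each other, such as partners, relatives and friends.

The way an organization treats consumers can cause different degrees of financial harm. If systems or procedures fail to identify, inform, protect and support consumers, vulnerable consumers are more likely to suffer harm from fraud and financial abuse. The code of practice provides detailed recommendations, guidance and a comprehensive checklist to organizations that want to change or to achieve or maintain good practice. The recommendations cover organizational principles, culture and strategy.

For cases where fraud or financial abuse has already occurred, PAS 17271 gives guidance on how to help and support consumers and on how to minimize future risks. Fraud and financial abuse are very widespread. In 2016 there were more than 1.85 million cases of financial fraud in the UK, and fraud losses across payment cards, remote banking and cheques reached 7.688 million, an increase of 2% over the previous year.[1] Experts believe this is only the tip of the iceberg, because reported fraud cases account for only a small fraction of all fraud cases.[2]

The code of practice applies to all organizations in the UK that manage the money or other financial assets of UK consumers, regardless of type or size, in particular banks, building societies, credit card providers, credit unions and pension providers.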

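Anne Hayes, Head of Governance and Resilience at BSI, said: “Financial institutions have a responsibility to help vulnerable groups. Anyone can become a victim of fraud or financial abuse, but we know from past experience that some people are extremely susceptible. People with financial problems, people with learning difficulties, people recovering from drug addiction, and the young are just some of the groups most susceptible.

“PAS 17271 was published to help organizations protect consumers from financial harm. Its essence is preventing and detecting fraud and financial abuse through best practice in systems and procedures.”

David Lowe, Head of Fraud Prevention at NatWest, said: “Fraud can be devastating for victims, and sadly we are finding that the sophistication of these crimes keeps increasing. Supporting consumers and helping to protect them from fraud is our shared responsibility, which is why we took the initiative in 2016 to propose to BSI that a PAS be developed. The BSI PAS provides an excellent platform for the government, other banks and industry partners to work together towards a common goal.”

Ben Wallace, Security Minister at the Home Office, said: “Protecting vulnerable groups from the harm of fraud or financial abuse is an important priority for this Government, and I welcome this new guidance, which will drive best practice in this area.

“It is a demonstration of the collaborative nature of the Joint Fraud Taskforce, in which government, law enforcement and the relevant industries work together to solve some of the toughest fraud problems and protect the public, especially high-risk groups that are very likely to become victims, from fraud.

“The national Take Five to Stop Fraud campaign further raises public awareness of fraud prevention; the public can take simple steps to protect themselves against the most common types of fraud.”

PAS 17271 was developed with the support of NatWest, together with a steering group made up of financial institutions and consumers. The organizations that took part in developing the PAS and reached broad industry consensus include: Barclays; Building Societies Association; Consumer & Public Interest Network; Financial Fraud Action UK; Home Office Joint Task Force; KMB Telemarketing Ltd; Metropolitan Police; National Trading Standards; Office of the Public Guardian; Santander UK; Scottish Business Resilience Centre; The Co-operative Bank.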

 

BSI launches new code of practice to protect vulnerable customers from fraud and financial abuse

BSI, the business standards company, has launched a new code of practice that gives recommendations to organizations for protecting vulnerable customers from financial harm that might occur as a result of fraud or financial abuse.

Sponsored by NatWest, the code of practice, PAS 17271: Protecting customers from financial harm as a result of fraud or financial abuse, gives guidance on how to recognize customers who might be at particular risk from fraud and financial abuse and how to assess the potential risks to the individual. This can include those in vulnerable circumstances, either temporarily or permanently, which can affect their ability to communicate, understand, make decisions, or take actions that are in their best interests.

The guidance in BSI’s new code of practice distinguishes between fraud – a criminal act involving deception intended to result in financial gain, such as ID theft or online scams – and financial abuse. Financial abuse is the criminal act of controlling a person’s property, money, pension book or other valuables intended to result in the financial or personal gain of the abuser. It is typically carried out by people in a position of trust, such as partners, relatives, friends or carers.

How an organization treats its customers can contribute to levels of financial harm. Inadequate systems and procedures that fail to identify, inform, protect and support customers can make it more likely that vulnerable customers are susceptible to fraud or financial harm. The code of practice provides detailed recommendations, guidance and a comprehensive checklist to organizations that want to implement change, to achieve or maintain levels of good practice. Recommendations cover organizational principles, culture and strategy.

In cases where fraud or financial abuse has already occurred, PAS 17271 gives guidance on how to help and support customers, and how to minimize future risks. Fraud and financial abuse are widespread; in 2016, there were over 1.85 million cases of financial fraud in the UK. During 2016, financial fraud losses across payment cards, remote banking and cheques totalled £768.8 million, an increase of 2% over the prior year.[1] Experts believe this is only the tip of the iceberg, with only a fraction of all fraud cases reported.[2]

The code of practice is applicable to organizations of all types and sizes operating in the UK that manage the money or other financial assets of UK consumers – in particular banks, building societies, credit card providers, credit unions, and pension providers.

Anne Hayes, Head of Governance and Resilience at BSI, said: “Financial institutions have a responsibility to assist the vulnerable. Anyone can be a victim of fraud or financial abuse – but we know from experience that some people are uniquely at risk. Individuals with a history of financial problems; learning difficulties; those recovering from addictions; and the young are just some of the diverse types of people most susceptible.

“PAS 17271 was created to help organizations protect customers from financial harm. The bottom line is that best practice in systems and procedures can help prevent and detect fraud and financial abuse.”

David Lowe, Head of Fraud Prevention at NatWest, said: “Being a victim of fraud can be devastating and sadly we are seeing the complexity and sophistication of these crimes increase. We know that it is our collective responsibility to support consumers and help prevent them from falling victim to fraud, which is why we took the initiative to sponsor a BSI PAS in 2016. The BSI PAS provides the best platform to join forces with the government, other banks and industry partners to work towards a common goal.”

Ben Wallace, Security Minister at the Home Office, said: “Protecting vulnerable people from becoming victims of fraud or financial harm is a key priority for this Government and I really welcome this new guidance which will drive best practice in this area.

“It is an excellent example of the collaborative nature of the Joint Fraud Taskforce which sees Government, law enforcement and industry working together to tackle some of the toughest fraud issues in order to protect the public, particularly those that are at a higher risk of becoming victims.

“The national Take Five to Stop Fraud campaign raises further awareness of how the public can take simple steps to protect themselves against the most common types of fraud.”

The development of PAS 17271 was sponsored by NatWest, with a steering group comprising financial institutions and consumer bodies. The broad consensus and buy-in from industry includes involvement in the development of the PAS by: Barclays; Building Societies Association; Consumer & Public Interest Network; Financial Fraud Action UK; Home Office Joint Task Force; KMB Telemarketing Ltd; Metropolitan Police; National Trading Standards; Office of the Public Guardian; Santander UK plc; Scottish Business Resilience Centre; The Co-Operative Bank plc.

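Using security-sector standards to solve market fragmentation

CEN and CENELEC took part in the high-level ‘Security Research, Innovation and Education Event’ (SRIEE 2017), held by the Estonian presidency and the European Commission on 14-15 November in Tallinn, the capital of the Republic of Estonia. The discussions focused mainly on how to narrow the gap between research and the market so that innovative solutions can meet the needs of practitioners and other users. Participants included researchers, industry representatives, public security service providers, practitioners (fire departments, intelligence agencies and so on) and policy makers from across Europe.

Estonian Prime Minister Jüri Ratas presided over the opening and gave the welcoming speech, which emphasized the need to identify how to improve the capacity for innovation.

After the speech, two high-level panel discussions were held on “Conveying the future needs of practitioners to the research community” and “The future of security research”.

Elena Santiago Cid, Director General of CEN and CENELEC, was invited as a speaker in High-level Panel 1 (From research to practitioners and end users).

The panellists focused on the fragmentation of the European security market and on what research in the European security sector can do to increase competitiveness and offer consistent solutions.

In response to these concerns, Ms Santiago said that adopting standards can reduce market fragmentation. She stressed again that the important role standardization plays as a voluntary tool in effectively deploying or bringing about innovation deserves attention, and that, combined with the strengths of the CEN and CENELEC systems, it can bring stakeholders together to reach consensus.

To give standardization a role in Horizon2020 research projects, Ms Santiago shared the approach taken by ZONeSEC (the EU wide-zone surveillance framework), an ongoing EU FP7 security research project, which is one of the projects for which a CEN-CENELEC Workshop (CWA) is discussing the ‘Interoperability of Security Systems for the Surveillance of Widezones’.

Many important public infrastructures, such as highways, energy lines and pipelines (for example gas pipelines), cover wide geographic areas. The kick-off meeting of the ZONeSEC CWA will be held in Athens, Greece, on 11 December.

Ms Santiago concluded her contribution to the SRIEE high-level panel and invited the security sector to engage with the standardization community to jointly develop solutions that support the sector in improving Europe's competitiveness.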

 

Solving market fragmentation through standards in the Security sector 

CEN and CENELEC were present at the high-level event ‘Security Research, Innovation and Education Event’ (SRIEE 2017), organized by the Estonian presidency and the European Commission, which took place in Tallinn on 14-15 November. The main focus of the discussions was how to reduce the gap between research and the market, so that innovative solutions can meet the needs of practitioners and other users. Participants included researchers, industry representatives, public security providers and practitioners (e.g. fire departments and intelligence agencies) and policy makers from across Europe.

Estonian Prime Minister Jüri Ratas opened the event and gave the welcoming speech emphasizing the need to identify ways to improve innovation uptake.

Two high-level panels focusing on "Conveying the future needs of Practitioners to the Research Community" and on "The future of security research" took place following the welcoming speech.

Elena Santiago Cid, CEN and CENELEC Director General, was invited as a speaker in High-level Panel 1 – From Research to Practitioners and End-users.

The panellists focused on the fragmentation of the European security market and what European research in the security sector can do to increase competitiveness and offer harmonized solutions.

In response to these concerns, Ms Santiago explained that market segmentation can be reduced through standards. She confirmed the important role that standardization plays as a voluntary tool that can deploy or bring innovation to the market and the strength of the CEN and CENELEC systems to bring all stakeholders together to reach consensus.

Addressing the role of standardization in Horizon2020 research projects, Ms Santiago shared the approach taken by ZONeSEC, an FP7 security research project which is in the process of initiating a CEN-CENELEC Workshop (CWA) on the ‘Interoperability of Security Systems for the Surveillance of Widezones’.

Widezones are critical public infrastructures such as highways, energy lines or pipelines (e.g. gas pipelines) that spread over large areas covering wide geographic zones. The kick-off meeting of the CWA for ZONeSEC will take place in Athens on 11 December.

Concluding her contribution to the high level panel of SRIEE, Ms Santiago invited the security sector to reach out to the standardization community and join forces in developing solutions which support the competitiveness of the sector in Europe.


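Voluntary standards coverage: from 3D component design to electrical power equipment systems

To convey the important role standards play in everyday life, the American National Standards Institute (ANSI) publishes snapshots of different standards from the global and national standards landscape, most of which were developed by ANSI members and ANSI-accredited standards developing organizations. Two of the latest are selected below:

1. Electrical power equipment systems

Electrical power equipment and systems can refer to a broad range of equipment, including switchgear, transformers and rotating machinery, which must operate reliably and safely in accordance with industry and manufacturer standards and tolerances.

ANSI/NETA ATS-2017, Standard for Acceptance Testing Specifications for Electrical Power Equipment and Systems, ensures that tested electrical equipment and systems operate properly, conform to applicable standards and manufacturers' tolerances, and are installed in accordance with design specifications. These specifications cover the field tests and inspections that can be used to assess electrical power equipment and systems for initial energization and final acceptance.

The InterNational Electrical Testing Association (NETA), an ANSI member and ANSI-accredited standards developing organization, published ANSI/NETA ATS-2017 to assist with the pre-energization and start-up of electrical power equipment and systems. This type of testing can reveal any damage caused in transit, and checks that installation follows the design and that all components are connected and working properly, both individually and as part of the system.

NETA is an organization serving the electrical testing industry. Its services include accrediting third-party electrical testing companies, certifying electrical testing technicians, developing American National Standards, hosting the PowerTest electrical maintenance and safety conference, and publishing the NETA World technical journal.

2. Implementation of design and assembly processes for 3D components

According to IPC, the Association Connecting Electronics Industries, as the market for mobile electronic devices continues to grow, demand for device miniaturization and expectations of high performance will keep rising. As a result, next-generation 3D assembly faces many implementation challenges and, because of the complexity of the technology, places demands on the process expertise of foundries, outsourced semiconductor assembly and test (OSAT) providers and original design manufacturers (ODMs).

IPC-7091, Design and Assembly Process Implementation of 3D Components, is intended to provide useful and practical information to those who design, develop or use 3D-packaged semiconductor components or who are considering implementing 3D packaging.

A 3D semiconductor package can include multiple die elements, some homogeneous and some heterogeneous. The package may also include multiple discrete passive SMT components, some of which are surface mounted and others integrated (embedded).

This standard was developed by IPC, an ANSI member and ANSI-accredited standards developing organization. IPC is a trade association whose aim is to standardize the assembly and production requirements of electronic equipment and assemblies.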

 

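Assured quality: new standards series DIN 77200 makes certification of security services possible for the first time

The DIN 77200 “Security services” series of standards is intended to keep raising the quality of services in the guarding and security sector. In November, the German Institute for Standardization (DIN) published Part 1 and Part 3 of the series. Part 1 specifies minimum requirements and service quality criteria for companies providing security services, and Part 3 specifies how accredited certification bodies check these criteria.

DIN 77200-2 is still being drafted; it mainly sets out requirements for security service providers in special areas such as public events and passenger transport. The draft standard is expected to be published in summer 2018.

“The new DIN 77200 series sets out clear requirements against which security service providers can apply for certification,” said Sven Middelhauve, head of the legal department of Securitas Deutschland (SCIK) and chair of the committee responsible for the series. “It promotes a common understanding between security companies and their clients, makes the definition of the scope of the contracted services more transparent, raises the quality of service in the security services industry, and strengthens trust in the security services industry.” The series also covers guarding and security services that serve a variety of purposes, such as protection against dangers from criminal acts, occupational injuries and natural disasters.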


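Part 1 of the standard, DIN 77200-1, contains minimum requirements for security service providers and their branches in terms of organization, processes and personnel. In addition, security service providers must demonstrate that the staff they assign to security services have taken the § 34a GewO course and passed the expert knowledge examination. They must also ensure that they have a documented procedure for safeguarding the training and further training of employees. Part 3, DIN 77200-3, specifies the requirements for certification bodies and their procedures, explaining how to check whether the requirements in Part 1 have been met.

Information events on the standard

DIN will organize three information events at which you can obtain important first-hand information about the application of Part 1, DIN 77200-1, and Part 3, DIN 77200-3. The main purpose of the events is knowledge transfer and practical discussion.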

Assured quality

New standards series DIN 77200 enables certification of guarding and security services for the first time

The DIN 77200 “Security services” series of standards is intended to sustainably raise the quality of services in the guarding and security sector. In November, DIN published parts one and three of the series: Part 1 describes minimum requirements and quality criteria for security service providers, and Part 3 describes how accredited certification bodies check these criteria. DIN 77200-2 contains further requirements on security service providers for special service areas, for example public events and passenger transport, and is currently still being worked on. The draft standard is expected to be published in summer 2018.

“The new DIN 77200 series formulates clear requirements against which security service providers can be certified,” explains Sven Middelhauve, legal counsel and head of the legal department at Securitas Deutschland and chair of the working committee responsible for the series. “It promotes a common understanding between security companies and their clients, provides transparency in defining the scope of the contract, raises the quality of the services offered and can thus ultimately also increase trust in the security industry.” The series covers guarding and security services that can serve different purposes, for example protection against dangers from criminal offences, operational outages or natural events.

DIN 77200-1 contains minimum requirements for security service providers and their branches with regard to organization, processes and personnel. Among other things, they must be able to demonstrate that the employees they assign to security services have passed the expert knowledge examination under § 34a GewO. They must also show that they have a documented written procedure for ensuring the initial and further training of employees. DIN 77200-3 describes the requirements for certification bodies and the procedure used to check whether the criteria described in Part 1 are met.

Information events on the standard

The DIN-Akademie offers three information events at which participants receive important first-hand information on applying DIN 77200-1 and DIN 77200-3. The events focus on knowledge transfer, discussion and practical exchange.

 

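New draft of the ISO 50001 energy management standard

Since 2011, organizations have followed the systematic approach provided by ISO 50001 to continually improve energy performance, including energy efficiency, energy use and consumption.

Like all International Standards, ISO 50001 is reviewed periodically to ensure that it continues to meet the rapidly changing needs of the energy sector. This work is carried out by the ISO technical committee responsible for energy management and energy savings (ISO/TC 301), whose secretariat is held jointly by the American National Standards Institute (ANSI) and the Standardization Administration of China (SAC). With the help of Deann Desai, Professor at the Georgia Institute of Technology in the USA and Convenor of the working group responsible for revising the standard, the main changes made in the revision are explained here.

“Perhaps the most important change in the forthcoming 2018 revision is the incorporation of the high-level structure, which improves compatibility with other management system standards.” The high-level structure (HLS) is a simple and effective concept. “Because organizations often implement several management system standards, using a shared structure and the same terms and definitions makes things easier to understand,” explains Prof. Desai. This is particularly useful for organizations that operate a single (sometimes called “integrated”) management system, which can meet the requirements of two or more management system standards at the same time.

Prof. Desai continues: “The 2018 revision also has other improvements to help small and medium-sized enterprises (SMEs) and ensure that the key concepts of energy performance are clear to them.” This is especially important in encouraging SMEs to adopt management system standards, since most of them assume that only multinational companies benefit from International Standards. That is not the case. SMEs around the world can use ISO standards to build customer confidence, reduce costs across all aspects of their business and meet regulatory requirements.

Energy efficiency is key to whether businesses large and small can meet social and environmental targets. Promoting ISO 50001 is therefore also an important part of Prof. Desai's work. She told us about a number of organizations that promote ISO 50001 worldwide, including the Clean Energy Ministerial (CEM) and the United Nations Industrial Development Organization (UNIDO).

The Clean Energy Ministerial is a global awards programme that recognizes leading organizations that have achieved results in energy management and used ISO 50001 to address energy and climate challenges. Organizations certified to ISO 50001 are invited to submit their own case studies for recognition. If that sounds like your organization, do not miss out: the Clean Energy Ministerial is now accepting entries for the 2018 Energy Management Leadership Awards.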

 

New draft of ISO 50001 energy management standard

Since 2011, organizations have been able to follow a systematic approach in achieving continual improvement of energy performance, including energy efficiency, energy use and consumption, thanks to ISO 50001.

Like all International Standards, ISO 50001 has come under periodic review to ensure that it continues to meet the rapidly changing needs of the energy sector. This work is being carried out by the ISO technical committee responsible for energy management and energy savings (ISO/TC 301), whose secretariat is held by ANSI, ISO’s member for the USA, in a twinning arrangement with the ISO member for China, SAC. Here, we explain the main changes with the help of Deann Desai, Professor at the Georgia Institute of Technology and Convenor of the working group tasked with revising the standard. 

“Perhaps the most important change for the 2018 version is the incorporation of the high-level structure, which provides for improved compatibility with other management system standards.” The high-level structure (HLS) is a simple and effective concept. “Because organizations often implement a number of management system standards, the use of a shared structure, as well as many of the same terms and definitions, helps to keep things simple,” explains Prof. Desai. This is particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more management system standards simultaneously.

Prof. Desai continues: “There are other improvements in the 2018 version to help ensure that the key concepts related to energy performance are clear for small and mid-sized businesses (SMEs).” This is important in encouraging uptake of the use of management system standards by SMEs, which sometimes assume that the benefits of International Standards mostly apply to multinational businesses. That’s not the case, with SMEs around the world using ISO standards to build customer confidence and reduce costs across all aspects of their business, including meeting regulation requirements.

With energy efficiency playing such a key role in meeting social and environmental targets for all sizes of business, promoting uptake of ISO 50001 is also an important part of Prof. Desai’s work. She tells us about a number of different initiatives that have helped increase the use of ISO 50001 around the world, including the Clean Energy Ministerial (CEM) and the United Nations Industrial Development Organization (UNIDO). 

The Clean Energy Ministerial is a global awards programme that recognizes leading organizations for their energy management achievements and use of ISO 50001 to address energy and climate challenges. Organizations certified to ISO 50001 are invited to submit case studies for recognition. If that sounds like your organization, then you should know that the Clean Energy Ministerial is now accepting entries for its 2018 Energy Management Leadership Awards.

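ISO 30500 to promote global health in areas without sewers

In many places in the world, rural and urban populations have to use toilets that are not connected to sewers. In most cases, city planners are working to solve this by investing in infrastructure. But for millions of people the main problem at present is the lack of a sewer system, and because waterborne diseases pose a major threat to human health, solving this problem is crucial. That is the background to the upcoming Draft International Standard.

ISO 30500, Non-sewered sanitation systems – Prefabricated integrated treatment units – General safety and performance requirements for design and testing, is being introduced to provide general safety and performance requirements for the product design and performance testing of non-sewered sanitation systems with prefabricated integrated treatment units. It will apply to all integrated sanitation systems that are not connected to a sewer.

In the integrated systems covered by ISO 30500, front-end collection, conveyance and full treatment all take place within the non-sewered sanitation system, so that the solid, liquid and gaseous output can be safely reused or disposed of. The key difference between this International Standard and comparable standards is that the back end is not connected to a sewer network.

ISO 30500 will cover criteria for the safety, functionality, usability, reliability and maintainability of non-sewered sanitation systems, as well as the system's compatibility with environmental protection goals. It does not include guidance on selection, installation, operation and maintenance procedures, nor the management of non-sewered sanitation systems, and it does not replace manufacturers' instructions and user manuals.

Non-sewered sanitation systems can be used in different places around the world, including urban and rural communities without sewer systems and urban communities seeking sustainable sanitation solutions. They are suitable not only for temporary or permanent settlements, including refugee camps, but also for public or private use in remote areas.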

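1. Improving public health is only the beginning

As is well known, human excreta contain large numbers of germs and are a perfect habitat for bacteria, viruses, fungi, larvae and other pathogens. Human excreta therefore need to be treated properly to avoid the risk of disease. The outputs of sanitation systems that meet the requirements of ISO 30500 will not contain these pathogens. The standard will therefore help protect individuals, communities and resources such as drinking water from pollution and prevent outbreaks of potentially fatal diseases.

In addition, it allows the development and promotion of stand-alone non-sewered sanitation systems that are economically, socially and environmentally sustainable. This can be achieved in two ways: by minimizing resource consumption (especially water use) and by having the system produce useful by-products (such as solid nutrients, liquid nutrients, reclaimed water, material for producing fuel and other reusable outputs).

2. Manufacturers benefit greatly

In general, International Standards are strategic tools that reduce costs, typically by minimizing waste, reducing errors, increasing productivity and facilitating free and fair global trade. ISO 30500 will assure manufacturers of non-sewered sanitation systems, governments, regulators and end users that the non-sewered facilities they use are of high quality, safe and reliable.

With the publication of ISO 30500, manufacturers of non-sewered sanitation systems will benefit from the wide-ranging, well-established advantages of the standard. The first is the substantial saving in time and resources that comes from proven guidelines endorsed by industry experts. Because the basic elements of the product are already settled by the standard, manufacturers have more time to develop new features that make their products stand out in the market.

Creating a level playing field for manufacturers has a twofold benefit: it reassures consumers on the basis of reliable, industry-recognized technology, and it stimulates competitive innovation among manufacturers. International Standards are also an important enabler of cross-border trade, because they provide an internationally recognized system that combines compatibility and consistency while giving customers the assurance of ISO certification, since ISO is a trusted brand worldwide.

In a sector where regulations can differ greatly between countries or even local governments, manufacturers can innovate and develop sanitation systems with greater confidence. They can promote their systems to the public, users and customers as ISO 30500 certified.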

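3. Better user protection policy

The new standard can also lay a solid foundation for national or local regulation of non-sewered sanitation systems. Like all ISO standards, ISO 30500 represents best practice and reflects the consensus of regulators, manufacturers and users from around the world. This makes it a useful resource when developing regulations, and regulators can benefit from the consolidated opinion of experts without having to call on the experts directly; regulators and governments can access and draw on a constantly updated source of information and experience.

The greatest beneficiaries, however, are the people who use toilets in non-sewered areas. The requirements in the standard will drive innovation, which means better-equipped toilets in areas not yet covered by infrastructure such as plumbing and electricity. In homes and communities, people who use toilets that conform to the standard can be confident that their non-sewered sanitation systems are reliable, safe, hygienic and odour-free, and may even produce by-products for reuse. Everyone wins!

4. Developed by experts

Experts from 31 countries around the world have reached consensus on the standard; they represent a broad range of stakeholders such as industry, government, academia and non-governmental organizations. The draft of ISO 30500 was prepared by ISO/PC 305 (the project committee on non-sewered sanitation systems), and two liaison organizations, the African Water Association (AfWA) and the Toilet Board Coalition (TBC), also contributed to the development of the standard.

ISO 30500 is expected to be published in 2018.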

 

ISO 30500 to boost global health in places without sewers

In many places around the world, rural and urban populations have to use toilets that aren’t connected to mains sewers. In many cases, city planners are working hard to address this by investing in infrastructures. But for millions of people, non-sewered systems are the only option and with waterborne diseases posing major risks to human health, it’s important to get it right. That’s where an upcoming Draft International Standard comes in.

ISO 30500, Non-sewered sanitation systems – Prefabricated integrated treatment units – General safety and performance requirements for design and testing, seeks to provide general safety and performance requirements for the product design and performance testing of non-sewered sanitation systems for prefabricated integrated treatment units. It will apply to any integrated sanitation system that is not attached to a sewer.

In an integrated system like the ones covered by ISO 30500, the frontend collects, conveys and fully treats the specific input within the non-sewered sanitation system, to allow for safe reuse or disposal of the generated solid, liquid and gaseous output. The crucial distinction of this International Standard is that the backend is not connected to a networked sewer system. 

ISO 30500 will contain criteria for the safety, functionality, usability, reliability and maintainability of non-sewered sanitation systems, as well as the system’s compatibility with environmental protection goals. It excludes guidelines for selection, installation, operation and maintenance procedures, or management of non-sewered sanitation systems, and neither incorporates nor substitutes for manufacturers’ instructions and user manuals. 

Non-sewered sanitation systems can be used in a number of different places around the world. These include urban and rural communities without access to sewer systems and urban communities pursuing sustainable sanitation solutions. They are suitable for use in temporary or permanent settlements, including refugee camps, and are equally suited to both public or private use in isolated locations.

Improving public health is just the beginning

It’s a straightforward fact that human waste contains numerous germs. As the perfect habitat for bacteria, viruses, fungi, worms and other pathogens, human waste needs to be treated carefully to avoid risks to health. The outputs of sanitation systems that meet ISO 30500’s requirements will be free of these pathogens; thus the standard will help protect individuals, communities and resources such as drinking water from pollution and outbreaks of potentially lethal diseases. 

It additionally enables the development of stand-alone non-sewered sanitation systems that promote economic, social and environmental sustainability. This can be achieved by minimizing resource consumption (particularly water use) and enabling the production of useful by-products, such as liquid and solid nutrients, water for reuse, material for the generation of fuel and other reusable outputs, depending on the system. 

Benefits for manufacturers 

In general, International Standards are strategic tools that reduce costs by minimizing waste and errors, increasing productivity and facilitating free and fair global trade. ISO 30500 will give assurance to manufacturers of non-sewered sanitation systems, governments, regulators and end users that the non-sewered facilities they use are safe, reliable and of good quality. 

With the publication of ISO 30500, manufacturers of non-sewered sanitation systems gain from the wide range of well-established benefits that International Standards bring. First among these is the time and resource savings that go with following a tried-and-tested formula agreed to by industry experts. Once the fundamentals have been taken care of, it leaves more time for further development of the features that really make a product stand out in the marketplace. 

Creating a level playing field among manufacturers has the twofold advantage of reassuring consumers and stimulating competitive innovations on a technically solid, industry-wide base. At the same time, International Standards are a great facilitator of cross-border trade, as they provide an internationally recognized system that favours compatibility and consistency while giving customers the reassurance of the ISO name. That same recognition is also a help when it comes to marketing, since the ISO brand is trusted the world over.

In a sector where regulations may vary significantly by country, or even municipality, manufacturers can feel more secure with their innovation, research and development in sanitation systems. If they so choose, they can promote their systems towards the public, users and clients as being ISO 30500 certified. 

Better policy for user protection

The new standard can also provide a sound basis for the development of national or local regulation for non-sewered systems. That’s because, in common with all ISO standards, ISO 30500 represents best practices and reflects the consensus of regulators, manufacturers and users from across the world. That makes International Standards a useful resource when developing regulations, and gives regulators the benefit of the consolidated opinion of experts without having to call on their services directly. It will enable regulators and government to tap into a constantly updated source of information and experiences. 

And more than anyone else, it’s toilet users in non-sewered areas who are going to experience the widest benefits. The requirements of the standard will drive innovation, meaning better toilets will be available in areas where infrastructure such as plumbing and electricity are not feasible. In homes and communities, users of toilets that conform to the standard can be sure their non-sewered sanitation systems will be reliable, safe, hygienic, odour-free, and may even produce by-products that can be reused by the community. When this happens, everyone wins!

Developed by experts

Experts from 31 countries worldwide representing a broad range of stakeholder categories, such as industry, government, academia and non-governmental organizations, have come together to form consensus on the standard. The draft of ISO 30500 was prepared by ISO/PC 305, the project committee on non-sewered sanitation systems, with two liaison organizations, the African Water Association (AfWA) and the Toilet Board Coalition (TBC), also contributing to the standard’s development. 

ISO 30500 is expected to be published in 2018.

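Setting standards for good governance reported in the latest ISOfocus magazine

Abuse of office for private gain. Collapsed trust. Poor governance can have disastrous consequences. It can also threaten market stability, distort competition and endanger economic development.

How can organizations govern well? The November/December 2017 issue of ISOfocus describes the crucial and intricate changes organizations need to make to achieve and maintain good governance, focusing on ways to improve business practices and policies and on where ISO standards can help.

This issue covers key topics ranging from risk management and business continuity to sustainable procurement, and also gives a full introduction to ISO 37001, the standard on anti-bribery management systems, which is particularly useful in today's governance.

This updated November/December 2017 issue includes testimonials from some well-known companies, highlighting why ISO standards are good for business, what key factors need to be considered when implementing them, and the role these standards play in building a trusted, resilient organization. Since their implementation, these standards have brought many key benefits.

Judd Hesselroth, Programs Director in Microsoft's Office of Legal Compliance, believes ISO 37001 enables organizations to fight bribery more effectively. He says: “We think ISO 37001 will become an important tool for advancing anti-corruption efforts worldwide. For companies doing business globally, a consistent international standard is very important.”

An organization's long-term survival requires good governance, but what form should it take? There are no easy, instant solutions, and defining an appropriate approach to governance is of vital interest to society, organizations and stakeholders.

In this issue's opening page, ISO Secretary-General Sergio Mujica stresses the importance of good governance for the future of ISO itself. “However, although ISO is already internationally renowned, that is far from enough. We must regularly evaluate our stakeholders' needs, expectations and satisfaction, and keep striving to do better. The governance documents revised at the last ISO General Assembly in Berlin were intended to bring greater clarity to important issues that earlier governance reviews had not resolved.”

Finally, this issue focuses on the recently held 40th ISO General Assembly and the winner of this year's Lawrence D. Eicher Award (Lawrence D. Eicher was a former ISO Secretary-General, now deceased).

If you are thinking about adopting ISO standards, or want to get ahead and improve your approach to governance, do not miss the latest ISOfocus. We hope it brings you inspiration, and we look forward to your own insights and sparks of new ideas.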

 

Setting standards for good governance in the latest ISOfocus

Abuse of office for private gains. Trust undermined. Poor governance can have disastrous consequences. It can also threaten market integrity, distort competition and endanger economic development.

How can organizations improve good governance? In its November/December 2017 issue, ISOfocus gives an overview of the most interesting, important and complex changes needed to implement and sustain good governance. It looks at ways to improve business practices and policies and where ISO standards can contribute.

This edition offers coverage of key issues ranging from risk management and business continuity to sustainable procurement. It also provides a complete picture of ISO 37001 on anti-bribery management systems, particularly useful in today’s governance matters.

Updated throughout, this November/December 2017 issue contains testimonials from some of today’s most important companies, highlighting why ISO standards are good for business, what key considerations are needed for implementing them and their role in building a trusted, resilient organization. Along the way, it illuminates many key benefits thus far overlooked.

For Judd Hesselroth, Programs Director in Microsoft’s Office of Legal Compliance, ISO 37001 equips organizations to strengthen their fight against bribery. “We think ISO 37001 is going to be an important tool for improving anti-corruption efforts worldwide,” he says. “The fact that the standard will be consistent across borders is also very important for companies doing business globally.”

Good governance is essential for an organization’s long-term survival – but what form should it take? There are no simple solutions but defining an appropriate approach to governance is fundamental to ensure favourable outcomes for society, organizations and stakeholders alike.

In the magazine’s opening comment, ISO Secretary-General Sergio Mujica underlines the importance of good governance for the future of ISO itself. “Yet, to be perceived as the best in the international class is not enough; we must be on a constant quest for progress and the regular evaluation of our stakeholders’ needs, expectations and satisfaction. Updating our set of governance documents at the last ISO General Assembly in Berlin was the occasion to do just that: provide increased clarity on important issues that were unresolved with the previous governance reviews.”

Finally, this latest issue puts the spotlight on the recently held 40th ISO General Assembly and the winner of this year’s Lawrence D. Eicher Award for excellence and superior performance.

If you’re thinking about using ISO standards or want to get ahead of the governance curve, look no further than the latest ISOfocus. We hope this issue gives you inspiration, insight and some new ideas of your own.

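International standards work looks to curb theft of personal information

Uber makes headlines for its response to the theft of the personal information of 57 million drivers and users

 

High-profile corporate data breaches have prompted countries around the world to investigate potential reforms to policy and regulation. One of the best-known examples is the General Data Protection Regulation, issued by the European Union and taking effect in May 2018, which offers a point of reference for the whole world.

Personal privacy has taken on new dimensions in today’s hyperconnected world. As sectors such as health insurance and financial services go digital, the need to protect personal data is becoming ever more urgent. More and more organizations are processing personal data, and the volume keeps growing.

The ‘Code of Practice for the Protection of Personally Identifiable Information’, developed by the world’s three leading standards bodies, IEC (International Electrotechnical Commission), ISO (International Organization for Standardization) and ITU (International Telecommunication Union), provides an International Standard for custodians of personal data.

The voluntary standard ISO/IEC 29151 | ITU-T X.1058 provides a valuable reference for governments and industry working to strengthen the protection of personal data.

It establishes the objectives of data-protection controls, specifies the controls required and provides guidance for their implementation. It also shows how these controls can be arranged to meet the requirements that organizations identify when assessing the risks and impacts relevant to personal data protection.

Beyond the augmented provisions of ISO/IEC 27002, the annex to ITU X.1058 provides an extended set of controls for personal data. The annex details the control objectives relevant to ‘consent and choice’ and the related ‘participation of personal data principals’, that is, the participation of the people whose approval the data requires. They provide guidance on judging whether retaining personal data is appropriate by examining ‘purpose legitimacy’. They encourage the pursuit of ‘collection limitation’, ‘data minimization’ and the ‘openness and transparency’ of organizational policy on personal data.

ISO/IEC 29151 | ITU-T X.1058 was compiled with the assistance of the ISO/IEC standards expert group for ‘security techniques’; ISO/IEC JTC 1/SC 27 and ITU-T Study Group 17 build confidence and security in the use of information and communication technologies.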

 

International Standard looks to curb theft of personal data

Uber is making headlines for its reaction to the theft of the personal data of 57 million drivers and users

Geneva, Switzerland, 27 November 2017 – The July 2017 breach of Equifax, a large US credit bureau, exposed the social security numbers, birthdates and addresses of 143 million people. Yahoo last month – just prior to its acquisition by Verizon – shared new intelligence that a data breach in 2013 thought to have affected a billion users had in fact compromised all three billion Yahoo user accounts.

The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation to come into force in May 2018, with global implications.

Privacy has taken on new dimensions in our hyperconnected world. The need to protect personal data is increasing in urgency with the digital transformation of sectors such as healthcare and financial services. More and more organizations are processing personal data, all of them dealing with an increasing amount of this data.

Personal data custodians have received new guidance from IEC, ISO and ITU – the three leading international standards bodies – in the form of an International Standard providing a ‘Code of Practice for the Protection of Personally Identifiable Information’.

The voluntary standard, ISO/IEC 29151 | ITU-T X.1058, provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data.

It establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.

An Annex integral to ITU X.1058 provides an extended set of controls for personal data beyond the standard’s augmented provisions of ISO/IEC 27002.

The Annex details control objectives relevant to ‘consent and choice’ and the related ‘participation of personal data principals’, the people with whom data can be identified. They look at ‘purpose legitimacy’ to provide guidance as to whether or not the retention of personal data is appropriate. They encourage the pursuit of ‘collection limitation’ and ‘data minimization’ as well as the ‘openness and transparency’ of organizational policy with respect to personal data.

ISO/IEC 29151 | ITU-T X.1058 was developed in collaboration by the ISO/IEC standardization expert group for ‘security techniques’, ISO/IEC JTC 1/SC 27, and ITU-T Study Group 17, ‘building confidence and security in the use of ICTs’.

 


 
