
What does control A.1.4.5 require?

The organisation shall define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.

This control sits within the PII minimization objective (A.1.4) and serves as the planning layer for all minimisation activities. While controls like A.1.4.2 (limit collection) and A.1.4.3 (limit processing) address specific aspects of minimisation, A.1.4.5 requires the organisation to take a step back and define what it is trying to achieve overall and which tools it will use to get there.

What does the implementation guidance say?

Annex B (section B.1.4.5) provides the following guidance:

  • Identify minimisation mechanisms — The organisation should consider a range of techniques including de-identification, pseudonymisation, aggregation and deletion of unnecessary fields
  • Map mechanisms to PII categories — Document which minimisation mechanism is applied to each category of PII, creating a clear record of how data is reduced or protected
  • Review periodically — Minimisation objectives and the mechanisms used should be reviewed at regular intervals to ensure they remain appropriate as processing activities, technology and risks evolve
  • The choice of mechanism should reflect the sensitivity of the PII, the purposes for which it is processed and the risks to PII principals
  • See also A.1.4.4: Accuracy and Quality for related requirements
  • See also A.1.4.10: PII Transmission Controls for related requirements

This control is about having a deliberate, documented strategy rather than applying minimisation techniques on an ad-hoc basis. The organisation should be able to show auditors a clear picture of its minimisation approach across all PII categories.

How does this map to GDPR?

Control A.1.4.5 maps to two GDPR articles:

  • Article 5(1)(c) — Data minimisation: personal data must be adequate, relevant and limited to what is necessary
  • Article 5(1)(e) — Storage limitation: personal data should be kept in a form which permits identification of data subjects for no longer than is necessary

Together, these principles require organisations to think strategically about minimisation, which is exactly what A.1.4.5 demands through its requirement to define objectives and select appropriate mechanisms.

How does this relate to ISO 29100 privacy principles?

This control supports two ISO 29100 principles:

  • Data minimization — The overarching requirement to minimise PII processing to what is strictly necessary
  • Use, retention and disclosure limitation — Limiting the use and retention of PII, which minimisation mechanisms such as de-identification and aggregation directly support


What evidence do auditors expect?

When assessing compliance with A.1.4.5, auditors will typically look for:

  • Minimisation policy or strategy — A documented statement of the organisation’s minimisation objectives, including what outcomes it aims to achieve
  • Mechanism register — A record mapping each PII category to the minimisation mechanism applied (e.g. pseudonymisation for analytics data, aggregation for reporting data, deletion for temporary processing data)
  • Technique selection rationale — Evidence that the choice of minimisation technique was considered against the sensitivity, purpose and risk, not applied arbitrarily
  • Periodic review records — Evidence that objectives and mechanisms are reviewed as part of the management review cycle, with updates when processing activities change
  • Implementation evidence — Proof that the documented mechanisms are actually in use (e.g. pseudonymisation configurations, aggregation outputs, deletion logs)

What are the related controls?

Control and its relationship to A.1.4.5:

  • A.1.4.2 Limit collection: Collection limitation is one of the tactical controls that minimisation objectives govern
  • A.1.4.3 Limit processing: Processing limitation is driven by the minimisation objectives
  • A.1.4.6 De-identification and deletion: De-identification is a key mechanism for meeting minimisation objectives
  • A.1.4.7 Temporary files: Disposal of temporary files is part of the minimisation strategy
  • A.1.4.8 Retention: Retention periods define the time dimension of minimisation
  • A.1.4.9 Disposal: Secure disposal is the final step in the minimisation lifecycle

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, minimisation objectives were covered under Clause 7.4.4 (PII minimization objectives). The 2025 control is substantively the same, with the same focus on defining objectives and selecting mechanisms. The restructured format provides clearer implementation guidance in Annex B, and the explicit mention of de-identification as an example mechanism in the control statement itself gives stronger direction. See the Annex F correspondence table for the full mapping.


Why choose ISMS.online for managing PII minimisation objectives?

ISMS.online helps you move from ad-hoc minimisation to a structured, auditable strategy:

  • Objective setting framework — Define minimisation objectives at the organisational and processing-activity level, creating a layered strategy that auditors can follow
  • Mechanism mapping — Link each PII category to its assigned minimisation technique (pseudonymisation, aggregation, deletion) with documentation of the rationale
  • Technique library — Access a reference library of minimisation techniques to help you select the most appropriate mechanism for each use case
  • Review workflows — Schedule periodic reviews of minimisation objectives with automated reminders and structured review templates
  • Cross-control visibility — See how your minimisation objectives connect to collection limits, processing limits, de-identification, retention and disposal in a unified view
  • Progress tracking — Monitor implementation of minimisation mechanisms with status dashboards and task assignments

FAQs

What is the difference between de-identification and pseudonymisation?

De-identification is the broader term for removing or obscuring identifying information so that PII principals cannot be identified. Pseudonymisation is a specific type of de-identification where direct identifiers are replaced with artificial identifiers (pseudonyms), but the data can still be re-linked to the individual using a separate key. Pseudonymised data remains PII under most regulations because re-identification is possible. Fully de-identified data that cannot be re-identified may fall outside the scope of privacy regulations, depending on the jurisdiction.
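The distinction above, and the "mechanism register" auditors look for earlier on this page, as an added Python illustration that is not code from the page or from ISMS.online: a hypothetical register maps each PII field to a mechanism, and keyed pseudonymisation stays re-linkable only through a key and lookup table held separately from the dataset, while deletion and generalisation do not re-link. The field names, key and record values are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample record; every value is made up for illustration.
SAMPLE_RECORD = {
    "email": "alice@example.com",   # direct identifier
    "full_name": "Alice Example",   # direct identifier, not needed for analytics
    "age": 34,                      # indirect identifier
    "pages_viewed": 12,             # non-identifying measurement
}

# Hypothetical mechanism register: PII field -> minimisation mechanism.
MECHANISM_REGISTER = {
    "email": "pseudonymise",   # re-linkable via separately held key
    "full_name": "delete",     # unnecessary field removed entirely
    "age": "generalise",       # reduced to a 10-year band
    "pages_viewed": "keep",    # not PII on its own
}


class Pseudonymiser:
    """Keyed pseudonymisation. The key and lookup table are the 'separate key'
    from the FAQ: without them the pseudonym cannot be re-linked."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: Dict[str, str] = {}  # pseudonym -> original, kept with the key

    def pseudonymise(self, value: str) -> str:
        # HMAC-SHA256 is deterministic per key, so the same person gets the same
        # pseudonym across records, but unkeyed parties cannot reverse it.
        token = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = value
        return token

    def relink(self, token: str) -> Optional[str]:
        return self._lookup.get(token)


def age_band(age: int) -> str:
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def apply_register(record: dict, register: dict, pseud: Pseudonymiser) -> dict:
    out = {}
    for field, value in record.items():
        mechanism = register.get(field, "delete")  # unknown fields are dropped
        if mechanism == "pseudonymise":
            out[field] = pseud.pseudonymise(value)
        elif mechanism == "generalise":
            out[field] = age_band(value)
        elif mechanism == "keep":
            out[field] = value
    return out
```

Because the output stays re-linkable by whoever holds the `Pseudonymiser` key, it remains PII in the sense the FAQ describes; only the deleted and generalised fields have been de-identified outright.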


Do minimisation objectives need to be measurable?

The standard requires objectives to be defined and documented but does not mandate quantitative targets. However, measurable objectives (such as “reduce the number of PII fields collected by 20% within 12 months” or “pseudonymise all analytics data within 30 days of collection”) are more useful for tracking progress and demonstrating commitment to auditors. Where possible, set objectives that can be verified.


How does this control relate to data protection by design?

A.1.4.5 is a core part of data protection by design. By defining minimisation objectives upfront and selecting mechanisms before processing begins, the organisation embeds privacy into the design of its processing activities rather than retrofitting it. This proactive approach is exactly what GDPR Article 25 (data protection by design and by default) requires.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
