Understanding ISO 27701 Clause 5.2: Context of the Organisation

Privacy protection is a complicated legislative topic that incorporates non-judicial and judicial guidance from a wide range of sources.

Throughout its entire series of controls, ISO makes constant reference to the unique commercial, privacy-based and logistical needs of any organisation that deals with PII.

ISO 27701 5.2 covers what can broadly be described as a series of mapping exercises for organisations seeking to understand their obligations to internal and external employees, and how they interact with third-party organisations from a compliance and PII perspective.

What’s Covered in ISO 27701 Clause 5.2

ISO 27701 5.2 contains four sub-clauses that relate to privacy protection and the processing/control of PII, each of which corresponds to a linked clause within ISO 27001 (which acts as the master guidance document).

In addition, ISO 27701 contains extra guidance points for organisations seeking to implement a PIMS, with pointers on how to apply both the ISO 27701 and ISO 27001 guidelines to this specific topic.

Organisations need to view and implement ISO 27701 alongside the relevant articles of the GDPR. Where applicable, we’ve highlighted the relevant GDPR articles alongside the corresponding sub-clauses.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.

ISO 27701 Clause 5.2.1 – Understanding the Organisation and Its Context

References ISO 27001 Control 4.1

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Additional PIMS and PII Guidance

Before attempting to address privacy protection and implement a PIMS, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  1. Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’;
  2. Taking into account the organisation’s unique set of requirements relating to the products and services it sells, along with company-specific governance documents, policies and procedures;
  3. Any administrative factors, including the day-to-day running of the company;
  4. Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

Applicable GDPR Articles

  • Article 24 – Responsibility of the controller
    • Applicable section – (3)
  • Article 25 – Data protection by design and default
    • Applicable section – (3)
  • Article 28 – Processor
    • Applicable sections – (5), (6), (10)
  • Article 32 – Security of processing
    • Applicable section – (2)
  • Article 40 – Codes of conduct
    • Applicable sections – (1), (2)(a), (2)(b), (2)(c), (2)(d), (2)(e), (2)(f), (2)(g), (2)(h), (2)(i), (2)(j), (2)(k), (3), (4), (5), (6), (7), (8), (9), (10), (11)
  • Article 41 – Monitoring of approved codes of conduct
    • Applicable sections – (1), (2)(a), (2)(b), (2)(c), (2)(d), (3), (4), (5), (6)
  • Article 42 – Certification
    • Applicable sections – (1), (2), (3), (4), (5), (6), (7), (8)

ISO 27701 Clause 5.2.2 – Understanding the Needs and Expectations of Interested Parties

References ISO 27001 Control 4.2

PII and privacy protection have the potential to impact a large number of employees, users and customers, both internally and externally.

Organisations need to gain a firm understanding of the needs of any affected personnel and of what ISO terms ‘interested parties’.

Organisations need to establish and document:

  • Any ‘interested parties’ that are relevant to the broader topic of privacy protection;
  • What the unique requirements of said parties are within the scope of a PIMS.

Organisations should also take into account any legal, regulatory or contractual obligations, alongside practical and operational requirements.

Additional PIMS and PII Guidance

When implementing a PIMS, organisations need to map out a list of interested parties that are either affected by a PIMS, or have a role to play in processing PII.

Where PII is concerned, an interested party could be any of the following, among others:

  1. An employee;
  2. A customer;
  3. Regulatory, judicial or supervisory authorities;
  4. Other PII controllers and processors.

It’s important to note that PII requirements – as related to a PIMS – often emanate from a wide range of sources, including:

  1. Internal processes and goals;
  2. Governmental and/or regulatory bodies;
  3. Contractual obligations with third-party organisations.

Governing and regulatory bodies can often find it difficult to confirm that an organisation, in its role as a PII processor and controller, adheres to published privacy protection standards.

As such, organisations need to expect such bodies to call for independent reviews of any relevant Management System, in order to satisfy their own auditing requirements.

Applicable GDPR Articles

  • Article 31 – Cooperation with the supervisory authority
  • Article 35 – Data protection impact assessment
    • Applicable section – (9)
  • Article 36 – Prior consultation
    • Applicable sections – (1), (2), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (5)

ISO 27701 Clause 5.2.3 – Determining the Scope of the Information Security Management System

References ISO 27001 Control 4.3

ISO recommends a thorough scoping exercise, so that organisations are able to produce a PIMS that firstly meets their privacy protection requirements, and secondly does not creep into areas of the business that aren’t in need of attention.

Organisations should establish and document:

  1. Any external or internal issues, as outlined in ISO 27001 4.1;
  2. Third-party requirements as outlined in ISO 27001 4.2;
  3. How the organisation interacts both internally and with external bodies (e.g. customer touchpoints, ICT interfaces).

Additional PIMS and PII Guidance

All scoping exercises that map out a PIMS implementation should include a thorough assessment of PII processing and storage activities.

Applicable GDPR Articles

  • Article 32 – Security of processing
    • Applicable section – (2)

ISO 27701 Clause 5.2.4 – Information Security Management System

References ISO 27001 Control 4.4

Organisations should seek to implement, manage and optimise a PIMS, in line with published ISO standards.

Applicable GDPR Articles

  • Article 32 – Security of processing
    • Applicable section – (2)

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles
--------------------------- | --------------------- | --------------------- | ------------------------
5.2.1 | Understanding the Organisation and Its Context | 4.1 – Understanding the Organisation and Its Context for ISO 27001 | Articles 24, 25, 28, 32, 40, 41, 42
5.2.2 | Understanding the Needs and Expectations of Interested Parties | 4.2 – Understanding the Needs and Expectations of Interested Parties for ISO 27001 | Articles 31, 35, 36
5.2.3 | Determining the Scope of the Information Security Management System | 4.3 – Determining the Scope of the ISMS for ISO 27001 | Article 32
5.2.4 | Information Security Management System | 4.4 – Information Security Management System (ISMS) for ISO 27001 | Article 32

How to Achieve ISO 27701 Compliance Through ISMS.online

The ISMS.online platform offers a customisable PIMS facility that monitors, reports and audits against both ISO 27001 and ISO 27701 at the click of a button.

Our solution features a dynamic Records of Processing Activity tool that removes the headaches involved with data mapping, data recording and auditing, with a built-in risk bank that offers practical assistance throughout the assessment and management process.

ISO 27701 5.2 features a range of guidance points on third party privacy standards and the relationship between a PII controller and a data subject, via a mandated Data Subjects Rights Request (DRR). Our DRR management system offers a centralised administration hub that deals with everything from requests through to reporting and analytics.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online by booking a demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.