Privacy protection is a complicated legislative topic that incorporates non-judicial and judicial guidance from a wide range of sources.
Throughout its entire series of controls, ISO makes constant reference to the unique commercial, privacy-based and logistical needs of any organisation that deals with PII.
ISO 27701 5.2 covers what can broadly be described as a series of mapping exercises for organisations seeking to understand their obligations to internal and external employees, and how they interact with third-party organisations from a compliance and PII perspective.
ISO 27701 5.2 contains four sub-clauses that relate to privacy protection and the processing/control of PII, each of which corresponds to a linked clause within ISO 27001 (which acts as the master guidance document).
In addition, ISO 27701 contains extra guidance points for organisations seeking to implement a PIMS, with pointers on how to apply both the ISO 27701 and ISO 27001 guidelines to this specific topic.
Organisations need to view and implement ISO 27701 alongside the articles contained within governmental GDPR guidelines. Where applicable, we’ve highlighted the relevant GDPR articles alongside their adjoining subclauses.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.
The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.
Before attempting to address privacy protection and implement a PIMS, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.
This includes:
PII and privacy protection have the potential to impact a large number of employees, users and customers, both internally and externally.
Organisations need to gain a firm understanding of the needs of any affected personnel and what ISO deems as ‘interested parties’.
Organisations need to establish and document:
Organisations should also take into account any legal, regulatory or contractual obligations, alongside practical and operational requirements.
When implementing a PIMS, organisations need to map out a list of interested parties that are either affected by a PIMS, or have a role to play in processing PII.
Where PII is concerned, an interested party could be one of the following (but not limited to):
It’s important to note that PII requirements – as related to a PIMS – often emanate from a wide range of sources, including:
It can often be difficult for governing and regulatory organisations to confirm adherence to published privacy protection standards on the part of an organisation, in its role as a PII processor and controller.
As such, organisations need to expect such bodies to call for independent reviews of any relevant Management System, in order to satisfy their own auditing requirements.
ISO recommends a thorough scoping exercise, so that organisations are able to produce a PIMS that firstly meets its privacy protection requirements, and secondly does not creep into areas of the business that aren’t in need of attention.
Organisations should establish and document:
All scoping exercises that map out a PIMS implementation should include a thorough assessment of PII processing and storage activities.
Organisations should seek to implement, manage and optimise a PIMS in line with published ISO standards.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
---|---|---|---|
5.2.1 | Understanding the Organisation and Its Context | 4.1 – Understanding the Organisation and Its Context for ISO 27001 | Articles (24), (25), (28), (32), (40), (41), (42) |
5.2.2 | Understanding the Needs and Expectations of Interested Parties | 4.2 – Understanding the Needs and Expectations of Interested Parties for ISO 27001 | Articles (31), (35), (36) |
5.2.3 | Determining the Scope of the Information Security Management System | 4.3 – Determining the Scope of the ISMS for ISO 27001 | Article (32) |
5.2.4 | Information Security Management System | 4.4 – Information Security Management System (ISMS) for ISO 27001 | Article (32) |
The ISMS.online platform offers a customisable PIMS facility that monitors, reports and audits against both ISO 27001 and ISO 27701 at the click of a button.
Our solution features a dynamic Records of Processing Activity tool that removes the headaches involved with data mapping, data recording and auditing, with a built-in risk bank that offers practical assistance throughout the assessment and management process.
ISO 27701 5.2 features a range of guidance points on third party privacy standards and the relationship between a PII controller and a data subject, via a mandated Data Subjects Rights Request (DRR). Our DRR management system offers a centralised administration hub that deals with everything from requests through to reporting and analytics.
Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online by booking a demo.