ISO 27701, Clause 5.3 – Leadership

ISO 27701 Controls and Clauses Explained


Organisational leadership and management are a recurring theme throughout ISO’s information security management system standards.

Policies and procedures are only effective if they are both acknowledged and uniformly adhered to. Senior management plays a key role in ensuring that PII and PIMS-related activities are treated with the seriousness warranted by their role in minimising privacy risk and improving information security across the organisation.

What’s Covered in ISO 27701 Clause 5.3

Clause 5.3 deals directly with top management’s role in establishing a PIMS that meets the organisation’s external obligations and PII requirements from the ground up, through three key areas:

  • Leadership and commitment.
  • Policy.
  • Organisational roles, responsibilities and authorities.

To achieve this, ISO 27701 Clause 5.3 contains three sub-clauses, each of which applies the corresponding requirement from ISO 27001:2013 Clause 5 (5.1, 5.2 and 5.3).

ISO 27701 does not replace those requirements; it extends them. Wherever ISO 27001 refers to “information security”, the requirement should be read as covering information security and privacy protection together, so each sub-clause below should be interpreted in terms of establishing and maintaining a PIMS, securing PII and protecting privacy, not information security in isolation.


ISO 27701 Clause 5.3.1 – Leadership and Commitment

References ISO 27001:2013 Clause 5.1

ISO 27001:2013 Clause 5.1 lists eight ways in which top management demonstrates ‘leadership and commitment’ to the management system; under ISO 27701 these apply to the PIMS and to the protection of PII.

Throughout the process of establishing and operating a PIMS, top management should:

  1. Ensure that the privacy policy and PII-related objectives are established and compatible with the strategic direction of the organisation, so that PIMS-related activities are aligned with what the company is attempting to achieve;
  2. Ensure that the PIMS requirements are integrated into the organisation’s business and information security processes, rather than run as a separate exercise;
  3. Make adequate resources available to implement and maintain a functioning PIMS, including budget and sufficient, suitably skilled staff;
  4. Communicate the importance of effective privacy management, and of conforming to the PIMS requirements, to all staff within the organisation, not merely those who directly interact with the PIMS, to maximise buy-in and improve adherence;
  5. Agree upon a clear set of intended outcomes, and ensure the PIMS achieves them, so that its performance and its impact upon PII security can be measured;
  6. Direct and support any employee who contributes to the effectiveness of the PIMS, and nurture a proactive attitude towards safeguarding PII;
  7. Promote continual improvement of the PIMS;
  8. Support other relevant managers in demonstrating leadership within the areas of their responsibility that relate to PIMS activities and PII security.

ISO 27701 Clause 5.3.2 – Policy

References ISO 27001:2013 Clause 5.2

Information security and privacy policies are the bread and butter of an organisation’s wider privacy protection efforts.

Senior management uses policies and procedures not only to improve information security and privacy risk management as a whole, but also as a yardstick for staff conduct and as evidence to legal and regulatory authorities that the organisation is fulfilling its obligations towards PII.

Information security policies relating to privacy protection, PII and PIMS should:

  1. Remain relevant and appropriate to the purpose, commercial context and resources of the organisation;
  2. Outline a clear set of PII-related objectives or, where specific objectives are not yet defined, provide a framework for setting future security and privacy objectives (see ISO 27001 Clause 6.2*);
  3. Include a commitment to satisfy applicable requirements relating to PII, including those imposed by legislation, regulators, contracts and advisory bodies;
  4. Include a commitment to the ongoing evaluation and continual improvement of the organisation’s PIMS.

Once established, policies should be maintained as version-controlled documented information, made readily available to all relevant staff (and, where appropriate, to interested parties outside the organisation), and communicated throughout the organisation both at the point of creation and whenever an amendment is made that could affect PII security.


ISO 27701 Clause 5.3.3 – Organisational Roles, Responsibilities and Authorities

References ISO 27001:2013 Clause 5.3

Throughout its family of information security standards, ISO makes continual reference to role-based activities, based on a person’s job type and assigned responsibilities.

ISO 27701 Clause 5.3.3 asks organisations to ensure that anyone who processes PII, interacts with the PIMS, or is responsible for privacy protection has a clearly defined role and understands precisely what they are responsible for (including senior management themselves), and that these responsibilities and authorities are communicated within the organisation.

In particular, top management should assign responsibility and authority for (a) ensuring that the PIMS conforms to the requirements of ISO 27701 and ISO 27001, and (b) reporting on the performance of the PIMS to top management at regular intervals, so that the reviews in the later clauses of the standard have accurate input.

Supporting Controls From ISO 27001 and GDPR

*Control 6.2 – Information security objectives and planning to achieve them (referenced within ISO 27701 Clause 5.3.2)

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles |
| --- | --- | --- | --- |
| 5.3.1 | Leadership and Commitment | 5.1 – Leadership and Commitment | None |
| 5.3.2 | Policy | 5.2 – Information Security Policy | None |
| 5.3.3 | Organisational Roles, Responsibilities and Authorities | 5.3 – Organisational Roles, Responsibilities and Authorities | None |
