Planning for Privacy Compliance: Understanding ISO 27701 Clause 5.4

Before implementing a privacy information management system (PIMS), an organisation needs a clear picture of its specific privacy protection and PII objectives at every level of its information security operation.

Risk assessment should be a key element of all organisation-wide privacy protection activities. That means understanding how to identify, analyse and evaluate privacy risks, and how to carry out ‘risk treatment’: modifying each risk through selected controls (technical, organisational or physical), or by avoiding, sharing or formally accepting it.

What’s Covered in ISO 27701 Clause 5.4

ISO 27701 5.4 deals with the steps organisations need to take when planning a PIMS or privacy protection policy.

ISO 27701 5.4 builds on ISO 27001 Clause 6 (Planning), chiefly 6.1 (Actions to address risks and opportunities), and adds PIMS-specific guidance across four sub-clauses:

  • ISO 27701 Clause 5.4.1.1 (References ISO 27001 Clause 6.1.1)
  • ISO 27701 Clause 5.4.1.2 (References ISO 27001 Clause 6.1.2)
  • ISO 27701 Clause 5.4.1.3 (References ISO 27001 Clause 6.1.3)
  • ISO 27701 Clause 5.4.2 (References ISO 27001 Clause 6.2)

Two of these sub-clauses, 5.4.1.2 and 5.4.1.3, relate directly to Article 32 of the GDPR (Security of processing), specifically Articles 32(1)(b) and 32(2).

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.



ISO 27701 Clause 5.4.1.1 – General

References ISO 27001 Clause 6.1.1

In general terms, organisations need to adopt a risk-based approach to planning a PIMS that:

  1. Ensures the PIMS achieves a defined set of privacy protection objectives.
  2. Prevents, or at least reduces, any undesired effects on PII and on the PII principals concerned.
  3. Drives the continual improvement of PII and privacy protection-related activities.

When drafting a plan, organisations need to:

  1. Decide on the specific actions needed to address each identified risk, and integrate those actions into the PIMS processes.
  2. Define how the effectiveness of those actions will be evaluated, and review it regularly.

Relevant ISO 27001 Clauses

The guidance in ISO 27701 5.4.1.1 depends on an organisation already understanding its own context and requirements, and the needs and expectations of its interested parties (internal and external), including the PII principals whose data it holds.

  • ISO 27001 4.1 – Understanding the organisation and its context.
  • ISO 27001 4.2 – Understanding the needs and expectations of interested parties.

ISO 27701 Clause 5.4.1.2 – Information Security Risk Assessment

References ISO 27001 Clause 6.1.2

Organisations should define and implement a privacy protection risk assessment process that:

  • Establishes and maintains risk acceptance criteria, and criteria for when an assessment must be performed.
  • Produces consistent, valid and comparable results every time it is repeated.
  • Identifies privacy protection risks and assigns a risk owner to each one.
  • Identifies the risks associated with the loss of confidentiality, integrity and availability of PII.
  • Analyses each privacy protection risk by:
    • Its potential consequences, should it materialise.
    • The realistic likelihood of it occurring.
    • The resulting level of risk.
  • Evaluates the results against the risk acceptance criteria and prioritises the risks for treatment by their risk level.

Additional PIMS and PII Guidance

Risk assessment activities should address not only information security in general but also the operation of the PIMS itself and the specific processing and storage of PII.

When judging consequences, organisations should consider the impact not just on the company but on the PII principals whose data is affected, should an incident occur.

Applicable GDPR Articles

  • Article 32 – Security of processing
    • Applicable sections – (1)(b), (2)


ISO 27701 Clause 5.4.1.3 – Information Security Risk Treatment

References ISO 27001 Clause 6.1.3

Organisations should define and implement a privacy protection/PII ‘risk treatment process’ that:

  1. Selects an appropriate treatment option for each risk, based on the assessment results and the risk level.
  2. Determines the controls needed to implement the chosen treatment options.
  3. Cross-references those controls with the list in ISO 27001 Annex A, to confirm that no necessary control has been overlooked.
  4. Records each control, and the justification for including or excluding it, in a formal ‘Statement of Applicability’.
  5. Formulates a privacy protection ‘risk treatment plan’.
  6. Obtains the risk owners’ approval of the plan, and their acceptance of any ‘residual’ privacy protection and PII risks, before it is finalised.

Applicable GDPR Articles

  • Article 32 – Security of processing
    • Applicable sections – (1)(b), (2)
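To make the assessment steps of 5.4.1.2 and the treatment checks of 5.4.1.3 concrete, here is an added example of a small privacy risk register in Python. It is illustrative code written for this page, not part of ISO 27701 or of any ISMS.online product. It assumes five-point likelihood and consequence scales, a risk acceptance threshold of 6, and a constructed set of fictional risks and owners; the Annex A references are illustrative and must be checked against the edition of ISO 27001 in use.

```python
"""Privacy risk register: assessment (5.4.1.2) and treatment checks (5.4.1.3)."""
from dataclasses import dataclass, field

# Five-point scales and acceptance criterion, all assumed for this example;
# an organisation defines its own in its risk assessment methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_LEVEL = 6   # likelihood x consequence at or below this needs no further treatment


@dataclass
class Control:
    annex_a_ref: str      # cross-reference to ISO 27001 Annex A (identifiers illustrative)
    name: str
    justification: str    # carried into the Statement of Applicability


@dataclass
class PrivacyRisk:
    risk_id: str
    description: str
    owner: str                    # the risk owner who must accept any residual risk
    affects: tuple                # which of C, I, A of the PII is threatened
    likelihood: str
    consequence_org: str          # consequence for the organisation
    consequence_principals: str   # consequence for the PII principals
    controls: list = field(default_factory=list)
    residual_likelihood: str = None
    residual_consequence: str = None
    residual_approved_by_owner: bool = False

    def inherent_level(self):
        # Take the worse of the two consequences so harm to principals is never masked
        worst = max(CONSEQUENCE[self.consequence_org], CONSEQUENCE[self.consequence_principals])
        return LIKELIHOOD[self.likelihood] * worst

    def residual_level(self):
        if self.residual_likelihood is None or self.residual_consequence is None:
            return self.inherent_level()   # untreated: residual equals inherent
        return LIKELIHOOD[self.residual_likelihood] * CONSEQUENCE[self.residual_consequence]


def severity(level):
    """Map a risk level onto the three bands used for reporting."""
    if level >= 15:
        return "high"
    if level > ACCEPTABLE_LEVEL:
        return "medium"
    return "low"


def prioritise(register):
    """5.4.1.2: order risks by inherent level so treatment effort goes to the worst first."""
    return sorted(register, key=lambda r: (-r.inherent_level(), r.risk_id))


def treatment_issues(risk):
    """5.4.1.3: findings a reviewer would raise against this risk's treatment plan."""
    issues = []
    if risk.residual_level() > ACCEPTABLE_LEVEL:
        if not risk.controls:
            issues.append("above acceptance criteria but no controls selected")
        if not risk.residual_approved_by_owner:
            issues.append("residual risk above acceptance criteria without owner sign-off")
    for c in risk.controls:
        if not c.annex_a_ref.startswith("A."):
            issues.append(f"control '{c.name}' not cross-referenced to Annex A")
        if not c.justification:
            issues.append(f"control '{c.name}' has no justification for the SoA")
    return issues


def statement_of_applicability(register):
    """Collect every selected control and its justification, keyed by Annex A reference."""
    soa = {}
    for r in register:
        for c in r.controls:
            entry = soa.setdefault(c.annex_a_ref, {"name": c.name, "justification": c.justification, "risks": []})
            entry["risks"].append(r.risk_id)
    return soa


# Constructed sample register (fictional risks, owners and control choices).
REGISTER = [
    PrivacyRisk("PR-01", "Customer PII copied to an unencrypted analytics bucket", "Head of Data",
                ("C",), "possible", "major", "severe",
                controls=[Control("A.8.24", "Use of cryptography", "PII at rest must be encrypted"),
                          Control("A.8.3", "Information access restriction", "bucket limited to the analytics role")],
                residual_likelihood="unlikely", residual_consequence="moderate"),   # residual 6: acceptable
    PrivacyRisk("PR-02", "HR record backups kept beyond the retention period", "HR Director",
                ("C", "I"), "likely", "moderate", "moderate",
                controls=[Control("A.5.34", "Privacy and protection of PII", "")],  # justification missing
                residual_likelihood="possible", residual_consequence="moderate"),   # residual 9, no sign-off
    PrivacyRisk("PR-03", "Support staff can see full dates of birth", "Support Lead",
                ("C",), "rare", "minor", "moderate"),                                # inherent 3: accept as is
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(r.risk_id, r.inherent_level(), severity(r.inherent_level()),
              "->", r.residual_level(), treatment_issues(r) or "ok")
```

Run as a script, the register prints in priority order: PR-01 is ranked first because the consequence for PII principals (severe) is taken as the deciding factor even though the organisation's own impact is lower, and PR-02 is flagged twice, once because its residual level of 9 exceeds the acceptance criterion without the owner's sign-off and once because the selected control has no justification to carry into the Statement of Applicability.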

ISO 27701 Clause 5.4.2 – Information Security Objectives and Planning to Achieve Them

References ISO 27001 Clause 6.2

Organisational privacy protection objectives should:

  • Be consistent with the organisation’s information security policy.
  • Be measurable, so that progress can be reported and assessed.
  • Take into account applicable requirements and the results of risk assessment and risk treatment.
  • Be communicated to relevant staff and other interested parties.
  • Be updated as appropriate, in the light of operational results and real-world events.
  • Be documented.

Throughout the planning process, organisations need to establish the following for each objective:

  1. What will be done to achieve it.
  2. Any resources that will be required.
  3. Who will be responsible for it, in full or in part.
  4. When it is to be achieved.
  5. How the results will be evaluated.

Supporting Controls From ISO 27001 and GDPR

ISO 27701 clause | ISO 27701 clause name                                        | ISO 27001 requirement                                              | Associated GDPR articles
5.4.1.1          | General                                                      | 6.1.1 – General                                                    | None
5.4.1.2          | Information Security Risk Assessment                         | 6.1.2 – Information Security Risk Assessment                       | Article 32
5.4.1.3          | Information Security Risk Treatment                          | 6.1.3 – Information Security Risk Treatment                        | Article 32
5.4.2            | Information Security Objectives and Planning to Achieve Them | 6.2 – Information Security Objectives and Planning to Achieve Them | None

How ISMS.online Helps

You must create a Privacy Information Management System (PIMS) in order to meet ISO 27701. With our prebuilt PIMS, you can quickly and efficiently organise and handle customer, supplier and employee information to satisfy ISO 27701 requirements.

Privacy assessments can be set up and run with ease, ranging from data protection impact assessments to regulatory or compliance readiness ones.

See our full range of features by booking a demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
