How Clause 5.5 Strengthens Your Privacy Framework

Alongside the implementation of specific policies and the PIMS itself, organisations need to be mindful of how to support and disseminate their broader privacy protection and PIMS-related activities, internally and externally, to ensure continued adherence.

ISO 27701 5.5 addresses the concept of support in four main areas:

  1. Resources – How well placed an organisation is to implement a PIMS from a financial and manpower perspective.
  2. Competence – The skills and proficiencies required to operate within a secure data environment.
  3. Awareness – Ensuring that staff understand both the policies themselves, and what is expected of them.
  4. Communication – How privacy protection activities and events are communicated both within and outside the organisation.

What’s Covered in ISO 27701 Clause 5.5

To articulate the various privacy protection, PII and PIMS-related guidelines, ISO 27701 5.5 relies heavily on the guidance contained within ISO 27001 section 7 (Support).

ISO 27701 5.5 contains four sub-clauses that take each element of organisational support activity in turn:

  • ISO 27701 5.5.1 – Resources (References ISO 27001 Control 7.1)
  • ISO 27701 5.5.2 – Competence (References ISO 27001 Control 7.2)
  • ISO 27701 5.5.3 – Awareness (References ISO 27001 Control 7.3)
  • ISO 27701 5.5.4 – Communication (References ISO 27001 Control 7.4)

Unlike most other clauses in ISO 27701, clause 5.5 doesn’t contain any additional guidance that is applicable to the implementation of a PIMS, nor are any of its sub-clauses relevant to articles contained within GDPR legislation.


ISO 27701 Clause 5.5.1 – Resources

References ISO 27001 Control 7.1

Organisations need to ensure that they have adequate resources to plan, implement and improve a PIMS that meets their stated privacy protection objectives.

ISO 27701 Clause 5.5.2 – Competence

References ISO 27001 Control 7.2

Anyone who works on controls, policies and/or procedures that deal with organisational privacy protection should have the necessary competence to do so.

To safeguard PII and prevent accidental exposure or loss of data, organisations should:

  • Ensure that anyone doing work that has the potential to impact privacy protection and PII has the requisite skillset(s) to do so.
  • Keep in mind three factors that denote an individual’s level of competence:
    • Education.
    • Training.
    • Experience.
  • Take steps to recruit, train and/or otherwise acquire the necessary competence levels.
  • Maintain thorough documentation that is able to demonstrate compliance with the requisite level of competence, as is required by the organisation’s PIMS and/or privacy protection policy.

ISO 27701 Clause 5.5.3 – Awareness

References ISO 27001 Control 7.3

Promoting awareness of a PIMS and organisational privacy protection policy is paramount in ensuring adherence to broader information security and PII objectives.

Individuals doing work that has the potential to impact privacy protection should be explicitly aware of:

  1. The organisation’s privacy protection policy.
  2. Their obligations towards maintaining an efficient and compliant PIMS.
  3. The consequences of wilfully or accidentally bypassing any of the organisation’s privacy protection controls – for themselves, for the organisation and for the data subjects.


ISO 27701 Clause 5.5.4 – Communication

References ISO 27001 Control 7.4

As with most other business functions, efficient communication (both internal and external) should be front and centre of any organisational privacy protection efforts.

When implementing or changing a privacy protection policy or procedure, or making announcements about a PIMS or PII-related matter, organisations should decide:

  • Precisely what needs to be communicated.
  • When to communicate internally and externally (e.g. to a data subject, or group of subjects, following a PII-related event).
  • Who to communicate to (e.g. staff members affected by a policy change).
  • Who from the organisation should be communicating.
  • How to communicate (i.e. what channels or media, and any processes that need to be followed, including initial drafting and approval).

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement             | Associated GDPR Articles
5.5.1                       | Resources             | 7.1 – Resources for ISO 27001     | None
5.5.2                       | Competence            | 7.2 – Competence for ISO 27001    | None
5.5.3                       | Awareness             | 7.3 – Awareness for ISO 27001     | None
5.5.4                       | Communication         | 7.4 – Communication for ISO 27001 | None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to achieve ISO 27701 is substantially reduced.

You will also benefit from a range of powerful time-saving features.

See all our features in action by booking a demo.

Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.