ISO 27701 Clause 5.6 covers operational planning and control: how an organisation plans, implements and controls the processes, controls and procedures needed to run a robust privacy protection programme and its privacy information management system (PIMS).
Operational planning spans a broad range of topics, from structured change management to privacy protection risk assessments and the risk treatment plans that protect PII within the organisation.
ISO 27701 Clause 5.6 features three sub-clauses, each of which relies on the corresponding requirement in ISO 27001 (see the table at the end of this section).
ISO 27701 5.6 contains no additional PIMS-specific implementation guidance beyond these three sub-clauses; it addresses organisational privacy protection more broadly, and none of its sub-clauses maps to a GDPR article.
ISO 27701 Clause 5.6.1 outlines ISO's broader approach to privacy protection planning. Organisations should plan, implement and control any internal procedures or processes that are relevant to privacy protection and to the storage and processing of PII (see ISO 27001 6.1 and 6.2).
ISO also asks organisations to retain documented information sufficient to show that privacy protection processes are carried out as planned and that changes to them are controlled; outsourced processes are in scope and must be identified and controlled in the same way.
Planning also extends to change management. ISO requires organisations to control planned changes, review the consequences of unintended changes, and act to mitigate any adverse effect on PII, whether the change was deliberate or inadvertent.
Organisations need to carry out privacy protection risk assessments at planned intervals and at key points in the operation, such as when a significant change is proposed or occurs, or immediately after a security incident.
As with all PII-related activities, organisations should document each risk assessment thoroughly, both to improve their overall information security operation and to be able to provide sufficient evidence to legal and regulatory authorities should the need arise.
In addition to periodic risk assessments, organisations should implement a privacy protection risk treatment plan and retain documented information of its results. The plan should contain treatments that reduce the likelihood and/or impact of the risks inherent in storing and processing PII.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27001 Requirement | Associated GDPR Articles
---|---|---|---
5.6.1 | Operational Planning and Control | 8.1 – Operational Planning and Control | None
5.6.2 | Information Security Risk Assessment | 8.2 – Information Security Risk Assessment | None
5.6.3 | Information Security Risk Treatment | 8.3 – Information Security Risk Treatment | None