ISO 27701, Clause 5.7 – Performance Evaluation

ISO 27701 Clause 5.7.1 – Monitoring, Measurement, Analysis and Evaluation

References ISO 27001 Control 9.1

Organisations need to constantly monitor and evaluate how they perform from a privacy protection standpoint, and how efficient their PIMS is within the scope of their stated objectives.

In doing so, organisations need to establish:

1. Precisely what areas of their operation require monitoring;
2. How they are going to carry out said monitoring, and the mechanisms they’re going to use to analyse any data obtained;
3. When monitoring activities are to be carried out;
4. What staff members are going to be involved in monitoring activities;
5. The period of time when results are to be analysed, following any monitoring activities.

As with all other privacy protection and PII-related activities, a thorough record of all monitoring activities needs to be kept in the form of official documentation.

ISO 27701 Clause 5.7.2 – Internal Audit

References ISO 27001 Control 9.2

Organisations need to be mindful of their responsibility to their own data and processes, by carrying out planned audits at appropriate intervals.

Audits need to establish:

• Whether the PIMS is in alignment with the organisation’s privacy protection requirements and relevant ISO standards;
• That PIMS has been implemented correctly, and it being adequately maintained.

To achieve these objectives, organisations should:

1. Plan, create and maintain a programme of auditing that takes into account several key details:
• Audit frequency;
• Auditing method;
• Internal roles and responsibilities;
• Pre-implementation and planning requirements;
• Reporting of auditing data.
2. Establish the scope of each individual audit.
3. Reinforce the need for impartiality and an objective approach to data analysis, with whomever has been chosen to conduct the audit, be they internal or external staff.
4. Ensure that auditing results reach the correct internal channels (senior management etc.), so that meaningful actions can be taken to improve the organisation’s information security management system, should the need arise.
5. Keep a thorough record of all auditing activities in the form of documented information.

ISO 27701 Clause 5.7.3 – Management Review

References ISO 27001 Control 9.3

Senior management plays a key role in ensuring the viability and effectiveness of any privacy protection policy or PIMS implementation.

When reviewing organisational adherence to PII-related controls, policies and procedures, management should include:

1. Any actions remaining from the previous review.
2. Any changes to the organisation’s operation that have the potential to impact privacy protection or the processing and/or storage of PII.
3. Feedback from all relevant sources on privacy protection, that includes noticeable trends in:
• Non-adherence and corrective actions;
• Any data obtained from monitoring activities;
• The results of recent audits;
• How the organisation is meeting its stated privacy protection goals.
4. Feedback from any relevant personnel (internal or external).
5. The results of any privacy protection risk assessments, and how they are going to be addressed via a dedicated risk treatment plan.
6. How the organisation intends to develop and improve its privacy protection operation, including any changes that need to be made.

All reviews should be thoroughly documented for future analysis, and to ensure continuity from one review to the next.

Supporting Controls From ISO 27001 and GDPR

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to achieve ISO 27701 is substantially reduced.

You will also benefit from a range of powerful time-saving features.

Explore the benefits with ISMS.online by booking a demo.