ISO 27701, Clause 5.7 – Performance Evaluation

ISO 27701 Controls and Clauses Explained

Part and parcel of operating with a watertight set of privacy protection controls is acknowledging the need to continually monitor, assess and improve organisational adherence to PII-related objectives and legal/regulatory requirements.

ISO 27701 Clause 5.7 sets out a clear set of guidelines that inform organisations on how to assess their own performance and, equally important, how to enact meaningful change so that privacy protection remains at the forefront of their broader information security policy.

What’s Covered in ISO 27701 Clause 5.7

ISO 27701 Clause 5.7 contains three sub-clauses that deal with the three main constituent parts of privacy protection evaluation – monitoring, auditing and review.

Each sub-clause is linked to an accompanying set of information security guidelines from ISO 27001:

  • ISO 27701 5.7.1 – Monitoring, measurement, analysis and evaluation (References ISO 27001 Control 9.1)
  • ISO 27701 5.7.2 – Internal audit (References ISO 27001 Control 9.2)
  • ISO 27701 5.7.3 – Management review (References ISO 27001 Control 9.3)

Clause 5.7 provides no additional guidance on how to apply the performance evaluation requirements in the context of a PIMS, nor any guidance within the scope of GDPR.

ISO 27701 Clause 5.7.1 – Monitoring, Measurement, Analysis and Evaluation

References ISO 27001 Control 9.1

Organisations need to constantly monitor and evaluate how they perform from a privacy protection standpoint, and how effectively their PIMS meets its stated objectives.

In doing so, organisations need to establish:

  1. Precisely what areas of their operation require monitoring;
  2. How they are going to carry out said monitoring, and the mechanisms they’re going to use to analyse any data obtained;
  3. When monitoring activities are to be carried out;
  4. What staff members are going to be involved in monitoring activities;
  5. When the results of those monitoring activities are to be analysed.

As with all other privacy protection and PII-related activities, a thorough record of all monitoring activities needs to be kept in the form of official documentation.

ISO 27701 Clause 5.7.2 – Internal Audit

References ISO 27001 Control 9.2

Organisations need to be mindful of their responsibility for their own data and processes by carrying out planned audits at appropriate intervals.

Audits need to establish:

  • Whether the PIMS is in alignment with the organisation’s privacy protection requirements and relevant ISO standards;
  • That the PIMS has been implemented correctly and is being adequately maintained.

To achieve these objectives, organisations should:

  1. Plan, create and maintain a programme of auditing that takes into account several key details:
    • Audit frequency;
    • Auditing method;
    • Internal roles and responsibilities;
    • Pre-implementation and planning requirements;
    • Reporting of auditing data.
  2. Establish the scope of each individual audit.
  3. Reinforce the need for impartiality and an objective approach to data analysis with whoever has been chosen to conduct the audit, be they internal or external staff.
  4. Ensure that auditing results reach the correct internal channels (senior management etc.), so that meaningful actions can be taken to improve the organisation’s information security management system, should the need arise.
  5. Keep a thorough record of all auditing activities in the form of documented information.

ISO 27701 Clause 5.7.3 – Management Review

References ISO 27001 Control 9.3

Senior management plays a key role in ensuring the viability and effectiveness of any privacy protection policy or PIMS implementation.

When reviewing organisational adherence to PII-related controls, policies and procedures, management should include:

  1. Any actions remaining from the previous review.
  2. Any changes to the organisation’s operation that have the potential to impact privacy protection or the processing and/or storage of PII.
  3. Feedback from all relevant sources on privacy protection, including noticeable trends in:
    • Non-adherence and corrective actions;
    • Any data obtained from monitoring activities;
    • The results of recent audits;
    • How the organisation is meeting its stated privacy protection goals.
  4. Feedback from any relevant personnel (internal or external).
  5. The results of any privacy protection risk assessments, and how they are going to be addressed via a dedicated risk treatment plan.
  6. How the organisation intends to develop and improve its privacy protection operation, including any changes that need to be made.

All reviews should be thoroughly documented for future analysis, and to ensure continuity from one review to the next.

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                             | ISO 27001 Requirement                                     | Associated GDPR Articles
5.7.1                       | Monitoring, Measurement, Analysis and Evaluation | 9.1 – Monitoring, Measurement, Analysis and Evaluation    | None
5.7.2                       | Internal Audit                                   | 9.2 – Internal Audit                                      | None
5.7.3                       | Management Review                                | 9.3 – Management Review                                   | None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to achieve ISO 27701 is substantially reduced.

You will also benefit from a range of powerful time-saving features.

Explore the benefits with ISMS.online by booking a demo.
