ISO 27701, Clause 6.10 – Communications Security

ISO 27701 Controls and Clauses Explained

Book a demo

team,at,work.,group,of,young,business,people,in,smart

Communications security is the bread and butter of most privacy protection operations, including activities that both limit and monitor access to PII and privacy-related assets.

Organisations need to exercise tight control over who and what is able to access security and privacy-related ICT resources through widespread use of secure network controls, service management and segregation.

What’s Covered in ISO 27701 Clause 6.10

ISO 27701 contains three sub-clauses that deal with distinct areas of communication security:

  • ISO 27701 6.10.1.1 – Network controls (ISO 27002 Control 8.20)

  • ISO 27701 6.10.1.2 – Security in network services (ISO 27002 Control 8.21)

  • ISO 27701 6.10.1.3 – Segregation in networks (ISO 27002 Control 8.22)

Each clause contains adjoining information from ISO 27002, with a lengthy set of supporting clauses (particularly within sub-clause 6.10.1.1), as befitting the complex nature of the topic.

ISO offer no additional PIMS or PII-related guidance on the topic of communications security, nor are there any UK GDPR articles to take into account.

Jump to Topic
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.10.1.1 – Network Controls

References ISO 27002 Control 8.20

ISO 27701 clause 6.10.1.1 focuses on two key aspects of network security:

  • Privacy protection

  • Protection from unauthorised access

Organisations should:

  1. Categorise data (including PII) by type and classification.

  2. Ensure that only qualified personnel are asked to maintain networking equipment, in accordance with a clear set of roles and responsibilities.

  3. Keep a record of network diagrams, firmware versions and configuration files of critical devices such as routers, firewalls, WAPs and network switches.

  4. Segregate network responsibilities (see ISO 27002 Control 5.3), including the separation of administrative traffic from standard network traffic.

  5. Adhere to controls that facilitate the safe storage and transfer of data, including all connected applications and systems (see ISO 27002 Controls 5.22, 8.24, 5.14 and 6.6).

  6. Maintain security logs for the whole system, and individual components, as is required (see ISO 27002 Controls 8.16 and 8.15).

  7. Perform network management and administration duties in harmony with other business processes.

  8. Ensure that proper authorisation is sought and granted prior to staff accessing relevant parts of the network.

  9. Utilise traffic restrictions, content filtering and data rules throughout the network, for both incoming and outgoing data.

  10. Ensure that any device that is connected to the network is able to be managed by administrative staff.

  11. Have the ability to segregate and partition critical areas of the network, to ensure business continuity following critical events, including the suspension of network protocols.

Relevant ISO 27002 Controls

  • ISO 27002 5.14

  • ISO 27002 5.22

  • ISO 27002 5.3

  • ISO 27002 6.6

  • ISO 27002 8.15

  • ISO 27002 8.16

  • ISO 27002 8.24

ISO 27701 Clause 6.10.1.2 – Security in Network Services

References ISO 27002 Control 8.21

When considering the broader concept of network service security, there are three main factors to keep in mind:

  • Security features.

  • Service levels.

  • Service requirements.

Organisations should ensure that service providers understand what is expected of them, and are fulfilling their stated obligations on a consistent basis.

Organisations should be able to refer to an unambiguous set of SLAs, and monitor adherence throughout the duration of a service agreement.

References should be sought and obtained from trusted sources, with the end goal of establishing a service provider’s ability to meet the commercial and operational requirements of the organisation.

Security rules should include:

  • Any network services that are allowed to be accessed – including a thorough list of authentication prerequisites.

  • Network management controls that safeguards PII and privacy-related assets against misuse and unauthorised access.

  • Remote and onsite access.

  • The logging of key information about network service access, including access time, access location and device data.

  • Monitoring activities.

Network Service Security

Organisations are presented with various additional security measures that further safeguard the integrity and availability of PII.

Organisations should:

  1. Consider security features such as authentication, encryption and connection controls.

  2. Establish clear guidelines that govern connections to network services.

  3. Allow users to choose the amount of data cached to increase performance and minimise the privacy risks associated with excessive storage.

  4. Restrict access to network services.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

ISO 27701 Clause 6.10.1.3 – Segregation in Networks

References ISO 27002 Control 8.22

To improve the integrity and availability of PII and privacy-related assets, organisations should segregate services, users and systems across their entire network, based upon their unique security requirements and in accordance with a topic-specific approach (see ISO 27002 Control 5.15).

To achieve this, organisations should:

  • Separate domains from any public networks, including the Internet.

  • Segregate areas of the network based upon trust, criticality and sensitivity.

  • Consider distinct operational functions when segregating the network, such as HR, finance and marketing.

  • Segregate using a combination of physical and logical controls.

  • Operate with clearly-defined network perimeters and tightly-controlled gateways.

  • Consider WiFi access in accordance with what is often a loosely-defined network perimeter, with varying access requirements, and to ensure that external traffic passes through a gateway prior to internal access being granted (see ISO 27002 Control 8.20).

  • Segregate guest and employee WiFi access, and place heavy restrictions on guest access to discourage use by personnel.

Relevant ISO 27002 Controls

  • ISO 27002 5.15

  • ISO 27002 8.20

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.10.1.1Network Controls8.20 – Network Security for ISO 27002None
6.10.1.2Security in Network Services8.21 – Security of Network Services for ISO 27002None
6.10.1.3Segregation in Networks8.22 – Segregation of Networks for ISO 27002None

How ISMS.online Help

ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA. Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.

Find out more by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now