Application services, information security requirements and project management activities should be developed alongside any organisational privacy protection efforts to ensure that PII and payment/ordering data are afforded the utmost protection throughout the application and project lifecycle.
ISO 27701 Clause 6.11 contains three sub-clauses that deal with the main elements of systems acquisition, with each clause containing adjoining guidance from controls contained within ISO 27002:
One sub-clause – 6.11.1.2 – contains information that is applicable to elements of UK GDPR legislation, with no further guidance offered on PIMS or PII-related topics.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
Privacy protection procedures should be integrated into project management activities to ensure that PII is protected throughout, and organisational security policies are aligned.
Organisations should ensure that:
Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.
Application security requirements should include:
Transactional services that facilitate the flow of privacy data between the organisation and a third-party organisation, or partner organisation, should:
For any applications that involve electronic ordering and/or payment, organisations should:
See ISO 27701 Clause 6.11.1.2
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.11.1.1 | Information Security Requirements Analysis and Specification | 5.8 – Information Security in Project Management for ISO 27002 | None |
6.11.1.2 | Securing Application Services on Public Networks | 8.26 – Application Security Requirements for ISO 27002 | Articles (5), (32) |
6.11.1.3 | Protecting Application Services Transactions | 8.26 – Application Security Requirements for ISO 27002 | None |
Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.
Find out more by booking a demo.