ISO 27701, Clause 6.11 – Systems Acquisition, Development and Maintenance

Name: ISMS.online
Telephone: +441273041140
Price range: ££
Location: ISMS.online

ISO 27701 Controls and Clauses Explained

business,team,meeting.,photo,professional,investor,working,new,start,up

Application services, information security requirements and project management activities should be developed alongside any organisational privacy protection efforts to ensure that PII and payment/ordering data is afforded the utmost of protection throughout the application and project lifecycle.

What’s Covered in ISO 27701 Clause 6.11

ISO 27701 Clause 6.11 contains three sub-clauses that deal with the main elements of systems acquisition, with each clause containing adjoining guidance from controls contained within ISO 27002:

ISO 27701 6.11.1.1 – Information security requirements analysis and specification (ISO 27002 Control 5.8)

ISO 27701 6.11.1.2 – Securing application services on public networks (ISO 27002 Control 8.26)

ISO 27701 6.11.1.3 – Protecting application services transactions (ISO 27002 Control 8.26)

One sub-clause – 6.11.1.2 – contains information that is applicable elements of UK GDPR legislation, with no further guidance offered on PIMS or PII-related topics.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

Jump to Topic

What’s Involved With Clause 6.11?
What is Clause 6.11.1.1?
What is Clause 6.11.1.2?
What is Clause 6.11.1.3?
Supporting Controls From ISO 27002 & GDPR
How ISMS.online Helps

ISO 27701 Clause 6.11.1.1 – Information Security Requirements Analysis and Specification

References ISO 27002 Control 5.8

Privacy protection procedures should be integrated into project management activities to ensure that PII is protected throughout, and organisational security policies are aligned.

Organisations should ensure that:

Privacy protection risks are considered throughout the project life cycle, especially in the early stages.

The progress of privacy protection risk mitigation is periodically reviewed, with a focus on improving effectiveness and resilience.

Project committees take into account privacy protection controls at appropriate stages of the project.

Roles and responsibilities for privacy protection should be outlined at an early stage.

Any products that are to be delivered as part of the project have a clear set of privacy protection requirements.

Project life cycles (agile, waterfall etc.) reflect the risk requirements of said project throughout any given stage, with an emphasis on privacy protection.

ISO 27701 Clause 6.11.1.2 – Securing Application Services on Public Networks

References ISO 27002 Control 8.26

Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.

Application security requirements should include:

The levels of trust inherent within all network entities (see ISO 27002 Controls 5.17, 8.2 and 8.5).

The classification of data that the application is configured to process (including PII).

Any segregation requirements.

Protection against internal and external attacks, and/or malicious use.

Any prevailing legal, contractual or regulatory requirements.

Robust protection of confidential information.

Data that is ro be protected in-transit.

Any cryptographic requirements.

Secure input and output controls.

Minimal use of unrestricted input fields – especially those that have the potential to store personal data.

The handling of error messages, including clear communication of error codes.

Transactional Services

Transactional services that facilitate the flow of privacy data between the organisation and a third party organisation, or partner organisation, should:

Establish a suitable level of trust between organisational identities.

Include mechanisms that check for trust between established identities (e.g. hashing and digital signatures).

Outline robust procedures that govern what employees are able to manage key transactional documents.

Contain document and transactional management procedures that cover the confidentiality, integrity, proof of dispatch and receipt of key documents and transactions.

Include specific guidance on how to keep transactions confidential.

Electronic Ordering and Payment Applications

For any applications that involve electronic ordering and/or payment, organisations should:

Outline strict requirements for the protection of payment and ordering data.

Verify payment information before an order is placed.

Securely store transactional and privacy-related data in a way that is inaccessible to the public.

Use trusted authorities when implementing digital signatures, with privacy protection in mind at all times.

Applicable GDPR Articles

Article 5 – (1)(f)

Article 32 – (1)(a)

Relevant ISO 27002 Controls

ISO 27002 5.17

ISO 27002 8.2

ISO 27002 8.5

ISO 27701 Clause 6.11.1.3 – Protecting Application Services Transactions

References ISO 27002 Control 8.26

See ISO 27701 Clause 6.11.1.2

ISO 27701 Clause Identifier	ISO 27701 Clause Name	ISO 27002 Control	Associated GDPR Articles
6.11.1.1	Information Security Requirements Analysis and Specification	5.8 – Information Security in Project Management for ISO 27002	None
6.11.1.2	Securing Application Services on Public Networks	8.26 – Application Security Requirements for ISO 27002	Articles (5), (32)
6.11.1.3	Protecting Application Services Transactions	8.26 – Application Security Requirements for ISO 27002	None

How ISMS.online Helps

Our all-in-one-platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.