ISO 27701, Clause 6.15 – Compliance

ISO 27701 Controls and Clauses Explained

Book a demo

office,colleagues,having,casual,discussion,during,meeting,in,conference,room.

Compliance is a vital part of any privacy protection operation – organisations need to be able to demonstrate that they are fulfilling their obligations towards PII, and the systems that are used to store and process privacy-related material.

What’s Covered in ISO 27701 Clause 6.15

ISO 27701 6.15 deals with compliance in two main areas – compliance with legal and contractual requirements, and information security reviews (the latter being the main vehicle to uncover instances of non-compliance, and resolve any privacy-related issues).

  • ISO 27701 6.15.1.1 – Identification of applicable legislation and contractual requirements (ISO 27002 Control 5.31)
  • ISO 27701 6.15.1.2 – Intellectual property rights (ISO 27002 Control 5.32)
  • ISO 27701 6.15.1.3 – Protection of records (ISO 27002 Control 5.33)
  • ISO 27701 6.15.1.4 – Privacy and protection of personally identifiable information (ISO 27002 Control 5.34)
  • ISO 27701 6.15.1.5 – Regulation of cryptographic controls (ISO 27002 Control 5.31)
  • ISO 27701 6.15.2.2 – Compliance with security policies and standards (ISO 27002 Control 5.36)
  • ISO 27701 6.15.2.3 – Technical compliance review (ISO 27002 Control 5.36)

Four sub-clauses contain information that is relevant to UK GDPR legislation – we’ve provided the article references underneath each sub-clause for your convenience:

  • ISO 27701 6.15.1.1
  • ISO 27701 6.15.1.3
  • ISO 27701 6.15.2.1
  • ISO 27701 6.15.2.3

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

ISO 27701 Clause 6.15.1.1 – Identification of Applicable Legislation and Contractual Requirements

References ISO 27002 Control 5.31

Organisations should conform to legal, statutory, regulatory and contractual requirements when:

  • Drafting and/or amending privacy information security procedures.
  • Categorising information.
  • Embarking upon risk assessments relating to privacy information security activities.
  • Forging supplier relationships, including any contractual obligations throughout the supply chain.

Legislative and Regulatory Factors

Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.

Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.

Cryptography

When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:

  • Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function.
  • Provide access to encrypted information under the laws of the jurisdiction they are operating within.
  • Utilise three key elements of encryption:
    • Digital signatures.
    • Seals.
    • Digital certificates.

Applicable GDPR Articles

  • Article 5 – (1)(f)
  • Article 28 – (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g), (3)(h)
  • Article 30 – (2)(d)
  • Article 32 – (1)(b)

Relevant ISO 27002 Controls

  • ISO 27002 5.20

ISO 27701 Clause 6.15.1.2 – Intellectual Property Rights

References ISO 27002 Control 5.32

To safeguard any data, software or assets that could be deemed intellectual property (IP), organisations should:

  • Adhere to a “topic-specific” policy that deals with IP rights, which takes into account IP on a case-by-case basis.
  • Adhere to procedures that define how IP integrity can be maintained whilst utilising organisational software and products.
  • Only utilise reputable sources to acquire software, when purchasing, renting or leasing software and software subscriptions.
  • Retain proof of ownership documentation (electronic or physical).
  • Adhere to software usage limits.
  • Undergo periodic software reviews to avoid utilising any unauthorised or potentially harmful applications.
  • Ensure that software licenses are valid and up to date, and fair use guidelines are being adhered to.
  • Draft procedures that ensure the safe secure and compliant disposal of software assets.
  • (Where commercial recordings are concerned), ensure that no part of the recording is extracted, copied or converted by any unauthorised means.
  • Ensure that textual data is considered alongside digital media.

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.15.1.3 – Protection of Records

References ISO 27002 Control 5.33

Organisations should consider record management across 4 key areas:

  • Authenticity
  • Reliability
  • Integrity
  • Useability

To maintain a functional records system that safeguards PII and privacy-related information, organisations should:

  • Publish guidelines that deal with:
    • Storage.
    • Handling (chain of custody).
    • Disposal.
    • Preventing manipulation.

  • Outline how long each record type should be retained.
  • Observe any laws that deal with record keeping.
  • Adhere to customer expectations in how organisations should handle their records.
  • Destroy records once they’re no longer required.
  • Classify records based on their security risk, e.g:
    • Accounting.
    • Business transactions.
    • Personnel records.
    • Legal

  • Ensure that they are able to retrieve records within an acceptable period of time, if asked to do so by a third party or law enforcement agency.
  • Always adhere to manufacturer guidelines when storing or handling records on electronic media sources.

Applicable GDPR Articles

  • Article 5 – (2)
  • Article 24 – (2)

ISO 27701 Clause 6.15.1.4 – Privacy and Protection of Personally Identifiable Information

References ISO 27002 Control 5.34

Organisations should treat PII as a topic-specific concept that needs to be addressed within the scope of numerous distinct business functions.

First and foremost, organisations should implement policies that cater to three main aspects of PII processing and storage:

  • Preservation
  • Privacy
  • Protection

Organisations should ensure that all employees are aware of their obligations towards handling PII, not merely those that encounter it daily as part of their job.

Privacy Officers

Organisations should appoint a Privacy Officer, whose job it is to provide guidance to employees and third-party organisations on the subject of PII, alongside offering advice to senior management on how to maintain the integrity and availability of privacy information.

ISO 27701 Clause 6.15.1.5 – Regulation of Cryptographic Controls

References ISO 27002 Control 5.31

See ISO 27701 Clause 6.15.1.1

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

ISO 27701 Clause 6.15.2.1 – Independent Review of Information Security

References ISO 27002 Control 5.35

Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.

Reviews should be conducted by:

  • Internal auditors.
  • Independent departmental managers.
  • Specialised third-party organisations.

Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisations own procedures.

Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.

As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:

  • Following amendments to internal policies, laws, guidelines and regulations which affect privacy protection.
  • After major incidents that have impacted upon privacy protection.
  • Whenever a new business is created, or major changes are enacted to the current business.
  • Following the adoption of a new product or service that deals with privacy protection in any way.

Applicable GDPR Articles

  • Article 32 – (1)(d), (2)

ISO 27701 Clause 6.15.2.2 – Compliance With Security Policies and Standards

References ISO 27002 Control 5.36

Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.

Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.

Where compliance issues are discovered, organisations should:

  • Establish the cause.
  • Decide upon a method of corrective action to plug and compliance gaps.
  • Revisit the issue after an appropriate period of time, to ensure the problem is resolved.

It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.

ISO 27701 Clause 6.15.2.3 – Technical Compliance Review

References ISO 27002 Control 5.36

See ISO 27701 Clause 6.15.2.2

Applicable GDPR Articles

  • Article 32 – (1)(d), (2)

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.15.1.1Identification of Applicable Legislation and Contractual Requirements5.31 – Legal, Statutory, Regulatory and Contractual Requirements for ISO 27002Articles (5), (28), (30), (32)
6.15.1.2Intellectual Property Rights5.32 – Intellectual Property Rights for ISO 27002None
6.15.1.3Protection of Records5.33 – Protection of Records for ISO 27002Articles (5), (24)
6.15.1.4Privacy and Protection of Personally Identifiable Information5.34 – Privacy and Protection of PII for ISO 27002None
6.15.1.5Regulation of Cryptographic Controls5.31 – Legal, Statutory, Regulatory and Contractual Requirements for ISO 27002None
6.15.2.1Independent Review of Information Security5.35 – Independent Review of Information Security for ISO 27002Article (32)
6.15.2.2Compliance With Security Policies and Standards5.36 – Compliance With Policies, Rules and Standards for Information Security for ISO 27002None
6.15.2.3Technical Compliance Review5.36 – Compliance With Policies, Rules and Standards for Information Security for ISO 27002Article (32)

How ISMS.online Helps

ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data.

At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey.

We also provide video resources and access to information security professionals to help you integrate standards into your company.

‌Find out more by booking a hands on demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Unsure whether to build or buy?

Discover the best way to achieve ISMS success

Get your free guide

Explore ISMS.online's platform with a self-guided tour - Start Now