ISO 27701, Clause 6.15 – Compliance

ISO 27701 Clause 6.15.1.1 – Identification of Applicable Legislation and Contractual Requirements

References ISO 27002 Control 5.31

Organisations should conform to legal, statutory, regulatory and contractual requirements when:

• Drafting and/or amending privacy information security procedures.
• Categorising information.
• Embarking upon risk assessments relating to privacy information security activities.
• Forging supplier relationships, including any contractual obligations throughout the supply chain.

Legislative and Regulatory Factors

Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.

Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.

Cryptography

When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:

• Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function.
• Provide access to encrypted information under the laws of the jurisdiction they are operating within.
• Utilise three key elements of encryption:
• Digital signatures.
• Seals.
• Digital certificates.

Applicable GDPR Articles

• Article 5 – (1)(f)
• Article 28 – (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g), (3)(h)
• Article 30 – (2)(d)
• Article 32 – (1)(b)

Relevant ISO 27002 Controls

• ISO 27002 5.20

ISO 27701 Clause 6.15.1.2 – Intellectual Property Rights

References ISO 27002 Control 5.32

To safeguard any data, software or assets that could be deemed intellectual property (IP), organisations should:

• Adhere to a “topic-specific” policy that deals with IP rights, which takes into account IP on a case-by-case basis.
• Adhere to procedures that define how IP integrity can be maintained whilst utilising organisational software and products.
• Only utilise reputable sources to acquire software, when purchasing, renting or leasing software and software subscriptions.
• Retain proof of ownership documentation (electronic or physical).
• Adhere to software usage limits.
• Undergo periodic software reviews to avoid utilising any unauthorised or potentially harmful applications.
• Ensure that software licenses are valid and up to date, and fair use guidelines are being adhered to.
• Draft procedures that ensure the safe secure and compliant disposal of software assets.
• (Where commercial recordings are concerned), ensure that no part of the recording is extracted, copied or converted by any unauthorised means.
• Ensure that textual data is considered alongside digital media.

ISO 27701 Clause 6.15.1.3 – Protection of Records

References ISO 27002 Control 5.33

Organisations should consider record management across 4 key areas:

• Authenticity
• Reliability
• Integrity
• Useability

To maintain a functional records system that safeguards PII and privacy-related information, organisations should:

• Publish guidelines that deal with:
• Storage.
• Handling (chain of custody).
• Disposal.
• Preventing manipulation.
• Outline how long each record type should be retained.
• Observe any laws that deal with record keeping.
• Adhere to customer expectations in how organisations should handle their records.
• Destroy records once they’re no longer required.
• Classify records based on their security risk, e.g:
• Accounting.
• Business transactions.
• Personnel records.
• Legal
• Ensure that they are able to retrieve records within an acceptable period of time, if asked to do so by a third party or law enforcement agency.
• Always adhere to manufacturer guidelines when storing or handling records on electronic media sources.

Applicable GDPR Articles

• Article 5 – (2)
• Article 24 – (2)

ISO 27701 Clause 6.15.1.4 – Privacy and Protection of Personally Identifiable Information

References ISO 27002 Control 5.34

Organisations should treat PII as a topic-specific concept that needs to be addressed within the scope of numerous distinct business functions.

First and foremost, organisations should implement policies that cater to three main aspects of PII processing and storage:

• Preservation
• Privacy
• Protection

Organisations should ensure that all employees are aware of their obligations towards handling PII, not merely those that encounter it daily as part of their job.

Privacy Officers

Organisations should appoint a Privacy Officer, whose job it is to provide guidance to employees and third-party organisations on the subject of PII, alongside offering advice to senior management on how to maintain the integrity and availability of privacy information.

ISO 27701 Clause 6.15.1.5 – Regulation of Cryptographic Controls

References ISO 27002 Control 5.31

See ISO 27701 Clause 6.15.1.1

ISO 27701 Clause 6.15.2.1 – Independent Review of Information Security

References ISO 27002 Control 5.35

Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.

Reviews should be conducted by:

• Internal auditors.
• Independent departmental managers.
• Specialised third-party organisations.

Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisations own procedures.

Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.

As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:

• Following amendments to internal policies, laws, guidelines and regulations which affect privacy protection.
• After major incidents that have impacted upon privacy protection.
• Whenever a new business is created, or major changes are enacted to the current business.
• Following the adoption of a new product or service that deals with privacy protection in any way.

Applicable GDPR Articles

• Article 32 – (1)(d), (2)

ISO 27701 Clause 6.15.2.2 – Compliance With Security Policies and Standards

References ISO 27002 Control 5.36

Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.

Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.

Where compliance issues are discovered, organisations should:

• Establish the cause.
• Decide upon a method of corrective action to plug and compliance gaps.
• Revisit the issue after an appropriate period of time, to ensure the problem is resolved.

It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.

ISO 27701 Clause 6.15.2.3 – Technical Compliance Review

References ISO 27002 Control 5.36

See ISO 27701 Clause 6.15.2.2

Applicable GDPR Articles

• Article 32 – (1)(d), (2)

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data.

At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey.

We also provide video resources and access to information security professionals to help you integrate standards into your company.

‌Find out more by booking a hands on demo.