ISO 27701, Clause 6.2 – Information Security Policies

ISO 27701 Controls and Clauses Explained

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

Privacy protection policies provide an operational framework for organisations to conduct themselves as a responsible data controller, and educate staff on their daily obligations where PII is concerned.

Policy documentation needs to be endorsed by Senior Management and communicated to staff so that everyone in the organisation works towards the same set of PII-related guiding principles.

What’s Covered in ISO 27701 Clause 6.2

ISO 27701 6.2 contains two sub-clauses that provide specific privacy protection guidance:

  • ISO 27701 6.2.1.1 – Policies for information security (References ISO 27002 Control 5.1)
  • ISO 27701 6.2.1.2 – Review of the policies for information security (References ISO 27002 Control 5.1)

As with other clauses in the standard, ISO 27701 clause 6.2 refers back to ISO 27002 when outlining how organisations should handle PII and PIMS-related information.

The wording of ISO 27701 6.2 contains references to ISO 27002:2013, but this standard has now been replaced with a more up-to-date version – ISO 27002:2022. Where references are made to clauses within ISO 27002:2013, we’ve cross-referenced citations with their updated versions in ISO 27002:2022.

To this effect, ISO 27701 6.2 is linked with two standards from ISO 27002:2013 (5.1.1 and 5.1.2) which have been merged into one single standard within ISO 27002:2022 (5.1).

Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.2.1.1 – Policies for Information Security

References ISO 27002 Control 5.1

ISO advocates for a dual-fronted approach to organisational privacy protection that includes:

  • A general privacy protection policy.
  • Topic-specific privacy protection policies.

Both types of policy can either be combined into one document, or separated out as the organisation sees fit.

Policies should be disseminated to all relevant staff members (and external personnel, if needs be), to ensure ongoing adherence with internal and external privacy protection requirements.

Anyone who receives a policy should be asked to confirm, preferably in writing, that they both understand what is being asked of them, and are willing to comply.

Policies should be reviewed when changes are made to:

  1. Business strategy.
  2. Operational practices/technical environments.
  3. Any laws (including GDPR), regulatory stipulations or general PII-related guidelines that the organisation has a responsibility to adhere to.
  4. Privacy protection risk levels and the prevailing/projected threat landscape.

Topic-Specific Policies

A topic-specific approach to privacy protection gives organisation’s the freedom to deal with individual elements of their data processing/information security operation on a topic-by-topic basis, with a distinct policy for each.

Topic-specific areas can include ICT functions such as access control, network security, BUDR planning and encryption processes.

Each topic-specific policy should be created in alignment to the organisation’s overarching privacy protection policy, and be drafted by departmental individuals (not necessarily Senior Management) who hold the relevant level of expertise and competence in the area for consideration.

General Privacy Protection Policies

Senior management should establish a top-level privacy protection policy that clearly outlines the processes and practical steps that will be taken in order to safeguard PII. Organisational privacy protection policies should contain information from, and remain relevant to:

  • The overall business strategy.
  • Any prevailing regulatory, legal or contractual requirements.
  • Any clear and present privacy protection risks.

Privacy protection policies should define the organisation’s:

  1. Operational definition of privacy protection.
  2. Stated privacy protection goals.
  3. Broader set of governing principles relating to the protection of PII.
  4. Commitment towards meeting their PII-related objectives, and improving them on an ongoing basis.
  5. Approach to delegating responsibility for all or part of the privacy protection policy to the relevant role types.
  6. Approach to dealing with exceptions to the policy.
  7. Plans for Senior Management to review and approve changes.

Additional PII-Specific Guidance

Organisations should implement policies and procedures that specifically deal with any prevailing PII-related legislation, regulatory guidelines or contractual agreements. Where third-party organisations are involved, policies should clearly outline PII responsibilities on both sides.

Applicable GDPR Articles

  • Article 24 – (24)(2)

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 6.2.1.2 – Review of the Policies for Information Security

References ISO 27002 Control 5.1

ISO 27701 clause 6.2.1.2 contains precisely the same guidance as ISO 27701 clause 6.2.1.1, without any additional PII-related requirements.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.2.1.1Policies for Information Security5.1 – Policies for Information Security for ISO 27002Article (24)
6.2.1.2Review of the Policies for Information Security5.1 – Policies for Information Security for ISO 27002None

How ISMS.online Helps

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!

Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.

Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.

Find out more and get a hands on demonstration by booking a demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Streamline your workflow with our new Jira integration! Learn more here.