Key Elements of Clause 6.2: Policy Framework for PII Protection
Privacy protection policies provide an operational framework for organisations to conduct themselves as a responsible data controller, and educate staff on their daily obligations where PII is concerned.
Policy documentation needs to be endorsed by Senior Management and communicated to staff so that everyone in the organisation works towards the same set of PII-related guiding principles.
What’s Covered in ISO 27701 Clause 6.2
ISO 27701 6.2 contains two sub-clauses that provide specific privacy protection guidance:
- ISO 27701 6.2.1.1 – Policies for information security (References ISO 27002 Control 5.1)
- ISO 27701 6.2.1.2 – Review of the policies for information security (References ISO 27002 Control 5.1)
As with other clauses in the standard, ISO 27701 clause 6.2 refers back to ISO 27002 when outlining how organisations should handle PII and PIMS-related information.
The wording of ISO 27701 6.2 contains references to ISO 27002:2013, but this standard has now been replaced with a more up-to-date version – ISO 27002:2022. Where references are made to clauses within ISO 27002:2013, we’ve cross-referenced citations with their updated versions in ISO 27002:2022.
To this effect, ISO 27701 6.2 is linked with two controls from ISO 27002:2013 (5.1.1 and 5.1.2), which have been merged into a single control within ISO 27002:2022 (5.1).
ISO 27701 Clause 6.2.1.1 – Policies for Information Security
References ISO 27002 Control 5.1
ISO advocates for a dual-fronted approach to organisational privacy protection that includes:
- A general privacy protection policy.
- Topic-specific privacy protection policies.
Both types of policy can either be combined into one document, or separated out as the organisation sees fit.
Policies should be disseminated to all relevant staff members (and external personnel, if need be), to ensure ongoing adherence to internal and external privacy protection requirements.
Anyone who receives a policy should be asked to confirm, preferably in writing, that they both understand what is being asked of them, and are willing to comply.
Policies should be reviewed when changes are made to:
- Business strategy.
- Operational practices/technical environments.
- Any laws (including GDPR), regulatory stipulations or general PII-related guidelines that the organisation has a responsibility to adhere to.
- Privacy protection risk levels and the prevailing/projected threat landscape.
Topic-Specific Policies
A topic-specific approach to privacy protection gives organisations the freedom to deal with individual elements of their data processing/information security operation on a topic-by-topic basis, with a distinct policy for each.
Topic-specific areas can include ICT functions such as access control, network security, BUDR (backup and disaster recovery) planning and encryption processes.
Each topic-specific policy should be created in alignment with the organisation’s overarching privacy protection policy, and be drafted by departmental individuals (not necessarily Senior Management) who hold the relevant level of expertise and competence in the area under consideration.
General Privacy Protection Policies
Senior management should establish a top-level privacy protection policy that clearly outlines the processes and practical steps that will be taken in order to safeguard PII. Organisational privacy protection policies should contain information from, and remain relevant to:
- The overall business strategy.
- Any prevailing regulatory, legal or contractual requirements.
- Any clear and present privacy protection risks.
Privacy protection policies should define the organisation’s:
- Operational definition of privacy protection.
- Stated privacy protection goals.
- Broader set of governing principles relating to the protection of PII.
- Commitment towards meeting their PII-related objectives, and improving them on an ongoing basis.
- Approach to delegating responsibility for all or part of the privacy protection policy to the relevant role types.
- Approach to dealing with exceptions to the policy.
- Plans for Senior Management to review and approve changes.
Additional PII-Specific Guidance
Organisations should implement policies and procedures that specifically deal with any prevailing PII-related legislation, regulatory guidelines or contractual agreements. Where third-party organisations are involved, policies should clearly outline PII responsibilities on both sides.
Applicable GDPR Articles
- Article 24 – (24)(2)
ISO 27701 Clause 6.2.1.2 – Review of the Policies for Information Security
References ISO 27002 Control 5.1
ISO 27701 clause 6.2.1.2 contains precisely the same guidance as ISO 27701 clause 6.2.1.1, without any additional PII-related requirements.
Supporting Controls From ISO 27002 and GDPR
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles
---|---|---|---
6.2.1.1 | Policies for Information Security | 5.1 – Policies for Information Security for ISO 27002 | Article (24)
6.2.1.2 | Review of the Policies for Information Security | 5.1 – Policies for Information Security for ISO 27002 | None
How ISMS.online Helps
It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!
Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.
Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.
Find out more and get a hands-on demonstration by booking a demo.