ISO 27701, Clause 6.2 – Information Security Policies

ISO 27701 Clause 6.2.1.1 – Policies for Information Security

References ISO 27002 Control 5.1

ISO advocates for a dual-fronted approach to organisational privacy protection that includes:

• A general privacy protection policy.
• Topic-specific privacy protection policies.

Both types of policy can either be combined into one document, or separated out as the organisation sees fit.

Policies should be disseminated to all relevant staff members (and external personnel, if needs be), to ensure ongoing adherence with internal and external privacy protection requirements.

Anyone who receives a policy should be asked to confirm, preferably in writing, that they both understand what is being asked of them, and are willing to comply.

Policies should be reviewed when changes are made to:

1. Business strategy.
2. Operational practices/technical environments.
3. Any laws (including GDPR), regulatory stipulations or general PII-related guidelines that the organisation has a responsibility to adhere to.
4. Privacy protection risk levels and the prevailing/projected threat landscape.

Topic-Specific Policies

A topic-specific approach to privacy protection gives organisation’s the freedom to deal with individual elements of their data processing/information security operation on a topic-by-topic basis, with a distinct policy for each.

Topic-specific areas can include ICT functions such as access control, network security, BUDR planning and encryption processes.

Each topic-specific policy should be created in alignment to the organisation’s overarching privacy protection policy, and be drafted by departmental individuals (not necessarily Senior Management) who hold the relevant level of expertise and competence in the area for consideration.

General Privacy Protection Policies

Senior management should establish a top-level privacy protection policy that clearly outlines the processes and practical steps that will be taken in order to safeguard PII. Organisational privacy protection policies should contain information from, and remain relevant to:

• The overall business strategy.
• Any prevailing regulatory, legal or contractual requirements.
• Any clear and present privacy protection risks.

Privacy protection policies should define the organisation’s:

1. Operational definition of privacy protection.
2. Stated privacy protection goals.
3. Broader set of governing principles relating to the protection of PII.
4. Commitment towards meeting their PII-related objectives, and improving them on an ongoing basis.
5. Approach to delegating responsibility for all or part of the privacy protection policy to the relevant role types.
6. Approach to dealing with exceptions to the policy.
7. Plans for Senior Management to review and approve changes.

Additional PII-Specific Guidance

Organisations should implement policies and procedures that specifically deal with any prevailing PII-related legislation, regulatory guidelines or contractual agreements. Where third-party organisations are involved, policies should clearly outline PII responsibilities on both sides.

Applicable GDPR Articles

• Article 24 – (24)(2)

ISO 27701 Clause 6.2.1.2 – Review of the Policies for Information Security

References ISO 27002 Control 5.1

ISO 27701 clause 6.2.1.2 contains precisely the same guidance as ISO 27701 clause 6.2.1.1, without any additional PII-related requirements.

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in!

Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701.

Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.

Find out more and get a hands on demonstration by booking a demo.