Placing access restrictions upon business-critical tasks, assets and procedures is a fundamental aspect both of protecting PII and of ensuring that privacy-related applications and systems are free from corruption, misuse or deletion.
ISO 27701 6.6.4 outlines a variety of measures – from authentication controls through to source code management and the use of privileged utility programs – that allow organisations to exercise granular control over who and what is allowed to access their network, and through what means.
ISO 27701 6.6.4 contains five sub-clauses that deal with the above topics. Each sub-clause contains guidance drawn from a variety of sub-clauses within ISO 27002, but delivered within the context of PII security and privacy protection:
Sub-clause 6.6.4.2 contains further guidance on applicable articles within UK GDPR legislation (Article 5 [1][f]).
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
To control PII and privacy-related information, and in support of access restriction measures, organisations should:
ISO advocates a dynamic approach to information access that extends to PII and privacy systems.
Dynamic access management allows organisations to share or use internal data with external users, to effect faster incident resolution times (a key requirement of PII-related incidents).
Organisations should consider implementing dynamic access management when:
Dynamic access management should protect data by:
PII and privacy-related assets need to be stored on a network that features a range of authentication controls, including:
To prevent and minimise the risk of unauthorised access to PII, organisations should:
Authentication details should be distributed and managed so that:
Any personnel who use organisational authentication information should ensure that:
Organisations should implement a password management system that:
To safeguard PII and improve organisational privacy protection efforts, passwords should follow four guiding principles:
Organisations should also consider the use of authentication protocols such as Single Sign-On (SSO) to improve password security, but such measures should only be considered alongside the organisation's unique technical and operational requirements.
To protect PII and privacy-related assets – and simultaneously improve network integrity – organisations should:
Access to source code and development tools should be tightly controlled, so that privacy-related applications are not compromised and PII is not exposed to public viewing or any other form of unauthorised access.
Source code and ‘associated items’ include:
Development tools include:
ISO recommends that organisations store and manage source code via a dedicated ‘source code management system’ that protects IP, code and development tools and manages access to restricted material. Source code should be managed with varying degrees of read and write access, granted according to an individual’s job role.
To prevent corruption and safeguard the PIMS, PII and privacy-related information and assets, organisations should:
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles
---|---|---|---
6.6.4.1 | Information Access Restriction | 8.3 – Information Access Restriction for ISO 27002 | None
6.6.4.2 | Secure Authentication | 8.5 – Secure Authentication for ISO 27002 | Article 5(1)(f)
6.6.4.3 | Authentication Information | 5.17 – Authentication Information for ISO 27002 | None
6.6.4.4 | Use of Privileged Utility Programs | 8.18 – Use of Privileged Utility Programs for ISO 27002 | None
6.6.4.5 | Access to Source Code | 8.4 – Access to Source Code for ISO 27002 | None
ISO 27701 shows you how to build a Privacy Information Management System that complies with most privacy regulations, including the EU’s GDPR, BS 10012 and South Africa’s POPIA.
Our simplified, secure, sustainable software helps you easily follow the approach outlined by the internationally recognised standard.
Our all-in-one platform ensures your privacy work aligns with and meets the needs of each section of the ISO 27701 standard. And because it’s regulation agnostic, you can map it onto any regulation you need to.