Alongside ‘logical’ controls – software based access restrictions and server-based administrative functions, ISO also places a great deal of emphasis on the role that equipment security has to play in protection PII and privacy-related assets.
Organisations need to consider a wide range of factors, from BYOD protocols, to the location of privacy assets, how users behave when accessing them, how kit is removed and clear desk/screen policies.
ISO 27701 clause 6.8.2 is a far-reaching clause that covers many different aspects of equipment control and security.
There are 9 sub-clauses to consider, with each one containing guidance notes from an accompanying clause in ISO 27002, applied within the context of privacy protection:
ISO offers no further guidance regarding the implementation or maintenance of a PIMS, and just two sub-clauses (6.8.2.9 and 6.8.2.7) contain information that needs to be considered alongside UK GDPR legislation.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
In order to minimise the risk to PII and privacy-related assets, that may be exposed to loss or unauthorised access due to damage, organisations should:
It’s important to protect PII processing facilities from any disruptions or incidents emanating from what ISO deem as “supporting utilities” (electricity, gas, water, sewage etc).
To minimise the risk to PII, organisations should:
Book a tailored hands-on session based on your needs and goals.
PII is largely transmitted via cables. As such, organisations should put into place cable security controls that protection privacy-related information from interception and/or loss.
Cabling security is a highly specialised field, and organisations should seek expert advice where applicable. That being said, there are a few basic governing principles to adhere to.
Organisations should:
Where business critical and commercially sensitive information is concerned, there are a number of additional controls that organisations should consider:
To prevent unauthorised access to PII – or damage to any privacy-related assets – organisations should maintain all equipment in accordance with the manufacturers guidelines, including:
When developing policies that govern the removal of media assets that store PII, organisations should:
When re-purposing, re-using or disposing of storage media, organisations should:
Book a tailored hands-on session
based on your needs and goals
Book your demo
Organisations will sometimes need to sanction the use of offsite devices, that in turn have the potential to access PII and/or privacy-related information – including BYOD devices.
When managing any device that either stores or actively uses PII in a location other than officially designated sites, organisations should:
It’s sometimes necessary for an organisation to install permanent fixed assets, outside of their premises or office facilities. Such equipment includes:
When installing such kit, organisations should consider:
PII and privacy-related information is particularly at risk when the need arises to either dispose of, or re-purpose storage and processing assets – either internally, or in partnership with a specialised third-party provider.
Above all, organisations need to ensure that any storage media marked for disposal, that has contained PII, should be physically destroyed, wiped or over-written (see ISO 27002 controls 7.10 and 8.10).
To prevent PII becoming compromised in any way, when disposing of or re-using assets, organisations should:
Book a tailored hands-on session
based on your needs and goals
Book your demo
Organisations should implement topic-specific policies that deal with different categories of endpoint devices, with a focus on improving privacy protection and PII security.
Organisations should draft policies and procedures that take into account:
Offsite device users should be continually aware of any policies and procedures that apply to them, as offsite users.
As a general set of principles, users should:
Organisations who allow personnel to use their own personal devices should also consider:
When considering how to manage WiFi connectivity for offsite devices, organisations should:
PII and privacy related-information is particularly at risk when careless staff and third-party contractors fail to adhere to workplace security measures that protect against the accidental or deliberate viewing of PII by unauthorised personnel.
Organisations should draft topic-specific clear desk and clear screen policies (on a workspace-by-workspace basis if needs be) that includes:
When organisations collectively leave premises – such as during an office move or similar relocation – efforts should me made to ensure that no documentation is left behind, either in desks and filing systems, or any that may have fallen into obscure places.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.8.2.1 | Equipment Siting and Protection | 7.8 – Equipment Siting and Protection for ISO 27002 | None |
6.8.2.2 | Supporting Utilities | 7.11 – Supporting Utilities for ISO 27002 | None |
6.8.2.3 | Cabling Security | 7.12 – Cabling Security for ISO 27002 | None |
6.8.2.4 | Equipment Maintenance | 7.13 – Equipment Maintenance for ISO 27002 | None |
6.8.2.5 | Removal of Assets | 7.10 – Storage Media for ISO 27002 | None |
6.8.2.6 | Security of Equipment and Assets Off-Premises | 7.9 – Security of Assets Off-Premises for ISO 27002 | None |
6.8.2.7 | Secure Disposal or Re-Use of Equipment | 7.14 – Secure Disposal or Re-Use of Equipment for ISO 27002 | Article (5) |
6.8.2.8 | Unattended User Equipment | 8.1 – User Endpoint Devices for ISO 27002 | None |
6.8.2.9 | Clear Desk and Clear Screen Policy | 7.7 – Clear Desk and Clear Screen for ISO 27002 | Article (5) |
We make ROPA easy
We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.
Assessment templates for you
It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.
We have a built in risk bank
We’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.
Book a demo today and find out how we can help your organisation achieve ISO 27701.
It helps drive our behaviour in a positive way that works for us
& our culture.