ISO 27701, Clause 6.8.2 – Equipment

ISO 27701 Clause 6.8.2.1 – Equipment Siting and Protection

References ISO 27002 Control 7.8

In order to minimise the risk to PII and privacy-related assets, that may be exposed to loss or unauthorised access due to damage, organisations should:

• Place equipment appropriately – including privacy processing assets and facilities – to prevent the need for unauthorised personnel to access restricted areas.
• Minimise the risk of accidental or deliberate viewing of restricted material (especially PII).
• Reduce the risk of environmental or physical threats (e.g. theft, fire, flood).
• Set our clear rules that deal with eating, smoking or drinking near privacy-related assets and information.
• Ensure that privacy-related assets are kept in environments with suitable levels of heat and humidity.
• Implement lightning protection controls.
• Implement ad-hoc measures for privacy-related assets held in production areas (dust shields, secure housing, electromagnetic shielding etc).
• Segregate organisational and non-organisational privacy processing facilities.

ISO 27701 Clause 6.8.2.2 – Supporting Utilities

References ISO 27002 Control 7.11

It’s important to protect PII processing facilities from any disruptions or incidents emanating from what ISO deem as “supporting utilities” (electricity, gas, water, sewage etc).

To minimise the risk to PII, organisations should:

• Always adhere to the utility providers recommendations when configuring equipment onsite.
• Carry out periodic audits of utilities to ensure that they meet the operational and financial needs of the organisation, and accommodate the provision of all other utilities.
• Regularly test utilities to ensure business continuity, and raise any concerns with the utility provider directly.
• Ensure that utilities benefit from multiple feeds and ‘diverse routing’.
• Maintain a system that separates utilities on their own internal network from PII processing facilities, where such facilities require LAN access, and only providing them WAN access if explicitly required.
• Provide emergency utility services – such as emergency lighting, phone equipment with a dedicated circuit that’s redundant from the main comms system, emergency contact numbers and easily accessible emergency exits.
• Explore the prospect of receiving multiple routers per utility provider.

ISO 27701 Clause 6.8.2.3 – Cabling Security

References ISO 27002 Control 7.12

PII is largely transmitted via cables. As such, organisations should put into place cable security controls that protection privacy-related information from interception and/or loss.

Cabling security is a highly specialised field, and organisations should seek expert advice where applicable. That being said, there are a few basic governing principles to adhere to.

General Guidance

Organisations should:

• Run power and communication cabling underground.
• Ensure that overground cabling is protected by measures such as adequate trunking, floor housing and utility poles.
• Separate power cables from network and communication cables, to prevent interference.
• Ensure that cables are given labels at each end, to help with maintenance and connection activities.

Critical Systems

Where business critical and commercially sensitive information is concerned, there are a number of additional controls that organisations should consider:

• Armoured equipment, including alarms and secure rooms at cable termination points, including controlled and logged access.
• Electromagnetic shielding.
• Increased physical inspections.

ISO 27701 Clause 6.8.2.4 – Equipment Maintenance

References ISO 27002 Control 7.13

To prevent unauthorised access to PII – or damage to any privacy-related assets – organisations should maintain all equipment in accordance with the manufacturers guidelines, including:

• Adhering to a robust maintenance schedule, carried out by trained and authorised personnel.
• Logging all faults – including any suspected malfunctions.
• Where appropriate, subjecting external maintenance personnel to a non-disclosure agreement.
• Ensuring that third-party maintenance contractors are suitable supervised when performing their duties onsite.
• Exercising close control over remote maintenance functions, especially those carried out by third-party personnel.

ISO 27701 Clause 6.8.2.5 – Removal of Assets

References ISO 27002 Control 7.10

Removable Storage Media

When developing policies that govern the removal of media assets that store PII, organisations should:

• Monitor the transfer of PII onto storage media, for any purpose.
• Develop topic-specific policies based upon specific role requirements.
• Ensure that authorisation is sought and granted, before personnel are able to remove storage media from the network.
• Store media in accordance with the manufacturers specifications.
• Ensure that media is free from any environmental damage.
• Consider using encryption methods, and implementing additional physical security measures.
• Minimise the risk of PII becoming corrupted by transferring information between storage media to a set of best-practice guidelines.
• Introduce redundancy by storing PII on multiple assets at the same time.
• Only use storage media on approved inputs (e.g. SD cards and USB ports).
• Consider inherent risks when transferring PII between storage media, or when moving assets between personnel or premises (see ISO 27002 control 5.14).

Re-purposing And/or Disposal of Assets

When re-purposing, re-using or disposing of storage media, organisations should:

• Format storage media, and ensure that all PII is documented and removed before re-use (see ISO 27002 control 8.10).
• Securely dispose of any media that the organisation has no further use for, and has been used to store PII.
• (If disposal requires involvement of a third-party) take great care to ensure they are a fit and proper partner, in-line with the organisation’s responsibility towards PII and privacy protection.
• Implement procedures that identify storage media that’s available for re-purposing, or can be safely disposed of.

Relevant ISO 27002 Controls

• ISO 27002 5.14
• ISO 27002 8.10

ISO 27701 Clause 6.8.2.6 – Security of Equipment and Assets Off-Premises

References ISO 27002 Control 7.9

Organisations will sometimes need to sanction the use of offsite devices, that in turn have the potential to access PII and/or privacy-related information – including BYOD devices.

Temporary Offsite Equipment

When managing any device that either stores or actively uses PII in a location other than officially designated sites, organisations should:

• Ask all personnel to not leave such devices unattended in public places.
• Ensure that manufacturers guidelines are being adhered to, especially any concerning device security and environmental protection.
• Keep an accurate and up-to-date log of how offsite devices are passed between personnel, should the need arise.
• (For organisational assets) require proper authorisation before equipment is removed from the premises, and keeping a log of all such activities (see ISO 27002 control 5.14).
• Ask personnel to mindful of how they use assets in public places, to prevent the unauthorised viewing of PII and privacy-related material.
• Use GPS technology and remote management to keep track of offsite devices, whilst retaining the ability to remotely wipe them.

Permanent Offsite Equipment

It’s sometimes necessary for an organisation to install permanent fixed assets, outside of their premises or office facilities. Such equipment includes:

• ATMs.
• Communication antennas.
• Radio equipment.

When installing such kit, organisations should consider:

• Around-the-clock monitoring (either in-person or via CCTV) (see ISO 27002 control 7.4).Environmental protection (ISO 27002 control 7.5).
• Software-based access controls.

Relevant ISO 27002 Controls

• ISO 27002 5.14
• ISO 27002 7.4

ISO 27701 Clause 6.8.2.7 – Secure Disposal or Re-Use of Equipment

References ISO 27002 Control 7.14

PII and privacy-related information is particularly at risk when the need arises to either dispose of, or re-purpose storage and processing assets – either internally, or in partnership with a specialised third-party provider.

Above all, organisations need to ensure that any storage media marked for disposal, that has contained PII, should be physically destroyed, wiped or over-written (see ISO 27002 controls 7.10 and 8.10).

To prevent PII becoming compromised in any way, when disposing of or re-using assets, organisations should:

• Ensure that all labels are either removed or amended, as necessary – especially those which indicate the presence of PII.
• Remove all physical and logical security controls, when decommissioning facilities or moving premises, with a view to re-using them in a new location.

Relevant ISO 27002 Controls

• ISO 27002 7.10
• ISO 27002 8.10

Applicable GDPR Articles

• Article 5 – (1)(f)

ISO 27701 Clause 6.8.2.8 – Unattended User Equipment

References ISO 27002 Control 8.1

Organisations should implement topic-specific policies that deal with different categories of endpoint devices, with a focus on improving privacy protection and PII security.

Organisations should draft policies and procedures that take into account:

• The existence of PII on an organisation’s network.
• How devices are initially registered and subsequently identified.
• Physical protection controls.
• Restrictions on software installation.
• Remote management.
• User access controls.
• Cryptography.
• Anti malware platforms.
• Backup and disaster recovery.
• Browsing restrictions and content filtering.
• User analytics (see ISO 27002 control 8.16).
• Removable storage and associated devices.
• Device-based data segregation – i.e. creating a barrier between organisational and personal data.
• Contingency plans for lost or stolen devices.

User Responsibilities

Offsite device users should be continually aware of any policies and procedures that apply to them, as offsite users.

As a general set of principles, users should:

• Close working/remote sessions when they’re no longer in use.
• Adhere to physical and logical protection measures.
• Be mindful of their physical surroundings when accessing PII or privacy-related information (i.e. avoiding ‘shoulder surfing’ in public areas).

Bring Your Own Device (BYOD) Protocols

Organisations who allow personnel to use their own personal devices should also consider:

• Installing software that assists in the separation of business and personal data.
• Enforcing a BYOD policy that includes:
• Acknowledgement of organisational ownership of PII.
• Physical and digital protection measures (see above).
• Remote deletion of data.
• Any measures that ensure alignment with PII legislation and regulatory guidance.
• IP rights, concerning company ownership of anything that has been produced on a personal device.
• Organisational access to the device – either for privacy protection purposes, or to comply with an internal or external investigation.
• EULAs and software licensing that may be affected by the use of commercial software on a privately owned device.

WiFi Guidelines

When considering how to manage WiFi connectivity for offsite devices, organisations should:

• Carefully consider how devices are able to connect to wireless networks (i.e. avoiding any unsecured networks whilst using PII).
• Ensure that WiFi have sufficient capacity to facilitate backups, cater for maintenance activities and process data without any major impediment to device performance and data security.

Relevant ISO 27002 Controls

• ISO 27002 8.9
• ISO 27002 8.16

ISO 27701 Clause 6.8.2.9 – Clear Desk and Clear Screen Policy

References ISO 27002 Control 7.7

PII and privacy related-information is particularly at risk when careless staff and third-party contractors fail to adhere to workplace security measures that protect against the accidental or deliberate viewing of PII by unauthorised personnel.

Organisations should draft topic-specific clear desk and clear screen policies (on a workspace-by-workspace basis if needs be) that includes:

• Hiding from casual view, locking away or securely storing PII and privacy-related information, when such data material isn’t required.
• Physical locking mechanisms on ICT assets.
• Digital access controls – such as display timeouts, password protected screen savers and automatic log-out facilities.
• Secure printing and immediate document collection.
• Secure, locked storage of sensitive documentation, and proper disposal of such material when they are no longer required (shredding, third-party disposal services etc.).
• Being mindful of message previews (email, SMS, calendar reminders) that may provide access to sensitive data; whenever a screen is being shared or viewed in a public place.
• Clearing physical displays (e.g. whiteboards and noticeboards) of sensitive information, when no longer required.

When organisations collectively leave premises – such as during an office move or similar relocation – efforts should me made to ensure that no documentation is left behind, either in desks and filing systems, or any that may have fallen into obscure places.

Applicable GDPR Articles

• Article 5 – (1)(f)

Supporting Controls From ISO 27002 and GDPR

How ISMS.online Helps

We make ROPA easy

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

Assessment templates for you

It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.

We have a built in risk bank

We’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.

Book a demo today and find out how we can help your organisation achieve ISO 27701.