Even within the most robust and watertight of networks, failures and intrusions can and do happen.
Organisations need to assume that critical scenarios can occur at any time, and must protect PII from intrusion while guaranteeing business continuity through versatile and clearly understood backup and disaster recovery (BUDR) procedures.
ISO 27701 clause 6.9.2 contains two sub-clauses that provide guidance on antimalware techniques and on BUDR functions.
Both clauses are linked to information contained within ISO 27002, with guidance offered within the scope of PII and privacy protection (see the clause mapping table below).
ISO 27701 6.9.3.1 features guidance points that are relevant to several articles contained within UK GDPR legislation (a summary is provided for your convenience), together with extensive additional guidance on how organisations should approach both backing up and restoring PII.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.
To protect PII and privacy-related assets, organisations need to deploy a range of antimalware techniques and platforms, including:
Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.
BUDR procedures should be drafted to achieve the primary goal of ensuring that all business-critical data, software and systems can be recovered following data loss, intrusion, business interruption and critical failures.
As a priority, BUDR plans should:
Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).
Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new backup job is created, existing jobs are amended or new PII is added to the BUDR routine.
Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and should review restore activities to resolve any issues with the restored data.
Organisations should keep a log of restoration activity, including any personnel involved in the restore and a description of the PII that has been restored.
Organisations should check with any law-making or regulatory agencies and ensure that their PII restoration procedures are in alignment with what is expected of them as a PII processor and controller.
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
|---|---|---|---|
| 6.9.2.1 | Controls Against Malware | 8.7 – Protection Against Malware (ISO 27002) | None |
| 6.9.3.1 | Information Backup | 8.13 – Information Backup (ISO 27002) | Articles (5), (32) |
In order to achieve ISO 27701 you must build a Privacy Information Management System. With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.
You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.
To achieve certification to ISO 27701 (privacy) you must first achieve certification to ISO 27001 (information security). The good news is that our platform can help you do both effortlessly!