ISO 27701, Clause 6.9.2 – Protection from Malware

ISO 27701 Controls and Clauses Explained


Even within the most robust and watertight of networks, failures and intrusions can and do happen.

Organisations need to assume that critical scenarios can occur at any time, and must protect PII from intrusion while also guaranteeing business continuity through versatile and clearly understood BUDR procedures.

What’s Covered in ISO 27701 Clause 6.9.2

ISO 27701 clause 6.9.2 contains two sub-clauses which provide guidance on antimalware techniques and BUDR functions.

Both clauses are linked to information contained within ISO 27002, with guidance offered within the scope of PII and privacy protection:

  • ISO 27701 6.9.2.1 Controls against malware (References ISO 27002 control 8.7)
  • ISO 27701 6.9.3.1 Information backup (References ISO 27002 control 8.13)

ISO 27701 6.9.3.1 features guidance points that are relevant to several articles contained within UK GDPR legislation – with a summary provided for your convenience – and extensive additional guidance on how organisations should approach both backing up and restoring PII.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.


ISO 27701 Clause 6.9.2.1 – Controls Against Malware

References ISO 27002 Control 8.7

To protect PII and privacy-related assets, organisations need to deploy a range of antimalware techniques and platforms, including:

  • Maintaining a list of restricted/banned software and applications (see ISO 27002 controls 8.19 and 8.32).
  • Using content filtering to block access to suspect websites.
  • Deploying ‘technical vulnerability management’ measures (see ISO 27002 controls 8.8 and 8.19).
  • Regularly auditing the use of software and data, in order to detect any unauthorised or suspect applications and systems.
  • Protection against the risks associated with obtaining data and/or applications from external and third-party sources.
  • Conducting regular antimalware scans, that cover the whole network, including email, websites and removable media.
  • Giving consideration to where on the network antimalware tools should be deployed (e.g. gateway security), and promoting ‘defence in depth’.
  • Monitoring incidents and critical interventions, to ensure that malware is not accidentally introduced onto the network during times when standard ICT rules are circumvented.
  • Operating with processes that allow for critical intervention against suspected intrusions, such as temporarily disabling critical system processes, including a thorough justification and review procedure.
  • Robust BUDR and business continuity plans, that include disabling and/or isolating operational environments (see ISO 27002 control 8.13).
  • Awareness training for all users (see ISO 27002 control 6.3).
  • Maintaining an active presence in the antimalware community and keeping abreast of the latest cybersecurity trends, including virus definitions, attack vectors and remedial actions.
  • Ensuring that all actionable communication regarding malware from external sources is independently verified and emanates from a trustworthy source.

Relevant ISO 27002 Controls

  • ISO 27002 6.3
  • ISO 27002 8.8
  • ISO 27002 8.13
  • ISO 27002 8.19
  • ISO 27002 8.32

ISO 27701 Clause 6.9.3.1 – Information Backup

References ISO 27002 Control 8.13

Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.

BUDR procedures should be drafted to achieve the primary goal of ensuring that all business critical data, software and systems are able to be recovered following data loss, intrusion, business interruption and critical failures.

As a priority, BUDR plans should:

  • Outline restoration procedures that cover all critical systems and services.
  • Be able to produce workable copies of any systems, data or applications that are part of a backup job.
  • Serve the commercial and operational requirements of the organisation (see ISO 27002 control 5.30).
  • Store backups in an environmentally protected location that is physically separate from the source data (see ISO 27002 control 8.1).
  • Regularly test and appraise backup jobs against the organisation’s mandated recovery times, in order to guarantee data availability.
  • Encrypt all PII-related backup data.
  • Double-check for any data loss before executing a backup job.
  • Adhere to a reporting system that alerts staff to the status of backup jobs.
  • Seek to incorporate, in internal backup jobs, data from cloud-based platforms that are not directly managed by the organisation.
  • Store backups in accordance with an appropriate PII retention policy (see ISO 27002 control 8.10).

Additional PII-Specific Guidance

Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).

Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new job is created, jobs are amended or new PII data is added to the BUDR routine.

Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and review restore activities to resolve any issues with the new data.

Organisations should keep a log of restoration activity, including any personnel involved in the restore, and a description of the PII that’s been restored.

Organisations should check with any law-making or regulatory agencies and ensure that their PII restoration procedures are in alignment with what’s expected of them as a PII processor and controller.

Relevant ISO 27002 Controls

  • ISO 27002 5.30
  • ISO 27002 8.1
  • ISO 27002 8.10

Applicable GDPR Articles

  • Article 5 – (1)(f)
  • Article 32 – (1)(c)


Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier   ISO 27701 Clause Name       ISO 27002 Control                             Associated GDPR Articles
6.9.2.1                       Controls Against Malware    8.7 – Protection Against Malware              None
6.9.3.1                       Information Backup          8.13 – Information Backup                     Articles 5, 32

How ISMS.online Helps

In order to achieve ISO 27701 you must build a Privacy Information Management System. With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.

To achieve certification to ISO 27701 (privacy) you must first achieve certification to ISO 27001 (information security). The good news is that our platform can help you do both effortlessly!

Find out more by booking a demo.
