Logging and monitoring is a crucial part of an organisation’s privacy protection operation. It allows staff to detect and analyse malicious activity across a network, and to gather a body of data that serves to bolster future security initiatives.
ISO 27701 6.9.4 contains three sub-clauses that present information security guidance from ISO 27002 within the context of privacy protection:
Sub-clauses 6.9.4.1 and 6.9.4.2 both contain extensive additional guidance on managing logging and monitoring alongside PII-related activities. Several clauses also contain information that is applicable within UK GDPR legislation, with the relevant articles provided below.
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.
Event logs should contain:
ISO identifies 11 events/components that require logging (all linked to the same time source; see ISO 27002 control 8.17) in order to maintain PII security and improve organisational privacy protection:
Logs should be protected against unauthorised changes or operational anomalies, including:
Organisations should engage with the following techniques, in order to improve log-based security:
When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 control 5.34 and additional guidance below).
Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.
When performing log analysis, organisations should take into account:
Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.
Organisations should:
ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process’. This may necessitate a separate set of procedures that monitor access to PII.
Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:
Organisations should decide ‘if, when and how’ PII log information should be made available to customers, with any criteria made freely available to the PII principals themselves, and with great care taken to ensure that PII principals are only able to access information pertaining to them.
See ISO 27701 Clause 6.9.4.1
Organisations should dedicate a lot of attention towards ensuring that logs which contain PII are properly controlled, and benefit from secure monitoring.
Automated procedures should be put in place that either delete or ‘de-identify’ logs, in line with a published retention policy (see ISO 27002 control 7.4.7).
See ISO 27701 Clause 6.9.4.1
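The retention-driven deletion and de-identification described above, as an added example that is not from the page or ISMS.online: a constructed JSON-lines PII access log is run through a hypothetical policy (de-identify after 30 days, delete after 365 days), with identifying fields replaced by keyed HMAC pseudonyms so that older events remain correlatable for analysis without exposing the principal.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed sample PII access log (JSON lines, not from any real system):
# one recent record, one past the de-identification threshold, one past deletion.
SAMPLE_LOG = """\
{"ts": "2024-06-10T09:00:00Z", "user": "alice@example.com", "action": "read", "record": "patient/4411"}
{"ts": "2024-03-01T14:30:00Z", "user": "bob@example.com", "action": "export", "record": "patient/1290"}
{"ts": "2023-01-15T08:05:00Z", "user": "carol@example.com", "action": "read", "record": "patient/0007"}
"""

# Hypothetical retention policy: de-identify after 30 days, delete after 365 days.
POLICY = {"deidentify_after_days": 30, "delete_after_days": 365}
PII_FIELDS = ("user", "record")  # fields that identify a PII principal or their data


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-06-10T09:00:00Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym: equal inputs map to equal tokens, so events stay
    correlatable for analysis, but the value is unrecoverable without the key."""
    return "pseudo:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(log_text: str, now_iso: str, key: bytes, policy=POLICY):
    """Apply the policy to every record; return (kept_records, deleted_count)."""
    now = parse_ts(now_iso)
    deidentify_cutoff = now - timedelta(days=policy["deidentify_after_days"])
    delete_cutoff = now - timedelta(days=policy["delete_after_days"])
    kept, deleted = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        if ts < delete_cutoff:          # beyond retention: remove the record entirely
            deleted += 1
            continue
        if ts < deidentify_cutoff:      # still needed for analysis, but strip identity
            for field in PII_FIELDS:
                if field in rec:
                    rec[field] = pseudonymise(rec[field], key)
            rec["deidentified"] = True
        kept.append(rec)
    return kept, deleted


# Constructed run: policy evaluated on 2024-06-15 with a demo key (not a real secret).
KEPT, DELETED = apply_retention(SAMPLE_LOG, "2024-06-15T00:00:00Z", b"demo-key")
```

The pseudonym key must be held separately from the logs, and under the same access controls as the PII it protects, since anyone holding it can test a guessed identity against the tokens.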
ISO requires organisations to establish a standard reference time that can be used across all privacy protection systems.
Organisations should:
ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
---|---|---|---|
6.9.4.1 | Event Logging | 8.15 – Logging for ISO 27002 | Article (5) |
6.9.4.2 | Protection of Log Information | 8.15 – Logging for ISO 27002 | Article (5) |
6.9.4.3 | Administrator and Operator Logs | 8.15 – Logging for ISO 27002 | None |
6.9.4.4 | Clock Synchronisation | 8.17 – Clock Synchronisation for ISO 27002 | None |
Building your own PIMS system tends to be a better way to end up with a system that fits your business processes.
A bespoke system may save you money and is likely to be easier to use, configure and adapt to your data processors and controllers.
Some organisations find the idea of building their own system daunting, and this leads them to look for off-the-shelf systems.
Whichever route you choose to follow for your organisation, our cloud-based solutions at ISMS.online will help make sure that you keep the documentation required to meet the standard.
Find out more by booking a demo.