Auditing usually involves gathering large amounts of information on any given system – including user actions, customer data and critical events.
The process of auditing itself can pose a risk to PII and privacy protection, since such activities have the potential to affect data availability and sometimes require specialised methods to interrogate sensitive datasets.
ISO 27701 6.9.7 contains one sub-clause related to ICT auditing and the associated privacy risks – ISO 6.9.7.1 – which includes guidance from ISO 27002 Control 8.34.
ISO provides no additional PIMS or PII-related guidance points, nor are there any UK GDPR considerations to keep in mind.
When performing periodic auditing (and other network assurance activities), plans should be drafted to ensure that the integrity and availability of PII and privacy-related assets are protected at all times.
To achieve this, organisations should:
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
|---|---|---|---|
| 6.9.7.1 | Information Systems Audit Controls | 8.34 – Protection of Information Systems During Audit Testing for ISO 27002 | None |
Our PIMS adheres to the international standard ISO 27001, but it can also accommodate a growing number of national, regional, and sector-specific privacy standards, frameworks, and regulations.
With our intuitive platform, you can map your work across multiple frameworks, eliminating duplication and repetition.