ISO 27701, Clause 6.9.7 – Information Systems Audit Considerations

ISO 27701 Controls and Clauses Explained

Book a demo

closeup,group,young,coworkers,together,discussing,creative,project,during,work

Auditing usually involves gathering large amounts of information on any given system – including user actions, customer data and critical events.

The process of auditing itself can represent a risk to PII and privacy protection, given that such activities have the potential to impact on data availability, and sometimes require specialised methods to interrogate sensitive datasets.

What’s Covered in ISO 27701 Clause 6.9.7

ISO 27701 6.9.7 contains one sub-clause related to ICT auditing and the associated privacy risks – ISO 6.9.7.1 – which includes guidance from ISO 27002 Control 8.34.

ISO provides no additional PIMS or PII-related guidance points, nor are there any UK GDPR considerations to keep in mind.

ISO 27701 Clause 6.9.7.1 – Information Systems Audit Controls

References ISO 27002 Control 8.34

When performing periodic auditing (and other network assurance activities) plans should be drafted to ensure that the integrity and availability of PII and privacy-related assets is protected at all times.

To achieve this, organisations should:

  • Ensure that access to systems is appropriately managed, for auditing purposes.
  • Clearly outline the scope of auditing activities, before they are implemented.
  • Where possible, limit access to sensitive data to read-only privileges. If elevated permissions are required, organisations should consider delegating auditing duties to an ‘experienced administrator’.
  • Scrutinise the security configuration of the devices that are being used to conduct the audit.
  • Operate with an agreed procedure for requesting specialised auditing tools.
  • Where possible, execute all auditing activities outside of business hours, where such activities have the potential to impact upon system availability.
  • Maintain a thorough log of all auditing activities (including requests), for compliance purposes.
  • Consider the privacy implications of auditing testing and development facilities and environments.

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.9.7.1Information Systems Audit Controls8.34 – Protection of Information Systems During Audit Testing for ISO 27002None

How ISMS.online Helps

Our PIMS adheres to the international standard ISO 27001, but it can also accommodate a growing number of national, regional, and sector-specific privacy standards, frameworks, and regulations.

  • GDPR
  • POPIA
  • BS 10012
  • Australian Privacy Principles
  • NIST Privacy Framework
  • OECD Privacy Guidelines
  • APEC Privacy Framework
  • And more

With our intuitive platform, you can map your work across multiple frameworks, eliminating duplication and repetition.

Find out more by booking a demo.

Jump to Topic

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.