ISO 27701, Clause 6.9 – Operations Security

ISO 27701 Controls and Clauses Explained


The day-to-day running of an ICT network contains numerous pitfalls that have the potential to impact upon an organisation’s ability to adhere to its legislative, regulatory and contractual obligations.

Operations Security is a broad-ranging topic that deals with a variety of matters relating to the availability and integrity of PII and privacy-related information, across an organisation’s entire operation.

What’s Covered in ISO 27701 Clause 6.9

ISO 27701 clause 6.9 contains 4 sub-clauses, each of which corresponds with an adjoining sub-clause in ISO 27002:

  • ISO 27701 6.9.1.1 – Documenting operating procedures (ISO 27002 Control 5.37)
  • ISO 27701 6.9.1.2 – Change management (ISO 27002 Control 8.32)
  • ISO 27701 6.9.1.3 – Capacity management (ISO 27002 Control 8.6)
  • ISO 27701 6.9.1.4 – Separation of development, testing and operational environments (ISO 27002 Control 8.31)

ISO provides no additional guidance for PIMS or PII-related activities, nor are there any UK GDPR considerations to take into account.

ISO 27701 Clause 6.9.1.1 – Documenting Operating Procedures

References ISO 27002 Control 5.37

Organisations should thoroughly document procedures associated with privacy protection, including:

  • Activities that need to be performed multiple times by the same personnel.
  • Activities that aren’t usually performed, and when the next instance will likely arise.
  • New activities.
  • Passing responsibility to other personnel.

Processes and procedures should clearly specify:

  • Individuals responsible for carrying out the activity.
  • How systems should be implemented.
  • How PII and related information should be stored and handled.
  • Backup plans and business resilience (see ISO 27002 Control 8.13).
  • Any scheduling requirements.
  • Clear instructions that outline how staff should handle special conditions that arise during the process of protecting PII and privacy-related assets, including utility programs (see ISO 27002 Control 8.18).
  • How to implement and administer storage media (see ISO 27002 Controls 7.10 and 7.14).
  • System recovery procedures.
  • How staff should manage audit trails, system and event logs, and other associated monitoring systems (see ISO 27002 Controls 8.15, 8.17 and 7.4).
  • Capacity, performance and security monitoring (see ISO 27002 Controls 8.6 and 8.16).

Organisations should ensure that policies and procedures are reviewed at appropriate intervals, and updated when operational needs change.

Where possible, ISO recommends that systems should be maintained using the same set of administrative controls and applications.

Relevant ISO 27002 Controls

  • ISO 27002 7.4
  • ISO 27002 7.10
  • ISO 27002 7.14
  • ISO 27002 8.6
  • ISO 27002 8.13
  • ISO 27002 8.15
  • ISO 27002 8.16
  • ISO 27002 8.17
  • ISO 27002 8.18

ISO 27701 Clause 6.9.1.2 – Change Management

References ISO 27002 Control 8.32

Whenever a new system is introduced, or any major changes are planned to existing systems, organisations should adhere to a structured system that covers off:

  • Documentation.
  • Specification.
  • Testing.
  • Quality control.
  • Managed implementation.

Change procedures should include:

  • An analysis of the impact of any proposed changes.
  • Authorisation procedures.
  • Dissemination of changes to all interested parties.
  • Testing – including rigid acceptance criteria.
  • How changes are made during implementation phases.
  • Contingency plans that cover off any change-related incidents during implementation.
  • How to maintain adequate records of all change-related activity.
  • Updating all relevant operating documents and user instructions (see ISO 27002 Control 5.37).

ISO advocates for testing any change-related activity in an environment that is logically (and potentially physically) separate from the operational environment that the changes are set to impact (see ISO 27002 Control 8.31).

Relevant ISO 27002 Controls

  • ISO 27002 5.37
  • ISO 27002 8.31

ISO 27701 Clause 6.9.1.3 – Capacity Management

References ISO 27002 Control 8.6

Organisations need to ensure that they have sufficient operating capacity to carry out daily business functions, so that PII or privacy-related material is not compromised.

Organisations should:

  • Consider business continuity and privacy protection as a top priority when implementing capacity management controls, including detective controls that highlight potential issues before they occur.
  • Base their capacity management operation upon the proactive functions of tuning and monitoring.
  • Perform regular stress tests that interrogate a system’s ability to cater to overall business needs and privacy protection regulations, laws and guidelines.
  • Include plans for commercial and technical expansion (both from a physical and digital perspective) of the operation.
  • Consider varying lead times and costs, depending on the system or business function in question. Privacy-related resources should be afforded more attention, given their elevated risk profile.
  • Document and observe single points of failure relating to a dependency on key personnel, individual resources and PII.
  • Draft and implement a capacity management plan that deals specifically with privacy protection.

ISO advocates for a dual-fronted approach to capacity management that either increases capacity, or reduces demand upon a resource or set of resources.

When attempting to increase capacity, organisations should:

  1. Consider hiring new employees, to meet expanding business requirements.
  2. Expand into new physical locations – including data processing and storage facilities.
  3. Consider using cloud resources that automatically expand to meet the growing needs of the organisation.

When attempting to reduce demand, organisations should:

  • Delete obsolete or unused data.
  • Dispose of any hard copies of information that the organisation no longer needs, and is not legally required to keep.
  • Decommission any ICT resources that are no longer required.
  • Implement scheduled ICT tasks that optimise memory resources and minimise storage space.
  • Ensure that any pieces of executable code, or database queries, are optimised to reduce demand on computational and storage resources.
  • Restrict Internet access and ban video/audio streaming from work devices.

ISO 27701 Clause 6.9.1.4 – Separation of Development, Testing and Operational Environments

References ISO 27002 Control 8.31

ISO identifies three distinct environments that need to be segregated from one another:

  • Development
  • Testing
  • Production

To ensure that PII is protected across all three environments (particularly throughout the production environment), organisations should:

  • Operate production and development systems in distinctly different domains (physical and virtual).
  • Rigidly define how software is implemented from the development stage to the production stage.
  • Thoroughly test any changes to production systems in a testing environment, prior to them being applied in a live environment (see ISO 27002 Control 8.29).
  • Prohibit testing in live production environments, aside from special cases that have received prior authorisation.
  • Ensure that development tools are not accessible from live production environments, unless explicitly required.
  • Label systems and assets to clearly indicate what environment they belong to.
  • Prevent the copying of privacy-related information from the production environment into any other environment, unless said data is subject to the same set of security controls wherever it is being copied to.

Development and testing environments should be protected by:

  1. Updating and patching ALL development tools.
  2. Best-practice configurations.
  3. Auditing and monitoring any changes to the environment.
  4. Robust backup and disaster recovery (BUDR) plans.

ISO makes it explicitly clear that development and testing staff pose a disproportionate risk to PII – either directly due to malicious actions, or inadvertently due to mistakes in the development process.

It is vitally important that no single employee has the ability to make amendments both to and within development and production environments without proper authorisation, including a review of the required changes and multi-step approval (see ISO 27002 Control 8.33).

Organisations should take great care to ensure the integrity and availability of PII throughout the development and testing process, including multiple live production environments, training environments and segregation of duties.

Relevant ISO 27002 Controls

  • ISO 27002 8.29
  • ISO 27002 8.33

Supporting Controls From ISO 27002 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles |
| --- | --- | --- | --- |
| 6.9.1.1 | Documenting Operating Procedures | 5.37 – Documented Operating Procedures for ISO 27002 | None |
| 6.9.1.2 | Change Management | 8.32 – Change Management for ISO 27002 | None |
| 6.9.1.3 | Capacity Management | 8.6 – Capacity Management for ISO 27002 | None |
| 6.9.1.4 | Separation of Development, Testing and Operational Environments | 8.31 – Separation of Development, Test and Production Environments for ISO 27002 | None |

How ISMS.online Helps

To comply with ISO 27701, you must create a Privacy Information Management System (PIMS). With our prebuilt PIMS, you can quickly and simply manage and organise customer, supplier, and employee data to fully satisfy the standard.

Furthermore, ISMS.online can accommodate the growing number of global, regional, and sector-specific privacy regulations.

Prior to becoming ISO 27701 (privacy) certified, you must first become ISO 27001 (information security) certified. Fortunately, our platform can help you accomplish both.

Find out more by booking a demo.
