NQA ISO 27701 Mini Implementation Guide
IMPLEMENTATION GUIDE
MANAGING PERSONAL INFORMATION WITH ISO/IEC 27701

Since 2016, and within a relatively short period of time, modern data protection legislation has been passed in many countries around the world. The most notable is the EU's General Data Protection Regulation (GDPR), which has shaped the requirements placed on organisations to uphold the rights of data subjects when processing their personal data. The speed at which this legislation has been established has left some organisations unable to respond adequately, and well-publicised breaches have occurred.

Despite the well-signposted roll-out of the GDPR, the regulation does not provide specific guidance on what measures should be taken to comply with its requirements. Further, existing standards do not, in most cases, have a robust enough set of clauses or controls to ensure that data privacy is addressed in full through the implementation of a management system.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed ISO/IEC 27701 to provide the necessary guidance for businesses to address data privacy effectively and to bridge the gap between existing management system requirements and privacy legislation around the world.

GDPR – An overview of legislation

The GDPR was adopted by the EU in April 2016, became applicable on 25 May 2018, and replaced the EU Data Protection Directive 95/46/EC. It places obligations on any modern organisation with data processing responsibilities, applies to organisations outside the EU as well, and has harmonised privacy legislation across the EEA.

Any non-EU entity offering goods or services to individuals located in the EU is also bound by the requirements of the GDPR. Businesses and organisations with sizeable personal data processing requirements are particularly affected, and ensuring conformity with the legislation is paramount.

Organisations must have a lawful basis for processing personal data and may only process it for a specified purpose. Individuals have the right to request a copy of all data held on them, including an explanation of how that data is used and whether third parties have access to it. Individuals may request that their data be transmitted to another controller (data portability); they also have the right to withdraw consent for processing and to request the erasure of data that is no longer required.

Organisations and individuals who process personal data are required to have appropriate security controls in place to ensure the confidentiality of the data they hold or process. Personal data can be transferred outside the EU, but only to countries considered to have adequate legislation for preserving the rights of EU data subjects, or where appropriate safeguards (such as standard contractual clauses or binding corporate rules) are in place.
In most circumstances, organisations with existing certification to ISO 27001 should start at Annex F to understand how the application of the PIMS fits into their existing ISO 27001 ISMS. This annex describes three ways in which the standard is applied:

• Application of security standards as is
• Additions to security standards
• Refinement of security standards

Clause 5 of ISO 27701 extends the requirements of ISO 27001, and Clauses 6 to 8 extend the guidance of ISO 27002, to incorporate PII considerations. Clause 5 provides PIMS-specific requirements relating to the information security requirements in ISO 27001, as appropriate to an organisation which acts as a PII controller and/or a PII processor. Organisations should implement a PIMS Statement of Applicability (SoA), the content of which is influenced by whether they are a controller or a processor (or both). Organisations can create a combined ISMS-PIMS and extend their ISMS SoA to include the PIMS controls.

Clause 6 (refinement of the ISO 27001 Annex A controls) = 37 enhanced controls
Clause 7 + Annex A = 31 new controls for PII controllers
Clause 8 + Annex B = 18 new controls for PII processors
ADDITIONAL CONSIDERATIONS
Detailed below are the additional considerations within clause 5 of ISO 27701 that go beyond the requirements of an existing ISMS:
5.1 The requirements of ISO 27001 must be extended to the protection of privacy as potentially affected by the processing of PII. Annex F contains a table that illustrates how this extension maps onto the ISO 27001 clauses.
5.2.1 ISO 27001 clause 4.1 is extended: the organisation must determine its role as a PII controller and/or a PII processor, and must identify the external and internal factors relevant to its context that affect its ability to achieve the intended outcomes of the PIMS. These include applicable privacy legislation and contractual requirements, which may already have been captured within the existing ISMS under other clauses or Annex A controls of ISO 27001.
Where an organisation acts as both a PII controller and a PII processor, the two roles must be determined separately, as each is subject to its own control set (Annex A for controllers, Annex B for processors).
5.2.2 In addition to ISO 27001 clause 4.2, the organisation must include interested parties that have responsibilities associated with the processing of PII. These can include customers, which again may not previously have been considered in an ISO 27001 ISMS. The requirements of these parties relevant to the processing of PII can arise from legal requirements, contractual obligations or self-identified objectives.
5.2.3 ISO 27001 clause 4.3 requires the scope of the ISMS to be determined. For the PIMS, the organisation must additionally take account of its processing of PII when determining scope. Determining the PIMS scope can therefore require a revision of the ISMS scope, because ISO 27701 clause 5.1 extends the interpretation of information security to cover privacy.
5.2.4 Further to ISO 27001 clause 4.4, the organisation is required by the new standard to establish, implement, maintain and continually improve a PIMS in accordance with the requirements of ISO 27001:2013 clauses 4 to 10, as extended by the requirements in ISO 27701 clause 5.
5.3 Within ISO 27001, organisations are required to demonstrate commitment to the ISMS through leadership, and through the creation of policies, roles and responsibilities, and guidance. Likewise, the PIMS requires similar input from top management, together with the PIMS-specific interpretations indicated in ISO 27701 clause 5.1, which cover all the mirrored aspects of clause 5 of the ISMS.
5.4.1 The ISO 27001 requirements for addressing risks and opportunities must be augmented with the considerations of ISO 27701 clause 5.1. The information security risk assessment defined in ISO 27001 still applies, with the following additional requirements:
1. The organisation shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability, within the scope of the PIMS.
2. The organisation shall apply a privacy risk assessment process to identify risks related to the processing of PII, within the scope of the PIMS.
3. The organisation shall ensure throughout the risk assessment processes that the relationship between information security and PII protection is appropriately managed.
These may be run as a single integrated risk assessment process or as parallel processes controlled separately; the choice is entirely the organisation's to make.
Additionally, ISO 27001 clause 6.1.2 d) is refined to include an assessment of the potential consequences, for both the organisation and PII principals, should the risks identified under ISO 27001 clause 6.1.2 c) materialise.
Further consideration is given to the Statement of Applicability that the organisation generated when implementing its ISO 27001 ISMS. Just as the ISMS SoA was produced using an "opt out and justify" approach, not every control objective and control listed in the ISO 27701 annexes needs to be included when implementing the PIMS; a documented justification is required wherever a control is excluded as not necessary.
5.4.2 The information security objectives established under ISO 27001 clause 6.2 must be reconsidered in light of the interpretation given in ISO 27701 clause 5.1.
5.5 The support requirements of ISO 27001 clause 7 apply, together with the additional interpretation specified in ISO 27701 clause 5.1.
5.6 The operational requirements of ISO 27001 clause 8, including risk treatment planning, similarly apply under ISO 27701, supplemented by the additional information identified when addressing clause 5.1 of that standard.
5.7 and 5.8 Likewise, the monitoring, measurement and improvement activities already live within an existing ISMS require further augmentation with the considerations of ISO 27701 clause 5.1.
The processes identified above show that clause 5.1 of ISO 27701 is the key point for implementing a PIMS. Its extension of information security to the protection of privacy in the processing of PII guides the consideration to be given when addressing the remaining clauses of ISO 27701.
The following table provides a simple overview of the information on the previous page:

ISO 27001 Clause   ISO 27701 Extension
5.1                Top-level commitment to a privacy policy and integration of the PIMS into the ISMS, including:
7.3                Awareness of the PIMS policy and of how personnel contribute to the establishment and improvement of the system
7.5                Documentation for the PIMS, with additional considerations for information and documentation originating outside the organisation
8.3                PIMS risk treatment plan, including amendments to existing risk registers
www.nqa.com