Auditing Checklist ISO27701 - Draft - 01 - Landscape RV MBv1

This document provides an assessment checklist for ISO27701:2019 certification. It focuses on requirements specific to personal identifiable information (PII) processing management systems (PIMS). The checklist extends the requirements of ISO/IEC 27001:2013 to account for privacy protection of PII principals. It evaluates compliance with controls addressing roles in PII processing, risk assessments considering both information security and privacy risks, and producing a statement of applicability justifying included and excluded controls.


ISO27701:2019 : Assessment Checklist

Customer Name:                                  Contract No:

Certificate Date:                               Visit Type*: Certification / Re-certification / Surveillance

ISO/IEC 27001:2013 certification expiry date:

*delete as applicable.

This is a sector-specific document related to ISO/IEC 27001:2013 and to ISO/IEC 27002:2013. This checklist focuses on PIMS-specific requirements. Compliance with this checklist is based on adherence to these requirements and to the requirements in ISO/IEC 27001:2013. This document extends the requirements of ISO/IEC 27001:2013 to take into account the protection of privacy of PII principals as potentially affected by the processing of PII, in addition to information security.

NB: ISO27701:2019 certification is predicated on an ISO/IEC 27001:2013 certification being in place.

Checklist columns: Control No; Requirement; Annex SL (Annex A/B) category; Compliance (Y/N); Notes. Each row below is written as the control number and its category on one line, followed by the requirement text. The Compliance and Notes columns are left for the assessor to complete.
5.2.1  [Context]  Compliance: Y/N
The organization shall determine its role as a PII controller (including as a joint PII controller) and/or a PII processor. The organization shall determine external and internal factors that are relevant to its context and that affect its ability to achieve the intended outcome(s) of its PIMS. For example, these can include:
— applicable privacy legislation;
— applicable regulations;
— applicable judicial decisions;
— applicable organizational context, governance, policies and procedures;
— applicable administrative decisions;
— applicable contractual requirements.
Where the organization acts in both roles (e.g. a PII controller and a PII processor), separate roles shall be determined, each of which is the subject of a separate set of controls.
5.2.2  [Context]  Compliance: Y/N
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2) those parties having interests or responsibilities associated with the processing of PII, including the PII principals.

Created by Dilraj S Sagoo - exelar Ltd Page 1 of 16
Draft 0.1
5.2.3  [Context]  Compliance: Y/N
When determining the scope of the PIMS, the organization shall include the processing of PII.

5.2.4  [Context]  Compliance: Y/N
The organization shall establish, implement, maintain and continually improve a PIMS in accordance with the requirements of ISO/IEC 27001:2013 Clauses 4 to 10, extended by the requirements in Clause 5.
5.4.1.2  [Planning]  Compliance: Y/N
The organization shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability, within the scope of the PIMS. The organization shall apply a privacy risk assessment process to identify risks related to the processing of PII, within the scope of the PIMS. The organization shall ensure throughout the risk assessment processes that the relationship between information security and PII protection is appropriately managed.

5.4.1.2 (cont.)  [Planning]  Compliance: Y/N
The organization shall assess the potential consequences for both the organization and PII principals that would result if the risks identified in ISO/IEC 27001:2013, 6.1.2 c) as refined above, were to materialize.

5.4.1.3  [Planning]  Compliance: Y/N
The controls determined in ISO/IEC 27001:2013, 6.1.3 b) shall be compared with the controls in Annex A and/or Annex B and ISO/IEC 27001:2013, Annex A to verify that no necessary controls have been omitted. When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013, Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including risks to PII principals.

5.4.1.3 (cont.)  [Planning]  Compliance: Y/N
Produce a Statement of Applicability that contains:
— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)];
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the controls in Annex A and/or Annex B and ISO/IEC 27001:2013, Annex A according to the organization's determination of its role (see 5.2.1).
Not all the control objectives and controls listed in the annexes need to be included in a PIMS implementation. Justification for exclusion can include where the controls are not deemed necessary by the risk assessment, and where they are not required by (or are subject to exceptions under) the legislation and/or regulation including those applicable to the PII principal.

PIMS-specific guidance

6 Annex A Additional Control Implementation Guidance

6.1  [Control]  Compliance: Y/N
The guidelines in ISO/IEC 27002:2013 mentioning "information security" should be extended to the protection of privacy as potentially affected by the processing of PII. All control objectives and controls should be considered in the context of both risks to information security as well as risks to privacy related to the processing of PII.

6.2.1.1  [Technical Implementation]  Compliance: Y/N
Either by the development of separate privacy policies, or by the augmentation of information security policies, the organization should produce a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and/or regulation and with the contractual terms agreed between the organization and its partners, its subcontractors and its applicable third parties (customers, suppliers etc.), which should clearly allocate responsibilities between them. Any organization that processes PII, whether a PII controller or a PII processor, should consider applicable PII protection legislation and/or regulation during the development and maintenance of information security policies.

6.3.1.1  [Information security roles and responsibilities]  Compliance: Y/N
The organization should designate a point of contact for use by the customer regarding the processing of PII. When the organization is a PII controller, it should designate a point of contact for PII principals regarding the processing of their PII (see 7.3.2). The organization should appoint one or more persons responsible for developing, implementing, maintaining and monitoring an organization-wide governance and privacy program, to ensure compliance with all applicable laws and regulations regarding the processing of PII. The responsible person should, where appropriate:
— be independent and report directly to the appropriate management level of the organization in order to ensure effective management of privacy risks;
— be involved in the management of all issues which relate to the processing of PII;
— be expert in data protection legislation, regulation and practice;
— act as a contact point for supervisory authorities;
— inform top-level management and employees of the organization of their obligations with respect to the processing of PII;
— provide advice in respect of privacy impact assessments conducted by the organization.

6.3.2.1  [Mobile Device]  Compliance: Y/N
The organization should ensure that the use of mobile devices does not lead to a compromise of PII.
6.4.2.2  [Information security awareness, education and training]  Compliance: Y/N
Measures should be put in place, including awareness of incident reporting, to ensure that relevant staff are aware of the possible consequences to the organization (e.g. legal consequences, loss of business and brand or reputational damage), to the staff member (e.g. disciplinary consequences) and to the PII principal (e.g. physical, material and emotional consequences) of breaching privacy or security rules and procedures, especially those addressing the handling of PII.

6.5.2.1  [Classification of information (8.2.1)]  Compliance: Y/N
The organization's information classification system should explicitly consider PII as part of the scheme it implements. Considering PII within the overall classification system is integral to understanding what PII the organization processes (e.g. type, special categories), where such PII is stored and the systems through which it can flow.

6.5.3.1  [Removable Media (8.3.1)]  Compliance: Y/N
The organization should document any use of removable media and/or devices for the storage of PII. Wherever feasible, the organization should use removable physical media and/or devices that permit encryption when storing PII. Unencrypted media should only be used where unavoidable, and in instances where unencrypted media and/or devices are used, the organization should implement procedures and compensating controls (e.g. tamper-evident packaging) to mitigate risks to the PII.
Removable media which is taken outside the physical confines of the organization is prone to loss, damage and inappropriate access. Encrypting removable media adds a level of protection for PII which reduces security and privacy risks should the removable media be compromised.

6.5.3.2  [Disposal of Media (8.3.2)]  Compliance: Y/N
Where removable media on which PII is stored is disposed of, secure disposal procedures should be included in the documented information and implemented to ensure that previously stored PII will not be accessible.
6.5.3.3  [Physical Media Transfer (8.3.3)]  Compliance: Y/N
If physical media is used for information transfer, a system should be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, additional measures such as encryption should be implemented to ensure that the data can only be accessed at the point of destination and not in transit. The organization should subject physical media containing PII to an authorization procedure before it leaves the premises, and ensure the PII is not accessible to anyone other than authorized personnel.
6.6.2.1  [User registration and de-registration (9.2.1)]  Compliance: Y/N
Procedures for registration and de-registration of users who administer or operate systems and services that process PII should address the situation where user access control for those users is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure).
The organization should not reissue to users any de-activated or expired user IDs for systems and services that process PII. In the case where the organization is providing PII processing as a service, the customer can be responsible for some or all aspects of user ID management. Such cases should be included in the documented information. Some jurisdictions impose specific requirements regarding the frequency of checks for unused authentication credentials related to systems that process PII. Organizations operating in these jurisdictions should take compliance with these requirements into account.

6.6.2.2  [User access provisioning (9.2.2)]  Compliance: Y/N
The organization should maintain an accurate, up-to-date record of the user profiles created for users who have been authorized access to the information system and the PII contained therein. This profile comprises the set of data about that user, including user ID, necessary to implement the identified technical controls providing authorized access. Implementing individual user access IDs enables appropriately configured systems to identify who accessed PII and what additions, deletions or changes they made. As well as protecting the organization, users are also protected as they can identify what they have processed and what they have not processed. In the case where the organization is providing PII processing as a service, the customer can be responsible for some or all aspects of access management. Where appropriate, the organization should provide the customer the means to perform access management, such as by providing administrative rights to manage or terminate access. Such cases should be included in the documented information.

6.6.4.2  [Secure Log-on Procedures (9.4.2)]  Compliance: Y/N
Where required by the customer, the organization should provide the capability for secure log-on procedures for any user accounts under the customer's control.
6.7.7.1  [Policy on the use of cryptographic controls (10.1.1)]  Compliance: Y/N
Some jurisdictions can require the use of cryptography to protect particular kinds of PII, such as health data, resident registration numbers, passport numbers and driver's licence numbers. The organization should provide information to the customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The organization should also provide information to the customer about any capabilities it provides that can assist the customer in applying their own cryptographic protection.
6.8.2.7  [Secure disposal or re-use of equipment (11.2.7)]  Compliance: Y/N
The organization should ensure that, whenever storage space is re-assigned, any PII previously residing on that storage space is not accessible. On deletion of PII held in an information system, performance issues can mean that explicit erasure of that PII is impractical. This creates the risk that another user can access the PII. Such risk should be avoided by specific technical measures. For secure disposal or re-use, equipment containing storage media that can possibly contain PII should be treated as though it does contain PII.

6.8.2.9  [Clear Screen, Clear Desk (11.2.9)]  Compliance: Y/N
The organization should restrict the creation of hardcopy material including PII to the minimum needed to fulfil the identified processing purpose.
6.9.3.1  [Information Backup (12.3.1)]  Compliance: Y/N
The organization should have a policy which addresses the requirements for backup, recovery and restoration of PII (which can be part of an overall information backup policy) and any further requirements (e.g. contractual and/or legal requirements) for the erasure of PII contained in information held for backup requirements. PII-specific responsibilities in this respect can depend on the customer. The organization should ensure that the customer has been informed of the limits of the service regarding backup. Where the organization explicitly provides backup and restore services to customers, the organization should provide them with clear information about their capabilities with respect to backup and restoration of PII. Some jurisdictions impose specific requirements regarding the frequency of backups of PII, the frequency of reviews and tests of backup, or regarding the recovery procedures for PII. Organizations operating in these jurisdictions should demonstrate compliance with these requirements.
There can be occasions where PII needs to be restored, perhaps due to a system malfunction, attack or disaster. When PII is restored (typically from backup media), processes need to be in place to ensure that the PII is restored into a state where the integrity of PII can be assured, and/or where PII inaccuracy and/or incompleteness is identified and processes put in place to resolve them (which can involve the PII principal). The organization should have a procedure for, and a log of, PII restoration efforts. At a minimum, the log of the PII restoration efforts should contain:
— the name of the person responsible for the restoration;
— a description of the restored PII.
Some jurisdictions prescribe the content of the logs of PII restoration efforts. Organizations should be able to document compliance with any applicable jurisdiction-specific requirements for restoration log content. The conclusions of such deliberations should be included in documented information. The use of subcontractors to store replicated or backup copies of PII processed is covered by the controls in this document applying to subcontracted PII processing (see 6.5.3.3, 6.12.1.2). Where physical media transfers take place related to backups and restoration, this is also covered by controls in this document (6.10.2.1).
6.9.4.1  [Event Logging (12.4.1)]  Compliance: Y/N
A process should be put in place to review event logs using continuous, automated monitoring and alerting processes, or else manually, where such review should be performed with a specified, documented periodicity, to identify irregularities and propose remediation efforts. Where possible, event logs should record access to PII, including by whom, when, which PII principal's PII was accessed, and what (if any) changes were made (additions, modifications or deletions) as a result of the event. Where multiple service providers are involved in providing services, there can be varied or shared roles in implementing this guidance. These roles should be clearly defined and included in the documented information, and agreement on any log access between providers should be addressed.
Implementation guidance for PII processors:
The organization should define criteria regarding if, when and how log information can be made available to or usable by the customer. These criteria should be made available to the customer. Where the organization permits its customers to access log records controlled by the organization, the organization should implement appropriate controls to ensure that the customer can only access records that relate to that customer's activities, cannot access any log records which relate to the activities of other customers, and cannot amend the logs in any way.

6.9.4.2  [Protection of Log Information (12.4.2)]  Compliance: Y/N
Log information recorded for purposes such as security monitoring and operational diagnostics can contain PII. Measures such as controlling access (see ISO/IEC 27002:2013, 9.2.3) should be put in place to ensure that logged information is only used as intended. A procedure, preferably automatic, should be put in place to ensure that logged information is either deleted or de-identified as specified in the retention schedule (see 7.4.7).
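The logging requirements in 6.9.4.1 and 6.9.4.2 (record who, when, which PII principal and what change; let a customer read only its own records without being able to amend them; de-identify log entries once the retention schedule expires) can be made concrete in code. The following Python is an added example written for this checklist, not part of the document or of ISO/IEC 27701; the event fields, the HMAC key and the sample events are constructed for illustration, and a real log would persist to append-only storage rather than a list.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key; a real deployment would hold this in a KMS/HSM.
LOG_KEY = b"constructed-demo-key-not-for-production"
# Fields covered by the hash chain. The cleartext principal ID is deliberately
# left out, so de-identifying an old entry does not invalidate the chain.
CHAINED = ("when", "actor", "customer", "action", "fields", "principal_ref", "prev_hash")


@dataclass(frozen=True)
class PiiAccessEvent:
    when: str            # when the access happened (ISO 8601, UTC)
    actor: str           # by whom: the individual user ID (see 6.6.2.2)
    customer: str        # which customer/tenant the record belongs to
    action: str          # read | add | modify | delete
    fields: tuple        # which PII attributes were touched
    principal_ref: str   # keyed pseudonym of the PII principal; survives de-identification
    prev_hash: str       # hash of the preceding entry, so edits and gaps are detectable
    entry_hash: str = ""
    principal_id: Optional[str] = None  # cleartext principal ID; removed by the retention job


def _mac(data: bytes) -> str:
    return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()


def pseudonym(principal_id: str) -> str:
    return _mac(b"principal:" + principal_id.encode())


def entry_hash(ev: PiiAccessEvent) -> str:
    content = {k: getattr(ev, k) for k in CHAINED}
    return _mac(json.dumps(content, sort_keys=True, separators=(",", ":")).encode())


class PiiAccessLog:
    def __init__(self) -> None:
        self._entries = []

    def record(self, when: datetime, actor: str, customer: str,
               principal_id: str, action: str, fields) -> PiiAccessEvent:
        prev = self._entries[-1].entry_hash if self._entries else "genesis"
        ev = PiiAccessEvent(when=when.isoformat(), actor=actor, customer=customer,
                            action=action, fields=tuple(fields), prev_hash=prev,
                            principal_ref=pseudonym(principal_id), principal_id=principal_id)
        ev = replace(ev, entry_hash=entry_hash(ev))
        self._entries.append(ev)
        return ev

    def verify(self) -> bool:
        # Recompute each hash, check the linkage, and check that any cleartext
        # principal ID still matches its pseudonym.
        for i, ev in enumerate(self._entries):
            if ev.entry_hash != entry_hash(ev):
                return False
            if i > 0 and ev.prev_hash != self._entries[i - 1].entry_hash:
                return False
            if ev.principal_id is not None and pseudonym(ev.principal_id) != ev.principal_ref:
                return False
        return True

    def records_for_customer(self, customer: str) -> list:
        # Tenant scoping (6.9.4.1): only this customer's records, as frozen copies,
        # so a customer can neither see other tenants' activity nor amend the log.
        return [ev for ev in self._entries if ev.customer == customer]

    def apply_retention(self, now: datetime, keep_identifiable_days: int) -> int:
        # 6.9.4.2: after the retention period, drop the cleartext principal ID.
        # The pseudonym stays, so the entry remains auditable and the chain verifies.
        cutoff = now - timedelta(days=keep_identifiable_days)
        changed = 0
        for i, ev in enumerate(self._entries):
            if ev.principal_id is not None and datetime.fromisoformat(ev.when) < cutoff:
                self._entries[i] = replace(ev, principal_id=None)
                changed += 1
        return changed


def demo() -> dict:
    # Constructed sample activity: two customers, one principal each, then a retention run.
    log = PiiAccessLog()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.record(t0, "ops.alice", "cust-A", "subject-1001", "read", ["email", "phone"])
    log.record(t0 + timedelta(days=40), "ops.bob", "cust-B", "subject-2002", "modify", ["address"])
    log.record(t0 + timedelta(days=41), "ops.alice", "cust-A", "subject-1001", "delete", ["phone"])
    deidentified = log.apply_retention(now=t0 + timedelta(days=60), keep_identifiable_days=30)
    return {"chain_ok": log.verify(),
            "cust_a_records": len(log.records_for_customer("cust-A")),
            "cust_b_records": len(log.records_for_customer("cust-B")),
            "deidentified": deidentified,
            "oldest_principal_id": log.records_for_customer("cust-A")[0].principal_id}


def tamper_is_detected() -> bool:
    # An amended record (here the action of the first event) must fail verification.
    log = PiiAccessLog()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    log.record(t0, "ops.alice", "cust-A", "subject-1001", "read", ["email"])
    log.record(t0, "ops.alice", "cust-A", "subject-1001", "delete", ["email"])
    log._entries[0] = replace(log._entries[0], action="modify")
    return not log.verify()
```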
6.10.2.1  [Information transfer policies and procedures (13.2.1)]  Compliance: Y/N
The organization should consider procedures for ensuring that rules related to the processing of PII are enforced throughout and outside of the system, where applicable.

6.10.2.4  [Confidentiality or non-disclosure agreements (13.2.4)]  Compliance: Y/N
The organization should ensure that individuals operating under its control with access to PII are subject to a confidentiality obligation. The confidentiality agreement, whether part of a contract or separate, should specify the length of time the obligations should be adhered to. When the organization is a PII processor, a confidentiality agreement, in whatever form, between the organization, its employees and its agents should ensure that employees and agents comply with the policy and procedures concerning data handling and protection.
6.11.1.2  [Securing application services on public networks (14.1.2)]  Compliance: Y/N
The organization should ensure that PII that is transmitted over untrusted data transmission networks is encrypted for transmission. Untrusted networks can include the public internet and other facilities outside of the operational control of the organization.

6.11.2.1  [Secure development policy (14.2.1)]  Compliance: Y/N
Policies for system development and design should include guidance for the organization's processing of PII needs, based on obligations to PII principals and/or any applicable legislation and/or regulation and the types of processing performed by the organization. Clauses 7 and 8 provide control considerations for processing of PII, which can be useful in developing policies for privacy in systems design. Policies that contribute to privacy by design and privacy by default should consider the following aspects:
a) guidance on PII protection and the implementation of the privacy principles (see ISO/IEC 29100) in the software development lifecycle;
b) privacy and PII protection requirements in the design phase, which can be based on the output from a privacy risk assessment and/or a privacy impact assessment (see 7.2.5);
c) PII protection checkpoints within project milestones;
d) required privacy and PII protection knowledge;
e) by default, minimize processing of PII.
6.11.2.5  [Secure systems engineering principles (14.2.5)]  Compliance: Y/N
Systems and/or components related to the processing of PII should be designed following the principles of privacy by design and privacy by default, and to anticipate and facilitate the implementation of relevant controls (as described in Clauses 7 and 8, for PII controllers and PII processors, respectively), in particular such that the collection and processing of PII in those systems is limited to what is necessary for the identified purposes of the processing of PII (see 7.2). For example, an organization that processes PII should ensure that, based on the relevant jurisdiction, it disposes of PII after a specified period. The system that processes that PII should be designed in a way to facilitate this deletion requirement.

6.11.2.7  [Outsourced development (14.2.7)]  Compliance: Y/N
The same principles (see 6.11.2.5) of privacy by design and privacy by default should be applied, if applicable, to outsourced information systems.
6.11.3.1  [Protection of test data (14.3.1)]  Compliance: Y/N
PII should not be used for testing purposes; false or synthetic PII should be used. Where the use of PII for testing purposes cannot be avoided, technical and organizational measures equivalent to those used in the production environment should be implemented to minimize the risks. Where such equivalent measures are not feasible, a risk assessment should be undertaken and used to inform the selection of appropriate mitigating controls.
6.12.1.2  [Addressing security within supplier agreements (15.1.2)]  Compliance: Y/N
The organization should specify in agreements with suppliers whether PII is processed and the minimum technical and organizational measures that the supplier needs to meet in order for the organization to meet its information security and PII protection obligations (see 7.2.6 and 8.2.1). Supplier agreements should clearly allocate responsibilities between the organization, its partners, its suppliers and its applicable third parties (customers, suppliers, etc.) taking into account the type of PII processed. The agreements between the organization and its suppliers should provide a mechanism for ensuring the organization supports and manages compliance with all applicable legislation and/or regulation. The agreements should call for independently audited compliance, acceptable to the customer.
6.13.1.1  [Responsibilities and procedures (Security Incidents) (16.1.1)]  Compliance: Y/N
As part of the overall information security incident management process, the organization should establish responsibilities and procedures for the identification and recording of breaches of PII. Additionally, the organization should establish responsibilities and procedures related to notification to required parties of PII breaches (including the timing of such notifications) and the disclosure to authorities, taking into account the applicable legislation and/or regulation. Some jurisdictions impose specific regulations regarding breach responses, including notification. Organizations operating in these jurisdictions should ensure that they can demonstrate compliance with these regulations.
6.13.1.5  [Response to information security incidents (16.1.5)]  Compliance: Y/N
An incident that involves PII should trigger a review by the organization, as part of its information security incident management process, to determine if a breach involving PII that requires a response has taken place. An event does not necessarily trigger such a review.
NOTE 1: An information security event does not necessarily result in actual, or the significant probability of, unauthorized access to PII or to any of the organization's equipment or facilities storing PII. These can include, but are not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks and packet sniffing.
When a breach of PII has occurred, response procedures should include relevant notifications and records. Some jurisdictions define cases when the breach should be notified to the supervisory authority, and when it should be notified to PII principals. Notifications should be clear and can be required.
Where a breach involving PII has occurred, a record should be maintained with sufficient information to provide a report for regulatory and/or forensic purposes, such as:
— a description of the incident;
— the time period;
— the consequences of the incident;
— the name of the reporter;
— to whom the incident was reported;
— the steps taken to resolve the incident (including the person in charge and the data recovered);
— the fact that the incident resulted in unavailability, loss, disclosure or alteration of PII.
In the event that a breach involving PII has occurred, the record should also include a description of the PII compromised, if known; and if notifications were performed, the steps taken to notify PII principals, regulatory agencies or customers.
Implementation guidance for PII processors:
Provisions covering the notification of a breach involving PII should form part of the contract between the organization and the customer. The contract should specify how the organization will provide the information necessary for the customer to fulfil their obligation to notify relevant authorities. This notification obligation does not extend to a breach caused by the customer or PII principal or within system components for which they are responsible. The contract should also define expected and externally mandated limits for notification response times. In some jurisdictions, the PII processor should notify the PII controller of the existence of a breach without undue delay (i.e. as soon as possible), preferably as soon as it is discovered, so that the PII controller can take the appropriate actions. Where a breach involving PII has occurred, a record should be maintained with sufficient information to provide a report for regulatory and/or forensic purposes, such as:
— a description of the incident;
— the time period;
— the consequences of the incident;
— the name of the reporter;
— to whom the incident was reported;
— the steps taken to resolve the incident (including the person in charge and the data recovered);
— the fact that the incident resulted in unavailability, loss, disclosure or alteration of PII.
In the event that a breach involving PII has occurred, the record should also include a description of the PII compromised, if known; and if notifications were performed, the steps taken to notify the customer and/or the regulatory agencies. In some jurisdictions, applicable legislation and/or regulation can require the organization to directly notify appropriate regulatory authorities (e.g. a PII protection authority) of a breach involving PII.
6.15.1.1  [Identification of applicable legislation and contractual requirements (18.1.1)]  Compliance: Y/N
The organization should identify any potential legal sanctions (which can result from some obligations being missed) related to the processing of PII, including substantial fines directly from the local supervisory authority. In some jurisdictions, International Standards such as this document can be used to form the basis for a contract between the organization and the customer, outlining their respective security, privacy and PII protection responsibilities. The terms of the contract can provide a basis for contractual sanctions in the event of a breach of those responsibilities.

6.15.1.3  [Protection of records (18.1.3)]  Compliance: Y/N
Review of current and historical policies and procedures can be required (e.g. in the cases of customer dispute resolution and investigation by a supervisory authority). The organization should retain copies of its privacy policies and associated procedures for a period as specified in its retention schedule (see 7.4.7). This includes retention of previous versions of these documents when they are updated.

6.15.2.1  [Independent review of information security]  Compliance: Y/N
Where an organization is acting as a PII processor, and where individual customer audits are impractical or can increase risks to security, the organization should make available to customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the organization's policies and procedures. A relevant independent audit, as selected by the organization, should normally be an acceptable method for fulfilling the customer's interest in reviewing the organization's processing operations, if it covers the needs of anticipated users and if results are provided in a sufficiently transparent manner.

6.15.2.3  [Technical compliance review (18.2.3)]  Compliance: Y/N
As part of technical reviews of compliance with security policies and standards, the organization should include methods of reviewing those tools and components related to processing PII. This can include:
— ongoing monitoring to verify that only permitted processing is taking place; and/or
— specific penetration or vulnerability tests (for example, de-identified datasets can be subject to a motivated intruder test to validate that de-identification methods are compliant with organizational requirements).

Additional Guidance for PII Controllers – Annex A Controls

PII controller (processes its own data)
A7.2.1  [Identify and document purpose]  Compliance: Y/N
The organization shall identify and document the specific purposes for which the PII will be processed.

A7.2.2  [Identify lawful basis]  Compliance: Y/N
The organization shall determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

A7.2.3  [Determine when and how consent is to be obtained]  Compliance: Y/N
The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.

A7.2.4  [Obtain and record consent]  Compliance: Y/N
The organization shall obtain and record consent from PII principals according to the documented processes.

A7.2.5  [Privacy impact assessment]  Compliance: Y/N
The organization shall assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of PII is planned.

A7.2.6  [Contracts with PII processors]  Compliance: Y/N
The organization shall have a written contract with any PII processor that it uses, and shall ensure that their contracts with PII processors address the implementation of the appropriate controls in Annex B.

A7.2.7  [Joint PII controller]  Compliance: Y/N
The organization shall determine respective roles and responsibilities for the processing of PII (including PII protection and security requirements) with any joint PII controller.

A7.2.8  [Records related to processing PII]  Compliance: Y/N
The organization shall determine and securely maintain the necessary records in support of its obligations for the processing of PII.

A way to maintain records of the processing of PII is to have an inventory or list


of the PII processing activities that the organization performs. Such an inventory
can include:

Created by Dilraj S Sagoo - exelar Ltd Page 12 of 16


Draft 0.1
— the type of processing;
— the purposes for the processing;
— a description of the categories of PII and PII principals (e.g. children);
— the categories of recipients to whom PII has been or will be disclosed,
including recipients in third countries or international organizations;
— a general description of the technical and organizational security measures;
and
— a Privacy Impact Assessment report. Such an inventory should have an owner
who is responsible for its accuracy and completeness.
A7.3.1  Determining and fulfilling obligations to PII principals  Y/N
    The organization shall determine and document their legal, regulatory and business obligations to PII principals related to the processing of their PII and provide the means to meet these obligations.
A7.3.2  Determining information for PII principals  Y/N
    The organization shall determine and document the information to be provided to PII principals regarding the processing of their PII and the timing of such a provision.
A7.3.3  Providing information to PII principals  Y/N
    The organization shall provide PII principals with clear and easily accessible information identifying the PII controller and describing the processing of their PII.
A7.3.4  Providing mechanism to modify or withdraw consent  Y/N
    The organization shall provide a mechanism for PII principals to modify or withdraw their consent.
A7.3.5  Providing mechanism to object to PII processing  Y/N
    The organization shall provide a mechanism for PII principals to object to the processing of their PII.
A7.3.6  Access, correction and/or erasure  Y/N
    The organization shall implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.
A7.3.7  PII controllers' obligations to inform third parties  Y/N
    The organization shall inform third parties with whom PII has been shared of any modification, withdrawal or objections pertaining to the shared PII, and implement appropriate policies, procedures and/or mechanisms to do so.
A7.3.8  Providing copy of PII processed  Y/N
    The organization shall be able to provide a copy of the PII that is processed when requested by the PII principal.
A7.3.9  Handling requests  Y/N
    The organization shall define and document policies and procedures for handling and responding to legitimate requests from PII principals.
A7.3.10  Automated decision making  Y/N
    The organization shall identify and address obligations, including legal obligations, to the PII principals resulting from decisions made by the organization which are related to the PII principal based solely on automated processing of PII.
A7.4.1  Limit collection  Y/N
    The organization shall limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.
A7.4.2  Limit processing  Y/N
    The organization shall limit the processing of PII to that which is adequate, relevant and necessary for the identified purposes.
A7.4.3  Accuracy and quality  Y/N
    The organization shall ensure and document that PII is as accurate, complete and up-to-date as is necessary for the purposes for which it is processed, throughout the life-cycle of the PII.
A7.4.4  PII minimization objectives  Y/N
    The organization shall define and document data minimization objectives and what mechanisms (such as de-identification) are used to meet those objectives.
A7.4.5  PII de-identification and deletion at the end of processing  Y/N
    The organization shall either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).
A7.4.6  Temporary files  Y/N
    The organization shall ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period.
A7.4.7  Retention  Y/N
    The organization shall not retain PII for longer than is necessary for the purposes for which the PII is processed.
A7.4.8  Disposal  Y/N
    The organization shall have documented policies, procedures and/or mechanisms for the disposal of PII.
A7.4.9  PII transmission controls  Y/N
    The organization shall subject PII transmitted (e.g. sent to another organization) over a data transmission network to appropriate controls designed to ensure that the data reaches its intended destination.
A7.5.1  Identify basis for PII transfer between jurisdictions  Y/N
    The organization shall identify and document the relevant basis for transfers of PII between jurisdictions.
A7.5.2  Countries and international organizations to which PII can be transferred  Y/N
    The organization shall specify and document the countries and international organizations to which PII can possibly be transferred.
A7.5.3  Records of transfer of PII  Y/N
    The organization shall record transfers of PII to or from third parties and ensure cooperation with those parties to support future requests related to obligations to the PII principals.
A7.5.4  Records of PII disclosure to third parties  Y/N
    The organization shall record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.
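As an added example (not part of the checklist or of the ISO 27701 text), the Python below models the processing inventory described under A7.2.8, with its owner and listed fields, and reports entries that lack a field or a lawful basis (A7.2.2) as well as entries whose documented retention end has passed and that must therefore be deleted or de-identified (A7.4.5, A7.4.7). The field names, the review date and the two sample activities are this example's own constructions.

```python
# Added example; field names and sample data are this example's own, not the checklist's.
from dataclasses import dataclass
from datetime import date

# Fields the A7.2.8 guidance lists for each inventory entry, plus its owner.
A7_2_8_FIELDS = ("owner", "processing_type", "purposes", "pii_categories",
                 "principal_categories", "recipients", "security_measures", "pia_report")

@dataclass
class ProcessingActivity:
    name: str
    owner: str                   # responsible for accuracy and completeness
    processing_type: str
    purposes: tuple              # documented purposes (A7.2.1)
    lawful_basis: str            # documented lawful basis (A7.2.2)
    pii_categories: tuple
    principal_categories: tuple  # e.g. "children"
    recipients: tuple            # incl. third countries / international organizations
    security_measures: str       # technical and organizational measures
    pia_report: str              # reference to the PIA report
    retain_until: date           # documented end of necessity (A7.4.7)

def inventory_gaps(a):
    """Names of the A7.2.8 fields, and the lawful basis, that were left empty."""
    gaps = [f for f in A7_2_8_FIELDS if not getattr(a, f)]
    return gaps + (["lawful_basis"] if not a.lawful_basis else [])

def retention_due(a, today):
    """True once the documented retention end has passed: delete or de-identify (A7.4.5)."""
    return today > a.retain_until

def audit(inventory, today):
    """Map each activity name to its findings; an empty list means no finding."""
    return {a.name: ["missing: " + g for g in inventory_gaps(a)]
            + (["retention ended: delete or de-identify"]
               if retention_due(a, today) else [])
            for a in inventory}

REVIEW_DATE = date(2020, 1, 1)  # constructed audit date
SAMPLE = [  # constructed inventory of two hypothetical activities
    ProcessingActivity("payroll", "HR lead", "storage and transmission",
                       ("salary payment",), "contract", ("bank details",),
                       ("employees",), ("payroll provider",),
                       "encryption at rest, role-based access", "PIA-001", date(2030, 12, 31)),
    ProcessingActivity("old-survey", "", "analysis", ("service feedback",),
                       "consent", ("e-mail address",), ("customers",), (),
                       "access-controlled file share", "", date(2019, 6, 30)),
]
```

Running `audit(SAMPLE, REVIEW_DATE)` reports no finding for "payroll" and, for "old-survey", the missing owner, recipients and PIA report plus the ended retention.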

PIMS-specific reference control objectives and controls (PII Processors) – Annex B
Processor (receives data on behalf of another party, processes it, and returns it)
B8.2.1  Customer agreement  Y/N
    The organization shall ensure, where relevant, that the contract to process PII addresses the organization's role in providing assistance with the customer's obligations (taking into account the nature of processing and the information available to the organization).
B8.2.2  Organisational purpose  Y/N
    The organization shall ensure that PII processed on behalf of a customer are only processed for the purposes expressed in the documented instructions of the customer.
B8.2.3  Marketing and advertising use  Y/N
    The organization shall not use PII processed under a contract for the purposes of marketing and advertising without establishing that prior consent was obtained from the appropriate PII principal. The organization shall not make providing such consent a condition for receiving the service.
B8.2.4  Infringing instruction  Y/N
    The organization shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation and/or regulation.
B8.2.5  Customer obligations  Y/N
    The organization shall provide the customer with the appropriate information such that the customer can demonstrate compliance with their obligations.
B8.2.6  Records related to processing PII  Y/N
    The organization shall determine and maintain the necessary records in support of demonstrating compliance with its obligations (as specified in the applicable contract) for the processing of PII carried out on behalf of a customer.
B8.3.1  Obligations to PII principals  Y/N
    The organization shall provide the customer with the means to comply with its obligations related to PII principals.
B8.4.1  Temporary files  Y/N
    The organization shall ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period.
B8.4.2  Return, transfer or disposal of PII  Y/N
    The organization shall provide the ability to return, transfer and/or dispose of PII in a secure manner. It shall also make its policy available to the customer.
B8.4.3  PII transmission controls  Y/N
    The organization shall subject PII transmitted over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination.
B8.5.1  Basis for PII transfer between jurisdictions  Y/N
    The organization shall inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer has the ability to object to such changes or to terminate the contract.
B8.5.2  Countries and international organizations to which PII can be transferred  Y/N
    The organization shall specify and document the countries and international organizations to which PII can possibly be transferred.
B8.5.3  Records of PII disclosure to third parties  Y/N
    The organization shall record disclosures of PII to third parties, including what PII has been disclosed, to whom and when.
B8.5.4  Notification of PII disclosure request  Y/N
    The organization shall notify the customer of any legally binding requests for disclosure of PII.
B8.5.5  Legally binding PII disclosures  Y/N
    The organization shall reject any requests for PII disclosures that are not legally binding, consult the corresponding customer before making any PII disclosures and accepting any contractually agreed requests for PII disclosures that are authorized by the corresponding customer.
B8.5.6  Disclosure of subcontractors used to process PII  Y/N
    The organization shall disclose any use of subcontractors to process PII to the customer before use.
B8.5.7  Engagement of a subcontractor to process PII  Y/N
    The organization shall only engage a subcontractor to process PII according to the customer contract.
B8.5.8  Change of subcontractor to process PII  Y/N
    The organization shall, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PII, thereby giving the customer the opportunity to object to such changes.

Final Compliance Statement:
