ISO 27701 - The Path To Privacy Program Certification Part 1

The document provides an overview of the ISO 27701 framework, focusing on privacy management systems (PIMS) for organizations handling Personally Identifiable Information (PII). It outlines essential elements for certification, including governance, risk assessment, and privacy controls for both controllers and processors. Additionally, the document emphasizes the importance of mapping to other frameworks such as GDPR and ISO 27001 to ensure comprehensive compliance and effective implementation.


ISO 27701: The Path to Privacy Program Certification
Understanding the ISO 27701 Framework, Part 1
risk3sixty | Security | Privacy | Compliance

Agenda
01 Background and History
An Overview of ISO 27701 Framework Elements
ISO 27701 Clause 5 (The PIMS)
ISO 27701 Clauses 6-8 (Considerations for Security Controls)

This document has been downloaded from www.ministryofsecurity.co
Follow ministryofsecurity for more such infosec content.
… organizations that are “controllers” of Personally Identifiable Information (PII).¹

Clause 8: ISO 27002 Guidance for PII Processors (Privacy Control Considerations for Processors) – Clause 8 further expands on privacy-specific guidance to organizations that are “processors” of Personally Identifiable Information (PII).¹

Annex A – Privacy Controls for PII Controllers – Annex A provides a list of privacy-specific controls for PII Controllers. Annex A is “normative” and considered mandatory for certification.

Annex B – Privacy Controls for PII Processors – Annex B provides a list of privacy-specific controls for PII Processors. Annex B is “normative” and considered mandatory for certification.

Annex C – Mapping to ISO 29100 – Annex C provides a mapping to ISO 29100. ISO 29100 is another ISO framework that addresses privacy in the context of information technology and security. Annex C is “informative” only and not mandatory to achieve certification.

Annex D – Mapping to GDPR – Annex D provides a mapping to the General Data Protection Regulation. This section is very helpful if you are leveraging ISO 27701 to communicate your GDPR compliance posture. Annex D is “informative” only and not mandatory to achieve certification.

Annex E – Mapping to ISO 27018 and ISO 29151 – Annex E provides a mapping to ISO 27018 and ISO 29151. ISO 27018 addresses cloud privacy and ISO 29151 addresses a code of security practices for protecting PII.
ISO 27701 Framework Elements
• Clause 5 – Privacy Information Security Management System (PIMS)
• Clauses 6-8 – Privacy Considerations Related to Security Controls
• Annex A and B – Required Privacy Controls
• Annex C, D, E, and F – Mapping to Other Frameworks (Including GDPR) and Helpful Information

PIMS: Clause 5 Essential Elements
• Governance (Clauses 5.2, 5.3): Leadership, Roles, Policies, Procedures, People
• Risk Assessment (Clauses 5.4 and 5.6): Provides context, drives decision making, drives planning
• Strategic Planning (Clauses 5.4, 5.5, 5.6): Plan for Information Security, Key Performance Indicators, Communication Plans
• Internal Audit/Performance Monitoring (Clauses 5.7 and 5.8): Management Visibility, Drives Continuous Improvement
¹ Article 4 of GDPR defines data controllers and data processors as below:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
As a philosophical point, ISO 27701 establishes a system of management (hence the term Privacy Information Security Management System, or PIMS) that empowers management to establish, implement, govern, and continuously improve the privacy environment. This, in short, is the PIMS.

There are many elements of a functional PIMS that must be implemented in order to satisfy ISO 27701 certification requirements. These requirements are outlined in Clause 5 of ISO 27701 and map directly to Clauses 4-10 of ISO 27001.

For those unfamiliar with ISO 27701/ISO 27001, reading through these clauses for the first time and trying to understand the scope of what needs to be done to implement a PIMS can be daunting and confusing. Thus, it is helpful to think about these requirements as falling into one of four categories: Governance, Risk Management, Strategic Planning, and Performance Monitoring.

1) Governance
Governance includes establishing leadership and ownership of security, defining roles on the organizational chart, authoring and implementing policies and procedures related to privacy, and ensuring appropriate resources are available to support the security program.

Requirements | ISO 27701 Clause | ISO 27001 Clause
Context | 5.2 | 4
Leadership | 5.3 | 5

2) Risk Assessment/Risk Management
Risk management is an essential element of establishing a process to identify, analyze, and treat risks. A risk management program should grant authorization and authority to those individuals responsible for information security (often called the information risk council, or similar). A formalized risk assessment is the process which helps leadership identify key risks, prioritize resources and controls, and align the security program with business objectives. As related to privacy, the risk assessment should consider privacy topics, including the introduction of the Privacy Impact Assessment.

Requirements | ISO 27701 Clause | ISO 27001 Clause
Planning | 5.4 (5.4.1) | 6
Operation | 5.6 (5.6.2, 5.6.3) | 8

3) Strategic Planning

Requirements | ISO 27701 Clause | ISO 27001 Clause
Planning | 5.4 (5.4.2) | 6 (6.2)
Resources | 5.5 | 7
Operation | 5.6 (5.6.2, 5.6.3) | 8

4) Performance Monitoring

Requirements | ISO 27701 Clause | ISO 27001 Clause
Performance Evaluation | 5.7 (5.7.2) | 9 (9.2)
Improvement | 5.8 | 10

ISO 27701 Document Checklist | PIMS (Clause 5)
+ PIMS Document – This document contains the context, requirements, and scope of the organization’s PIMS and aligns with Clause 5.
+ Privacy Risk Assessment – This defines how you will identify, measure, and treat privacy-related risks. It may also be your Privacy Impact Assessment (PIA).
+ Statement of Applicability (SoA) – Identifies the security controls to be included in the PIMS, justifies the choice of included controls and whether they are implemented or not, and justifies the controls excluded from Clauses 6-8.
+ Risk Management Charter – Establishes the information risk council and grants this office the authority and responsibility to measure and treat identified risks.
+ Risk Management Policy – Policy that outlines management expectations related to risk management and the risk assessment process.
+ Risk Assessment Report – Report outlining the results of the risk assessment.
+ Risk Register – Formal log of identified risks.
+ Program Roadmap – Project plan outlining what you are going to do, when you plan to do it, and who will execute.
+ Privacy Program Resource Plan – The resource plan should include budget for personnel, toolsets, implementations, etc.
+ Key Performance Indicators (KPIs) – Defined measurables tied to program success indicators.
+ Communication Plan – Plan to communicate with key stakeholders, including status and meeting cadences.
+ Internal Audit Policy – Policy that defines the roles, responsibilities, authority, and process that govern internal audit. The policy should define auditor qualifications and methodology.
+ Internal Audit Plan – The internal audit plan should be a 3-year plan (in alignment with the 3-year ISO 27001/ISO 27701 certification). The plan must be “risk based” and include the entirety of the PIMS scope.
+ Internal Audit Report – Results of the annual internal audit, in line with the Internal Audit Plan.
+ Management Action Plans – Management commitments as a result of any internal audit findings.

Clause 6 – Privacy Considerations Related to Security Controls

Clause 6 outlines the privacy considerations for the 14 categories, 35 control objectives and 114 controls referenced in ISO 27002. The updates in this section are largely additional considerations relevant to privacy that expand on ISO 27002’s implementation guidance and that should be considered during implementation of the referenced security controls.

Reference Appendix I: We have created a detailed mapping of ISO 27701 privacy requirements to ISO 27001 security controls with risk3sixty commentary to help interpret these considerations.

Clauses 7 and 8 – Privacy Considerations for Controllers and Processors Relevant to Security Controls

Clauses 7 and 8 outline the privacy considerations for the 14 categories, 35 control objectives and 114 controls referenced in ISO 27002 relevant to controllers (Clause 7) and processors (Clause 8). To determine which (or both) of these clauses are relevant to your organization, your company will need to determine if it is a controller, processor, or both.¹ Based on your firm’s controller vs. processor determination you should consider the implementation guidance for the relevant clause.

Reference Appendix I: Mapping and Commentary on ISO 27701 and GDPR Guidelines. We have created a detailed mapping of ISO 27701 privacy requirements to GDPR with risk3sixty commentary to help interpret these considerations.

Annex A and B: Privacy Controls

Annex A and B outline the unique privacy controls that may be relevant to controllers (Annex A) and processors (Annex B). Similar to Clauses 7 and 8, to determine which (or both) of these sections are relevant to your organization, your company will need to determine if it is a controller, processor, or both.¹ Based on your firm’s controller vs. processor determination you should consider the implementation guidance for the relevant Annex.

It is important that your organization document this determination and be prepared to present your rationale to the certification body and any other relevant stakeholders (typically during the risk assessment process).

Annex A consists of 4 categories and 32 control points. Annex B consists of 4 categories and 18 control points. You can reference the ISO 27701 standard, pages 49-55, for these controls.
The Certification Process

If you are considering ISO 27001/ISO 27701 certification and would like assistance with guided implementation and certification, risk3sixty can help. Following risk3sixty’s guided implementation process, our clients have a 100% ISO 27001/ISO 27701 certification success rate. We can assist with every step of the project, from complete implementation and auditor selection to working directly with the auditor during the certification process.

• 100% Certification Success Rate
• 100% three-year client retention
• Our clients consistently report 50% faster implementation
• Supported by a complete team of security and compliance experts

Leveraging our audit workflow platform Phalanx, we save our clients an average of 50% over attempting to implement

Let’s Get Started

Contact a Professional
Christian Hyatt, Managing Director
CISA | CISM | ISO 27001 Lead Auditor | PCI QSA
Christian.Hyatt@risk3sixt

Manage Security and Compliance in One Platform

From vulnerability scanning to policy curation, team collaboration, audits, and assessments – manage your entire security and compliance program in a single platform.

• Simple and Fast Implementation
• One-Click Compliance Reporting
• Quickly Assess Risk with Asset Labeling
• Complete Team Collaboration
• Project Management to Vulnerability Closure
• Automated Scan and Rescan to Validate Issue Closure
• Management-Level KPIs and Progress Reporting
• Customized Workflow
• ISO 27001, SOC 2, GDPR, PCI DSS, and more!
Appendix I: Mapping and Commentary on ISO 27701, ISO 27001 Control Guidelines, and GDPR

Columns: ISO 27701 Guidance | ISO 27001 Clause Mapping | Risk3sixty Commentary

5.1 | ISO 27001: n/a
  • All references in ISO 27001 to “information security” should be considered references to “information security and privacy”
  • Note: This applies even to ISO 27001 and ISO 27002 sections without a privacy-specific interpretation
  Commentary: The scope of the PIMS may differ from the scope of the existing ISMS, and should be re-evaluated during implementation of ISO 27701.

5.2.1 | ISO 27001: 4.1
  • An organization must determine its role as a controller, processor, or both
  • Separate controls should be applied to the organization when acting as a controller and the organization when acting as a processor
  Commentary: Controller and processor are never explicitly defined within ISO 27701. We recommend applying the same definitions of these terms as under GDPR Article 4.

5.2.2 | ISO 27001: 4.2
  • Interested parties with respect to processing of PII may include PII principals (data subjects) as well as supervisory authorities, customers, or other controllers or subprocessors
  Commentary: Interested parties should be re-evaluated.

5.2.3, 5.2.4 | ISO 27001: 4.3, 4.4
  • The organization shall establish a PIMS and the scope shall take into account the processing of PII
  Commentary: The PIMS will incorporate the organization’s ISMS and additional privacy scope and guidance as defined in ISO 27701.

5.3, 5.4.1.1 | ISO 27001: 5, 6.1.1
  • No additional guidance except for the expanded definition of “information security”
  Commentary: n/a

5.4.1.2 | ISO 27001: 6.1.2
  • The risk assessment shall include the scope of the PIMS and include risks related to processing of PII
  • The risk assessment shall take into account the risks to PII principals if an identified risk materialized (i.e., risks to the rights and freedoms of individual data subjects)
  Commentary: Companies may leverage their PIA process as the privacy portion of their risk assessment.

5.4.1.3 | ISO 27001: 6.1.3
  • The Statement of Applicability shall take into account controls included in Annexes A and B of ISO 27701
  • The inclusion of controls in the Statement of Applicability should take into account risks to PII principals and risks to information security
  Commentary: The Statement of Applicability will need to address the ISO 27701 controls.

5.5, 5.6, 5.7, 5.8 | ISO 27001: 7, 8, 9, 10
  • No additional guidance except for the expanded definition of “information security”
  Commentary: Each clause should be re-evaluated in light of the revised scope of the PIMS.

6.1 | ISO 27001: n/a
  • All references in ISO 27002 to “information security” should be considered references to “information security and privacy”
  • All control objectives and controls should be considered in the context of risks to information security as well as risks to privacy related to processing of PII
  • All controls in ISO 27701 apply to both PII controllers and processors
  Commentary: n/a

6.2.1.1 | ISO 27001: 5.1.1
  • The organization should include in its policies a statement concerning commitment to achieving compliance with contractual terms related to PII processing as well as PII protection legislation
  Commentary: n/a

6.3.1.1 | ISO 27001: 6.1.1
  • The organization must designate a point of contact for the processing of PII
  • The organization must appoint one or more persons to be responsible for governance of its privacy program
  Commentary: ISO 27701 uses language from GDPR Articles 37-39, with slight modifications, to mirror the GDPR Data Protection Officer (DPO) requirement.

6.3.2.1 | ISO 27001: 6.2.1
  • The use of mobile devices must not lead to a compromise of PII
  Commentary: Consider enforcement of an MDM solution across the expanded scope of the PIMS.

6.4.2.2 | ISO 27001: 7.2.2
  • Relevant staff should be trained regarding the impact of an incident on the organization, the staff person, and the PII principal of breaching privacy and security procedures
  • Awareness of incident reporting mechanisms is also emphasized
  Commentary: Organizations should review their training curriculums to ensure that privacy is adequately addressed.

6.5.2.1 | ISO 27001: 8.2.1
  • The organization’s information classification scheme should specifically address PII
  Commentary: Organizations should perform a data inventory to ensure PII is captured in the classification scheme.
6.5.2.2 | ISO 27001: 8.2.2
  • Employees and contractors should be made aware of the definition of PII and how to recognize PII
  Commentary: Training and guidance should be made available to employees within the scope of the PIMS.

6.5.3.1 | ISO 27001: 8.3.1
  • The use of removable media to store PII should be documented
  • Removable media storing PII should be encrypted whenever feasible
  • Compensating controls should be put in place to protect unencrypted media storing PII
  Commentary: ISO 27701, unlike ISO 27002, explicitly requires encryption of removable media unless non-encryption is unavoidable.

6.5.3.2 | ISO 27001: 8.3.2
  • Clarifies that destruction procedures for removable media storing PII should ensure that previously stored PII is no longer accessible
  Commentary: The control should be met once data classification (see 6.5.2.1) is updated.

6.5.3.3 | ISO 27001: 8.3.3
  • Transfer of media containing PII should be recorded, including the type of media, authorized recipients, and number of physical media transferred
  • Media should be subject to an “authorization procedure” and should not be accessible to anyone other than authorized personnel (i.e., appropriately encrypted)
  Commentary: ISO 27701 requires greater detail to be recorded where media is transferred, and again emphasizes requirements for media encryption.

6.6.2.1 | ISO 27001: 9.2.1
  • Access Control Policies and Procedures should address the compromise of passwords or registration data
  • Customer responsibilities for access management should be specifically documented
  • De-activated or expired user IDs should not be reissued
  • Organizations should take into account regulatory requirements to review and remove unused accounts
  Commentary: These requirements may fall outside existing compliance requirements. Companies should review Access Control Policies and Procedures to verify that the required elements are documented.

6.6.2.2 | ISO 27001: 9.2.2
  • Companies should maintain an up-to-date user list for systems containing PII
  • Customers should be provided the means to manage user access when possible
  Commentary: Companies should avoid situations where they are responsible for ongoing management of client users.

6.6.4.2 | ISO 27001: 9.4.2
  • Customer accounts should require a secure log-on procedure where possible
  Commentary: Companies should implement secure capabilities such as multifactor authentication for customer log-on.
6.7.1.1 | ISO 27001: 10.1.1
  • Organizations should be aware of jurisdiction-specific requirements for cryptographic controls on various types of PII
  • The customer should be made aware of the cryptographic controls in use and any capabilities that the customer can use to enhance its cryptographic protections
  Commentary: Cloud processing platforms should clearly define the division of responsibilities for applying cryptographic controls to protect PII.

6.8.2.7 | ISO 27001: 11.2.7
  • If storage space is re-used, PII previously residing on that space should not be accessible
  • If explicit erasure is impractical, technical measures should be put in place to restrict access to the erased data
  Commentary: Organizations should address this requirement on an as-needed basis.

6.8.2.9 | ISO 27001: 11.2.9
  • Printing of material containing PII should be restricted to the minimum needed to fulfil the purpose of processing
  Commentary: Technical solutions (i.e., DLP) may be necessary to restrict printing of materials containing PII.

6.9.3.1 | ISO 27001: 12.3.1
  • Backup policies should specifically address PII and requirements for erasure of PII in backups
  • Customers should be informed of their responsibilities with respect to backups and the capabilities provided by the organization
  • PII restoration efforts (from backups) should ensure data integrity and should be systematically logged
  Commentary: Backup policies should be reviewed to ensure that PII erasure and restoration are properly addressed.

6.9.4.1 | ISO 27001: 12.4.1
  • Event logs should be reviewed through continuous, automated monitoring and alerting
  • Event logs should record access to PII, including by whom, when, records accessed, and any changes made
  • Roles and responsibilities should be defined between all involved service providers
  • PII processors should define how log information will be made available to customers, and implement controls to ensure customers can only access their own logs and cannot amend logs
  Commentary: ISO 27701 specifies that monitoring should be automated (i.e., through a SIEM) whenever possible.

6.9.4.2 | ISO 27001: 12.4.2
  • Log information containing PII should be protected to ensure it is only used as intended
  • Procedures should be developed to delete or de-identify logged PII according to the organization’s retention schedule
  Commentary: Data retention policies should be updated to address deletion of log data. Technical solutions should be used to systematically delete or de-identify PII stored in logs.
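The logging requirements in 6.9.4.1 (record who accessed which PII records, when, and what changed; let customers see only their own logs and never amend them) and the retention requirement in 6.9.4.2 (delete or de-identify logged PII on schedule) can be exercised in code. The following Python sketch is an added example, not part of the risk3sixty document; the record layout, function names, tenant identifiers, key and log entries are all constructed assumptions. It keeps the event itself (actor, time, record ids, action) intact while replacing the data subject's PII with an HMAC pseudonym once an entry is older than the retention period, so the audit trail survives the de-identification.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PiiAccessEvent:
    """One log entry with the fields 6.9.4.1 asks for: who, when, which records, what changed."""
    timestamp: datetime
    tenant_id: str                 # customer whose data was touched (scopes customer log access)
    actor: str                     # user or service identity that performed the access
    action: str                    # "read", "update", "delete", "export"
    record_ids: Tuple[str, ...]    # PII records accessed
    changes: Dict[str, str]        # field-level changes; empty for reads
    subject_email: str             # PII of the data subject carried into the log entry


def record_access(log: List[PiiAccessEvent], event: PiiAccessEvent) -> None:
    """Append-only write path: entries are added, never edited in place."""
    log.append(event)


def tenant_view(log: List[PiiAccessEvent], tenant_id: str) -> Tuple[PiiAccessEvent, ...]:
    """Read-only view for one customer: only its own entries, returned as an immutable tuple
    of frozen records, so the customer can neither see other tenants' logs nor amend its own."""
    return tuple(e for e in log if e.tenant_id == tenant_id)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) replaces the PII while keeping entries correlatable;
    without the key the original value cannot be recovered from the log."""
    return "pseud:" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_retention(log: List[PiiAccessEvent], now: datetime,
                    retention: timedelta, key: bytes) -> List[PiiAccessEvent]:
    """6.9.4.2: de-identify PII in entries older than the retention period. The event
    (who, when, which record ids, action) is kept so the audit trail stays complete."""
    cutoff = now - retention
    out: List[PiiAccessEvent] = []
    for e in log:
        if e.timestamp < cutoff:
            e = replace(
                e,
                subject_email=pseudonymize(e.subject_email, key),
                changes={field: "<redacted>" for field in e.changes},
            )
        out.append(e)
    return out


# Constructed sample data (not from any real system); the key is an example value only.
SAMPLE_KEY = b"constructed-example-key"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_sample_log(now: datetime = NOW) -> List[PiiAccessEvent]:
    """Three constructed entries: an old update and a recent read for tenant 'acme',
    and a recent export for tenant 'globex'."""
    log: List[PiiAccessEvent] = []
    record_access(log, PiiAccessEvent(now - timedelta(days=400), "acme", "svc-billing",
                                      "update", ("cust-1001",), {"address": "new street"},
                                      "alice@example.com"))
    record_access(log, PiiAccessEvent(now - timedelta(days=2), "acme", "jdoe",
                                      "read", ("cust-1001", "cust-1002"), {},
                                      "alice@example.com"))
    record_access(log, PiiAccessEvent(now - timedelta(days=1), "globex", "svc-support",
                                      "export", ("cust-2001",), {},
                                      "bob@example.org"))
    return log


def retained_summary(retention_days: int = 365) -> Dict[str, int]:
    """Run the retention pass over the sample log and count what it changed."""
    log = apply_retention(build_sample_log(), NOW, timedelta(days=retention_days), SAMPLE_KEY)
    return {
        "total": len(log),
        "pseudonymized": sum(e.subject_email.startswith("pseud:") for e in log),
        "redacted_fields": sum(1 for e in log for v in e.changes.values() if v == "<redacted>"),
        "acme_visible": len(tenant_view(log, "acme")),
    }


if __name__ == "__main__":
    print(retained_summary())
```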
6.10.2.1 | ISO 27001: 13.2.1
  • Information transfer policies and procedures should reflect rules related to the processing of PII and be enforced throughout and outside of the system
  Commentary: Policies and procedures should be reviewed to ensure the protection of PII.

6.10.2.4 | ISO 27001: 13.2.4
  • Individuals with access to PII should be subject to a confidentiality agreement which specifies the length of time confidentiality obligations must be adhered to
  • PII processors should ensure employees and agents comply with policies and procedures concerning data handling and protection
  Commentary: Maps closely to the GDPR Article 28(3)(b) requirement for employees processing PII to be subject to a confidentiality agreement, and Article 28(3)(a) requiring processing to be performed only based on controller instructions.

6.11.1.2 | ISO 27001: 14.1.2
  • PII transmitted over untrusted networks must be encrypted in transit
  Commentary: Systematic enforcement such as DLP may be required, depending on organizational circumstances.

6.11.2.1 | ISO 27001: 14.2.1
  • SDLC policies should include consideration of the organization’s processing of PII, including obligations to PII principals and regulatory requirements
  Commentary: Incorporates the GDPR principle of Privacy by Design.

6.11.2.5 | ISO 27001: 14.2.5
  • Systems should be designed to facilitate the implementation of relevant PII controls under Clauses 7 and 8 of ISO 27701, as applicable
  Commentary: Incorporates the GDPR principles of Privacy by Design and Privacy by Default.

6.11.2.7 | ISO 27001: 14.2.7
  • Privacy by design and by default should be applied to outsourced systems
  Commentary: Incorporates the GDPR principles of Privacy by Design and Privacy by Default.

6.11.3.1 | ISO 27001: 14.3.1
  • Specifically states that PII should not be used in test environments. If PII must be used, it should be secured by the same measures as production systems. If PII cannot be adequately protected, mitigating controls should be developed based on a risk assessment.
  Commentary: ISO 27701 extends beyond existing ISO 27002 guidance by explicitly prohibiting the use of PII in test environments.

6.12.1.2 | ISO 27001: 15.1.2
  • Defines security requirements for suppliers (i.e., subprocessors) by reference to ISO 27701 Annex B
  • Responsibilities should be contractually allocated between the various parties
  • Supplier compliance should be monitored, including periodic supplier audits
  • Supplier agreements should require that suppliers will only process PII on the organization’s instructions
  Commentary: This is one of the most significant developments of ISO 27701. Vendor standards are now defined in Annex B. In addition, the GDPR Article 28(3)(h) requirement is expanded to require independent audits (security certifications may be accepted instead).

6.13.1.1 | ISO 27001: 16.1.1
  • Incident response procedures should be established specific to breaches of PII
  • Notification requirements with respect to a PII breach, including timing requirements, should be documented based on regulatory requirements
  Commentary: No specific breach notification requirements exist for ISO; however, notification requirements under contracts, GDPR, and other regulatory requirements should be formally documented.

6.13.1.5 | ISO 27001: 16.1.5
  • Incidents involving PII should be reviewed to determine whether a breach has occurred
  • Notification requirements should be defined
  • Records of PII breaches should be retained
  • PII processors should determine by contract their required response times
  Commentary: Note the expanded documentation requirements and that policies should address notification requirements and response times.

6.15.1.1 | ISO 27001: 18.1.1
  • The inventory of legal and contractual requirements should include potential legal sanctions, including fines
  Commentary: Legal and contractual requirements should be reviewed, including consideration of fines for PII breaches.

6.15.1.3 | ISO 27001: 18.1.3
  • Previous versions of policies should be retained according to the entity’s retention schedules
  Commentary: Retention periods should take into consideration potential customer disputes or regulatory investigations.

6.15.2.1 | ISO 27001: 18.2.1
  • PII processors should make independent audits of information security available to customers, if individual audits are not practical
  Commentary: Organizations should consider the proper independent audit that will address the scope of PII processing.

6.15.2.3 | ISO 27001: 18.2.3
  • Defines methods for PII compliance reviews, including:
    - Verifying that only permitted processing is taking place
    - Targeted penetration testing
  Commentary: ISO 27701 will require organizations to implement additional risk-based reviews related to privacy.
Columns: ISO 27701 Guidance | GDPR Clause Mapping | Risk3sixty Commentary

7.2.1 | GDPR: 5(1)(b), 13(1)(c)
  • The organization should determine and document its purposes for PII processing
  • PII principals should be made aware of the purpose for which their PII is processed
  Commentary: ISO 27701 controls map directly to GDPR requirements.

7.2.2 | GDPR: 5(1)(a), 6(1), 8, 9, 13(3)
  • The organization should determine and document its lawful basis for PII processing
  • Where special categories of PII are involved, these should be specifically documented in data classification schemes
  • Consent may need to be obtained if the purposes of PII processing are changed
  Commentary: Lawful bases defined in ISO 27701 are the same as the GDPR Article 6 lawful bases. The requirements of ISO 27701 generally conform to existing GDPR obligations.

7.2.3 | GDPR: 7(1), 7(2), 8
  • The organization should be able to demonstrate that consent was received from PII principals, where consent is required for processing
  • Jurisdictional requirements for consent should be considered, including separation from other agreements as well as requirements related to research or data related to children
  Commentary: ISO 27701 controls map directly to GDPR requirements.

7.2.4 | GDPR: Recital 32, 4(11), 7(1), 13
  • Records of consent should include relevant detail (statement agreed to, time provided)
  • An appropriate privacy policy should be presented before the collection of consent (see 7.3.3)
  • Consent should be freely given, specific to the purpose of processing, and explicit
  Commentary: ISO 27701 controls map directly to GDPR requirements.

7.2.5 | GDPR: 35
  • Privacy impact assessments (PIAs) should be performed upon new processing of PII or changes to existing processing
  • The organization should determine the elements necessary for completion of a PIA
  Commentary: ISO 27701 controls map directly to GDPR requirements. A template should be developed to include all required elements.

7.2.6 | GDPR: 28
  • Contracts should be in place with all PII processors
  • Contracts should require implementation of ISO 27701 Annex B controls as determined by the scope of processing and the risk assessment
  • All Annex B controls should be considered relevant unless the organization specifically determines they are not
  Commentary: ISO 27701 controls map directly to GDPR requirements.

7.2.7 | GDPR: 26
  • Relative roles and responsibilities of joint controllers should be transparently determined
  Commentary: ISO 27701 controls map directly to GDPR requirements.

7.2.8 | GDPR: 30
  • Organizations should retain all records of PII processing under their control
  Commentary: ISO 27701 controls map directly to GDPR requirements.
7.3.1 | GDPR: 12, 13, 15-21
  • Organizations should define their obligations toward PII principals
  • Obligations should be included in a privacy policy and a point of contact should be designated
  • The contact method should be similar to the method used to obtain PII

7.3.2 | GDPR: 12, 13, 15-21
  • Information to be provided to PII principals should be defined, together with the required timing
  • Timing may be prior to processing (such as a privacy policy) or upon request (such as right to access)

7.3.3 | GDPR: 12, 13
  • Information should be provided to PII principals that identifies the PII controller and the processing taking place
  • Information should be transparent and easily accessible, using plain language
  • Information should be presented at the time of PII collection whenever possible

7.3.4 | GDPR: 7, 17(1)(b)
  • PII principals should be permitted to withdraw consent, where consent is the basis for processing. A mechanism for withdrawing consent should be developed which is consistent with the mechanism for granting consent
  • Consent withdrawals should be logged in a manner similar to granting of consent
  • Changes of consent should be communicated through systems and to third parties
  • A procedure, including response times, should be developed regarding withdrawals of consent

7.3.5 | GDPR: 12, 13, 21
  • PII principals should be permitted to object to processing
  • PII principals should be informed of this right
  • The reasons (legal or other) for objection to be recognized should be defined
  • The mechanism should be consistent with how the service is delivered (i.e., online for an online service)

7.3.6 | GDPR: 16, 17
  • PII principals should have the right to access, modify, or erase their PII
  • Procedures for granting this right should be defined, including response times and procedures for resolving disputes (i.e., with regard to data accuracy)
  • Corrections or erasures should be communicated throughout systems and to relevant third parties

7.3.7 | GDPR: 19
  • Policies and procedures should be established to ensure third parties accessing data are informed of modifications, withdrawals, or objections of PII or PII processing
  • The organization should monitor third party acknowledgements of receipt of such notifications

7.3.8 | GDPR: 15, 20
  • The organization should be able to provide PII principals a copy of the data being processed
  • The copy should be provided in a machine-readable format to facilitate portability. Where feasible, data may be required to be transferred directly to another controller
  • De-identified data should not be re-identified for purposes of fulfilling such a request. If data has been deleted, the PII principal should be notified

7.3.9 | GDPR: 15-22, 11
  • Policies and procedures should be defined for handling requests from PII principals, including
fees where legally permitted and response times.
 Response times should be defined in the
privacy policy

7.3.10  Responsibilities related to automated decision 21


making should be defined
 Jurisdictional obligations related to decisions
based on automated decision making should be
defined and addressed

7.4.1  PII collected should be relevant, proportional, 5(1)(c)


and necessary 25
 Indirect PII collection (such as logs) should be
limited
 Privacy by default should be implemented, such
as disabling options by default
7.4.2  Processing should be adequate, relevant and 5(1)(c)
necessary for the identified purposes 5(1)(e)
 Disclosure and retention of PII, and access to PII 32(2)
should be restricted by default to the minimum
necessary for the identified purposes
7.4.3  The organization should implement policies and 5(1)(d)
procedures to ensure data is accurate, complete,
and up-to-date during processing
7.4.4  Data minimization objectives and relevant 5(1)(c)
mechanisms should be defined 5(1)(e)
 A large focus is placed on de-identification 25(1)
(pseudonymization or anonymization) of data,
where appropriate
7.4.5  PII should be deleted or de-identified as soon as 5(1)(c)
no longer necessary for the identified purposes 5(1)(e)
11(1)

7.4.6  Temporary files created as a result of PII 5(1)(c)


processing should be disposed of according to 5(1)(e)
documented procedures within a defined period

7.4.7  PII should not be retained for longer than 5(1)(e)


necessary for the purposes for which the PII is
processed
 Retention schedules should be developed
based on legal, regulatory, and business
requirements. Conflicts between requirements
should be resolved based on a risk assessment

7.4.8  PII disposal procedures should be documented 5(1)(f)


32(2)

7.4.9  Appropriate controls should be put in place to 5(1)(f)


ensure PII transmissions reach their intended 32(1)(a)
destination 32(2)

7.5.1  The basis for PII transfers between jurisdictions 44


should be documented
7.5.2  The organization should document the 13(1)(f)
countries where PII may be transferred 15(2)
 The list of permitted countries should be made 30(1)(e)
available to PII principals
7.5.3  Third party transfers of PII should be recorded 13(1)(e)
30(1)(d)
30(1)(e)

7.5.4  Third party disclosures of PII should be recorded 30(1)(d)

8.2.1  Agreements with customers (PII controllers or 28(3)


other processors) should address the 33(2)
organization’s role in assisting the customer with
its obligations, such as implementing privacy by
design, securing data, notifying of breaches, and
conducting PIAs
8.2.2  The processor should only ensure that customer 5(1)(a)
PII is processed based on the controller’s 5(1)(b)
documented instructions 28(3)(a)
 Processors should allow customers to verify 29
they are complying with the customer’s specified 32(4)
purpose

8.2.3  A processor should not use PII for marketing 7(4)


and advertising without verifying consent has been
obtained
 Marketing and advertising use should not be a
condition of the processor’s service

8.2.4  The organization should inform the customer if 28(3)


it believes a processing instruction violates
applicable laws or regulations
8.2.5  The organization should provide the customer 28(3)
the necessary information so the customer can 33(2)
demonstrate compliance with its obligations
8.2.6  Relevant records should be retained for 30(2)
processing carried out on behalf of a customer
8.3.1  A processor should assist the customer in 17(2)
meeting its obligations to PII principals (i.e., data 28(3)(e)
subject requests)
8.4.1  Temporary files created as a result of PII 5(1)(c)
processing should be disposed of according to 5(1)(e)
documented procedures within a defined period
8.4.2  PII should be returned, transferred, or disposed 5(1)(e)
of securely 28(3)(g)
 The processor should develop and implement a
PII disposal policy and make it available to its
customer
 The processor should be able to demonstrate to
the customer that customer PII is erased once no
longer needed for the purposes of processing

8.4.3  Appropriate controls should be put in place to 5(1)(f)


ensure PII transmissions reach their intended 32(1)(a)
destination 32(2)

8.5.1  Customers should be informed of the basis for 28(2)


PII transfers between jurisdictions and permit the 44
customer to object to changes

8.5.2  The organization should document the 30(2)(c)


countries where PII may be transferred
 The list of permitted countries should be made
available to customers
8.5.3  Third party transfers of PII should be recorded 30(2)(c)

8.5.4  The organization should notify the customer of 28(3)(a)


any legally binding requests for PII disclosure
8.5.5  PII should not be disclosed if a request is not 48
legally binding
 All PII disclosures should be authorized by the
customer
8.5.6  The use of subcontractors should be disclosed 28(2)
to customers before use, including the permitted 28(4)
countries and the security requirements in place
8.5.7  Subcontractors processing PII must be under 28(2)
contract. The customer must authorize the use of 28(3)(d)
subcontractors 28(4)
 The contract should specify the security
controls the subcontractor will implement (by
reference to Annex B of ISO 27701)

8.5.8  Customers should be informed of any intended 28(2)


changes to subcontractors used, and given the
opportunity to object
Risk3sixty Commentary

The language used in ISO


27701 differs from GDPR, but
these descriptions correspond
to the data subject requests
under GDPR

ISO 27701 expands beyond


GDPR by clearly requiring
procedures to be developed
for responding to data subject
requests

Mirrors GDPR requirements


regarding a transparent
privacy policy

ISO 27701 expands beyond


GDPR by clearly requiring
procedures to be developed
for addressing consent
withdrawals

ISO 27701 controls map


directly to GDPR requirements
ISO 27701 expands on the
GDPR requirement by
requiring procedures to be
developed and addressing the
handling of disputes

ISO 27701 expands on the


GDPR requirement by
requiring procedures to be
developed and requiring
acknowledgements to be
tracked. Notably, ISO 27701
does not contain an exception
if notification involves
disproportionate effort
No specific requirements
added under ISO 27701

ISO 27701 contains a unique


requirement to define
response times and
communicate in the privacy
policy

ISO 27701 does not


specifically prohibit or restrict
automated decision making,
but companies subject to
GDPR will need to incorporate
their GDPR obligations into
their policies and procedures
Compared to GDPR, ISO
27701 more specifically
addresses data minimization
through limits of logs (for
example) and examples of
privacy by design
ISO 27701 provides further
clarification regarding the
implementation of privacy by
default principles

ISO 27701 controls map


directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements

Maps to GDPR principles, but


ISO 27701 specifically
references controls specific to
temporary files
ISO 27701 is more lenient
than GDPR, allowing extended
retention periods for legal
reasons if a risk assessment
supports the longer retention
period

ISO 27701 controls map


directly to GDPR requirements
and specifically requires
documentation be prepared
Data transmission methods
should be inventoried to
ensure transmissions are
adequately secured
ISO 27701 controls map
directly to GDPR requirements
ISO 27701 notably does not
address adequacy decisions,
certification mechanisms, or
adequate safeguards as under
GDPR. However, clause
6.12.1.2 addresses vendor
security requirements
ISO 27701 controls generally
correspond to GDPR
requirements

ISO 27701 controls generally


correspond to GDPR
requirements
ISO 27701 controls map
directly to GDPR requirements

ISO 27701 expands on GDPR


requirements by more directly
stating that customer audits
should be permitted to verify
that processing is only in
accordance with customer
instructions
ISO 27701 conforms to
general GDPR principles, but
is more specific about
restricting the
processor’s use of data for
marketing purposes. It is left
unclear whether aggregation
is permitted for marketing
purposes
ISO 27701 controls map
directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements
ISO 27701 controls map
directly to GDPR requirements

Maps to GDPR principles, but


ISO 27701 specifically
references controls specific to
temporary files
ISO 27701 expands on GDPR
requirements by requiring a
policy to be made available to
customers and requiring
affirmative demonstration
that PII has been erased

Data transmission methods


should be inventoried to
ensure transmissions are
adequately secured
ISO 27701 notably does not
address adequacy decisions,
certification mechanisms, or
adequate safeguards as under
GDPR. However, clause
6.12.1.2 addresses vendor
security requirements, which
would apply to subprocessors
ISO 27701 controls generally
correspond to GDPR
requirements

ISO 27701 controls generally


correspond to GDPR
requirements
ISO 27701 controls map
directly to GDPR requirements
ISO 27701 controls map
directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements

ISO 27701 controls map


directly to GDPR requirements
