ISO 27701 - The Path To Privacy Program Certification Part 1
risk3sixty | Security | Privacy | Compliance
An Overview of the ISO 27701 Framework

Before we begin dissecting the ISO 27701 framework ... compliance posture to the internal and external stakeholders.

Background and History
ISO 27701 Framework
ISO 27701 Clause 5 (The PIMS): Essential Elements
ISO 27701 Clauses 6-8: Privacy Considerations Related to Security Controls
Annex A and B: Required Privacy Controls
Article 4 of GDPR defines data controllers and data processors as below:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
As a philosophical point, ISO 27701 establishes a system of management (hence the term Privacy Information Management System, or PIMS) that empowers management to establish, implement, govern, and continuously improve the privacy environment. This, in short, is the PIMS.

There are many elements of a functional PIMS that must be implemented in order to satisfy ISO 27701 certification requirements. These requirements are outlined in Clause 5 of ISO 27701 and map directly to Clauses 4-10 of ISO 27001, the clauses that define the ISMS itself. Because ISO 27701 is written as an extension to ISO 27001, a PIMS is not certified on its own; it is assessed alongside an ISO 27001 ISMS. For those unfamiliar with ISO 27701/ISO 27001, reading through these clauses for the first time and trying to understand the scope of what needs to be done to implement a PIMS can be daunting and confusing.

Thus, it is helpful to think about these requirements as falling into one of four categories: Governance, Risk Management, Strategic Planning, and Performance Monitoring.

1) Governance
Governance includes establishing leadership and ownership of security and privacy, defining roles on the organizational chart, authoring and implementing policies and procedures related to privacy, and ensuring appropriate resources are available to support the security and privacy program.

2) Risk Assessment/Risk Management
Risk management is the process of identifying, analyzing, and treating risks. A risk management program should grant authorization and authority to the individuals responsible for information security (often called the information risk council, or similar). A formalized risk assessment is the process which helps leadership identify key risks, prioritize resources and controls, and align the security program with business objectives. As related to privacy, the risk assessment should consider privacy topics, including the introduction of the Privacy Impact Assessment.
Mapping of ISO 27701 Clause 5 requirements to ISO 27001 clauses, by category:

Governance
Requirement | ISO 27701 Clause | ISO 27001 Clause
Context | 5.2 | 4
Leadership | 5.3 | 5

Risk Management
Requirement | ISO 27701 Clause | ISO 27001 Clause
Planning | 5.4 (5.4.1) | 6
Operation | 5.6 (5.6.2, 5.6.3) | 8

Strategic Planning
Requirement | ISO 27701 Clause | ISO 27001 Clause
Planning | 5.4 (5.4.2) | 6 (6.2)
Resources | 5.5 | 7
Operation | 5.6 (5.6.2, 5.6.3) | 8

Performance Monitoring
Requirement | ISO 27701 Clause | ISO 27001 Clause
Performance Evaluation | 5.7 (5.7.2) | 9 (9.2)
Improvement | 5.8 | 10
Annex A and B outline the unique privacy controls that may be relevant to
controllers (Annex A) and processors (Annex B).
Contact a Professional
Christian Hyatt, Managing Director
CISA | CISM | ISO 27001 Lead Auditor | PCI QSA
Christian.Hyatt@risk3sixt
Manage Security and Compliance in One Platform
From vulnerability scanning, to policy curation, team collaboration,
audits, and assessments – manage your entire security and
compliance program in a single platform.
Simple and Fast Implementation
One-Click Compliance Reporting
Quickly Assess Risk with Asset Labeling
Complete Team Collaboration
Project Management to Vulnerability Closure
Automated Scan and Rescan to Validate Issue Closure
Management-Level KPIs and Progress Reporting
Customized Workflow
ISO 27001, SOC 2, GDPR, PCI DSS, and more!
Appendix I: Mapping and Commentary on ISO 27701, ISO 27001 Control Guidelines, and GDPR

ISO 27701 Clause | Guidance | ISO 27001 Clause Mapping
5.1 | All references in ISO 27001 to “information security” should be considered references to “information security and privacy”. Note: This applies even to ISO 27001 and ISO 27002 sections without a privacy-specific interpretation. | n/a