ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
The standard helps organizations manage privacy risks and compliance with various privacy regulations, such as GDPR (General Data Protection Regulation). It outlines requirements and guidance for implementing, maintaining, and continually improving a PIMS, focusing on the protection of Personally Identifiable Information (PII) and ensuring individuals’ privacy rights are upheld.
The standard specifies PIMS-related requirements and provides guidance for personally identifiable information (PII), specifically in relation to PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
Table of Contents
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General
4.1 Structure of this document
4.2 Application of ISO/IEC 27001:2013 requirements
4.3 Application of ISO/IEC 27002:2013 guidelines
4.4 Customer
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.3 Leadership
5.4 Planning
5.5 Support
5.6 Operation
5.7 Performance evaluation
5.8 Improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.3 Organization of information security
6.4 Human resource security
6.5 Asset management
6.6 Access control
6.7 Cryptography
6.8 Physical and environmental security
6.9 Operations security
6.10 Communications security
6.11 Systems acquisition, development and maintenance
6.12 Supplier relationships
6.13 Information security incident management
6.14 Information security aspects of business continuity management
6.15 Compliance
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.3 Obligations to PII principals
7.4 Privacy by design and privacy by default
7.5 PII sharing, transfer, and disclosure
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.3 Obligations to PII principals
8.4 Privacy by design and privacy by default
8.5 PII sharing, transfer, and disclosure
Annex A PIMS-specific reference control objectives and controls (PII Controllers)
Annex B PIMS-specific reference control objectives and controls (PII Processors)
Annex C Mapping to ISO/IEC 29100
Annex D Mapping to the General Data Protection Regulation
Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
F.1 How to apply this document
F.2 Example of refinement of security standards
Implementation
Implementing a Privacy Information Management System (PIMS) in conformity with ISO/IEC 27701 involves the following key steps.
Gap Analysis
Conduct a thorough assessment of your organization’s current privacy management practices against the requirements of ISO/IEC 27701 to identify gaps and areas for improvement.
Leadership Commitment
Obtain commitment and support from top management to ensure that privacy is prioritized and integrated into the organization’s overall business strategy.
Scope Definition
Define the scope of your PIMS, including the boundaries, activities, and processes covered by the system.
Risk Assessment and Treatment
Identify and assess privacy risks associated with the processing of personally identifiable information (PII) within your organization. Develop and implement controls to mitigate these risks effectively.
Legal and Regulatory Compliance
Ensure compliance with relevant privacy laws, regulations, and contractual obligations, such as GDPR, CCPA, and HIPAA, by integrating legal requirements into your PIMS.
Privacy Policies and Procedures
Develop and implement comprehensive privacy policies, procedures, and guidelines to govern the collection, use, retention, and disclosure of PII within your organization.
Training and Awareness
Provide training and awareness programs to employees, contractors, and other relevant stakeholders to enhance their understanding of privacy responsibilities and requirements.
Documented Information
Establish and maintain documented information, including policies, procedures, records, and other relevant documentation, to support the effective implementation and operation of your PIMS.
Monitoring and Measurement
Implement mechanisms to monitor, measure, and evaluate the performance of your PIMS against defined objectives, targets, and key performance indicators (KPIs).
Internal Audit
Conduct regular internal audits to assess the effectiveness of your PIMS, identify non-conformities, and drive continual improvement.
Continual Improvement
Foster a culture of continual improvement by implementing corrective actions, preventive actions, and other measures to address identified non-conformities and enhance the overall performance of your PIMS.
Management Review
Hold periodic management reviews to evaluate the performance of your PIMS, identify opportunities for improvement, and make necessary adjustments to enhance its effectiveness.
In conclusion…
By following these steps, organizations can effectively implement a Privacy Information Management System in conformity with ISO/IEC 27701, thereby demonstrating their commitment to protecting individuals’ privacy rights and complying with applicable privacy laws and regulations.
ISO/IEC 27701 can be purchased through the ISO.org website.