
ISO 27701 and Conformance with Privacy Information Management (Part 2)

The International Organization for Standardization wrote ISO 27701 to align the standards of the ISO 27001 series with privacy-based standards like GDPR and CCPA. As such, it addresses the core requirements of ISO 27001 and ISO 27002 and refines them so that organizations don’t have to fumble in the dark about adapting their existing ISO certifications to larger regulatory frameworks.

Previously, we discussed the impact of this document on ISO 27001. In this article, we carry on where we previously left off by discussing refinements to ISO 27002 and adopting specific controls to handle PII.

 


What’s The Difference Between ISO 27001 and ISO 27002?

The ISO 27000 series focuses on best cybersecurity practices, specifically around implementing Information Security Management Systems (ISMS). It’s important to note that these ISMS frameworks aren’t strictly technical but rather a conglomeration of technical, administrative, operational, and physical measures that contribute to an organization’s overall security. 

There are two core documents to this series: ISO 27001, which specifies the requirements an ISMS must meet and is the standard against which organizations are certified, and ISO 27002, which provides implementation guidance for the security controls that ISO 27001 references.

In our previous article, we covered how ISO 27701 refines the ISMS standards of ISO 27001. Here, we’re diving into the next section to discuss refinements to ISO 27002.

 

ISO 27701 and PIMS-Related Guidance for ISO 27002 

These refinements fall under two general categories:

Many requirements remain unchanged between the two documents, except for the broader ideas listed here. 

 

Information on Security Policies

ISO 27701 refines the original requirements by requiring that organizations augment their security policies with a commitment to protecting PII specifically. This statement, and all policies, should include plans to preserve PII per government regulations and industry standards.

 

Organization of Information Security

Specific refinements to IT security organization include:

 

Human Resource Security

The organization should implement training and education regarding the consequences of the compromise of PII, including those related to regulations, loss of reputation and business, disciplinary actions, and any other financial, physical, or emotional impacts. This training should also include awareness of necessary incident reporting. 

Asset Management

Data classification schemas should include PII as part of their sensitive data categories and, thus, apply all requisite security, privacy, and integrity controls to that information as defined in the scheme.

Furthermore, the organization must make information available to inform personnel about this classification and any subsequent responsibilities. 

Physical media management also receives several refinements, including:

 

Access Control

Any user account meant to administer PII should have safeguards to deal with thefts or loss of credentials. No deactivated accounts should be reactivated or reissued for use. Any user account provided the privilege to process PII must be inventoried and monitored. 

Finally, if the organization is a service provider offering PII processing, it can turn over control of some aspects of user ID management, provided the processes for doing so are clearly documented.

 

Cryptography

The organization must provide documentation regarding the types of cryptography used to protect PII and how it aligns with relevant jurisdictional requirements (such as government regulations or industry standards). 

 

Physical Security

ISO 27701 refines physical media security in cases where storage media is re-used. If storage media is used to store PII and is then repurposed for other uses, the organization must ensure that the PII is deleted and no longer accessible. In cases where there is ambiguity as to whether or not storage media has ever contained PII, it must be treated as if it has contained PII.

 

Operations Security

ISO 27701 refines a few specific controls in operations security, including:

 

Communications Security

These controls are refined such that if personnel use company-wide communication media, whether internally or externally, they must operate under a confidentiality agreement stating that they will refrain from broadcasting PII over such channels.

 

Systems Acquisition and Design

Systems should follow “privacy by design” and “privacy by default” principles, following guidance in ISO 29100 implemented in the design phase and revisited in all design milestones. And under no circumstances should PII be used as a test data set for software or system development.

 

Supplier Relationships

Supplier agreements should include mention of systems processing PII, with a clear allocation of responsibilities for security and management between suppliers and third parties. There should also be mechanisms to ensure that these agreements (and any compliance or regulatory requirements) are adhered to. 

 

Information Security Incident Management

The organization must include PII within their incident response and recovery management plans. Furthermore, if specific regulations or compliance requirements apply to PII specifically, those must be integrated into these security plans.

Should there be an incident affecting PII or PII-containing systems, then an immediate review must follow to inform the incident response process, except in cases where the event could not impact PII.

Finally, the organization should have, in the form of a contract or terms of service, an agreement with customers regarding how they will report any breach of PII. This report should include information that would be useful for regulatory or forensic purposes, including the event description, the time of the event, the consequences of the event, and steps taken to resolve the event.

 

Compliance

The organization should include a record of any legal sanctions resulting from improper processing of PII, including fines or loss of operating licenses. These sanctions can be used to inform contracts with customers and third-party suppliers.

 

Stay Ahead of Evolving ISO Requirements with Lazarus Alliance

The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s important to understand how those changes result in a unique PIMS infrastructure.

Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.
