ISO IEC 27701:2019 download

05-22-2021 comment

ISO IEC 27701:2019 download. Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.
0.1 General
Almost every organization processes Personally Identifiable Information (PII). Further, the quantity and types of PII processed is increasing, as is the number of situations where an organization needs to cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector specific requirements, without the need to develop a new Management System. ISO Management System standards, including the sector specific ones, are designed to be able to be implemented either separately or as a combined Management System.
Requirements and guidance for PII protection vary depending on the context of the organization, in particular where national legislation and/or regulation exist. ISO/IEC 27001 requires that this context be understood and taken into account. ISO IEC 27701 includes mapping to:
— the privacy framework and principles defined in ISO/IEC 29100;
— ISO/IEC 27018;
— ISO/IEC 29151; and
— the EU General Data Protection Regulation.
However, these can need to be interpreted to take into account local legislation and/or regulation.
ISO IEC 27701 can be used by PII controllers (including those that are joint PII controllers) and PII processors (including those using subcontracted PII processors and those processing PII as subcontractors to PII processors).
An organization complying with the requirements in this document will generate documentary evidence of how it handles the processing of PII. Such evidence can be used to facilitate agreements with business partners where the processing of PII is mutually relevant. This can also assist in relationships with other stakeholders. The use of this document in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence.
ISO IEC 27701 was initially developed as ISO/IEC 27552.
0.2 Compatibility with other management system standards
ISO IEC 27701 applies the framework developed by ISO to improve alignment among its Management System Standards.
ISO IEC 27701 enables an organization to align or integrate its PIMS with the requirements of other Management System standards.
privacy information management system
information security management system which addresses the protection of privacy as potentially affected by the processing of PII
4 General
4.1 Structure of this document
This is a sector-specific document related to ISO/IEC 27001:2013 and to ISO/IEC 27002:2013.
ISO IEC 27701 focuses on PIMS-specific requirements. Compliance with this document is based on adherence to these requirements and with the requirements in ISO/IEC 27001:2013. ISO IEC 27701 extends the requirements of ISO/IEC 27001:2013 to take into account the protection of privacy of PII principals as potentially affected by the processing of PII, in addition to information security. For a better understanding, implementation guidance and other information regarding the requirements is included.
Clause 5 gives PIMS-specific requirements and other information regarding the information security requirements in ISO/IEC 27001 appropriate to an organization acting as either a PII controller or a PII processor.
NOTE 1 For completeness, Clause 5 contains a subclause for each of the clauses containing requirements in ISO/IEC 27001:2013, even in cases where there are no PIMS-specific requirements or other information.
Clause 6 gives PIMS-specific guidance and other information regarding the information security controls in ISO/IEC 27002 and PIMS-specific guidance for an organization acting as either a PII controller or a PII processor.
NOTE 2 For completeness, Clause 6 contains a subclause for each of the clauses containing objectives or controls in ISO/IEC 27002:2013, even in cases where there is no PIMS-specific guidance or other information.
Clause 7 gives additional ISO/IEC 27002 guidance for PII controllers, and Clause 8 gives additional ISO/IEC 27002 guidance for PII processors.
Annex A lists the PIMS-specific control objectives and controls for an organization acting as a PII controller (whether it employs a PII processor or not, and whether acting jointly with another PII controller or not).
Annex B lists the PIMS-specific control objectives and controls for an organization acting as a PII processor (whether it subcontracts the processing of PII to a separate PII processor or not, and including those processing PII as subcontractors to PII processors).
Annex C contains a mapping to ISO/IEC 29100.
Annex D contains a mapping of the controls in ISO IEC 27701 to the European Union General Data Protection Regulation.
Annex E contains a mapping to ISO/IEC 27018 and ISO/IEC 29151.
Annex F explains how ISO/IEC 27001 and ISO/IEC 27002 are extended to the protection of privacy when processing PII.
4.2 Application of ISO/IEC 27001:2013 requirements
Table 1 gives the location of PIMS-specific requirements in this document in relation to ISO/IEC 27001.
5.7 Performance evaluation
5.7.1 Monitoring, measurement, analysis and evaluation
The requirements stated in ISO/IEC 27001:2013, 9.1 along with the interpretation specified in 5.1, apply.
5.7.2 Internal audit
The requirements stated in ISO/IEC 27001:2013, 9.2 along with the interpretation specified in 5.1, apply.
5.7.3 Management review
The requirements stated in ISO/IEC 27001:2013, 9.3 along with the interpretation specified in 5.1, apply.
5.8 Improvement
5.8.1 Nonconformity and corrective action
The requirements stated in ISO/IEC 27001:2013, 10.1 along with the interpretation specified in 5.1, apply.
5.8.2 Continual improvement
The requirements stated in ISO/IEC 27001:2013, 10.2 along with the interpretation specified in 5.1, apply.
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
The guidelines in ISO/IEC 27002:2013 mentioning “information security” should be extended to the protection of privacy as potentially affected by the processing of PII.
NOTE 1 In practice, where “information security” is used in ISO/IEC 27002:2013, “information security and privacy” applies instead (see Annex E).
All control objectives and controls should be considered in the context of both risks to information security as well as risks to privacy related to the processing of PII.
NOTE 2 Unless otherwise stated by specific provisions in Clause 6, or determined by the organization according to applicable jurisdictions, the same guidance applies for PII controllers and PII processors.
6.2 Information security policies
6.2.1 Management direction for information security
Policies for information security
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 5.1.1 and the following additional guidance applies:
Additional implementation guidance for 5.1.1, Policies for information security, of ISO/IEC 27002:2013 is:
Either by the development of separate privacy policies, or by the augmentation of information security policies, the organization should produce a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and/or regulation and with the contractual terms agreed between the organization and its partners, its subcontractors and its
Implementation guidance
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
The legal basis for the processing of PII can include:
— consent from PII principals;
— performance of a contract;
— compliance with a legal obligation;
— protection of the vital interests of PII principals;
— performance of a task carried out in the public interest;
— legitimate interests of the PII controller.
The organization should document this basis for each PII processing activity (see 7.2.8).
The legitimate interests of the organization can include, for instance, information security objectives, which should be balanced against the obligations to PII principals with regards to privacy protection.
Whenever special categories of PII are defined, either by the nature of the PII (e.g. health information) or by the PII principals concerned (e.g. PII relating to children), the organization should include those categories of PII in its classification schemes.
The classification of PII that falls into these categories can vary from one jurisdiction to another and can vary between different regulatory regimes that apply to different kinds of business, so the organization needs to be aware of the classification(s) that apply to the PII processing being performed.
The use of special categories of PII can also be subject to more stringent controls.
Changing or extending the purposes for the processing of PII can require updating and/or revision of the legal basis. It can also require additional consent to be obtained from the PII principal.
7.2.3 Determine when and how consent is to be obtained
The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.
Implementation guidance
Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent. It can be useful to correlate the purpose(s) for processing with information about if and how consent is obtained.
Some jurisdictions have specific requirements for how consent is collected and recorded (e.g. not bundled with other agreements). Additionally, certain types of data collection (for scientific research for example) and certain types of PII principals, such as children, can be subject to additional requirements. The organization should take into account such requirements and document how mechanisms for consent meet those requirements.
The organization should apply the data minimization principle to the records of transfers by retaining only the strictly needed information.
7.5.4 Records of PII disclosure to third parties
Control
The organization should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time.
Implementation guidance
PII can be disclosed during the course of normal operations. These disclosures should be recorded. Any additional disclosures to third parties, such as those arising from lawful investigations or external audits, should also be recorded. The records should include the source of the disclosure and the source of the authority to make the disclosure.
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
The guidance in Clause 6 and the additions of this clause create the PIMS-specific guidance for PII processors. The implementation guidance documented in this clause relate to the controls listed in Ane
8.2 Conditions for collection and processing
Objective: To determine and document that processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes.
8.2.1 Customer agreement
The organization should ensure, where relevant, that the contract to process PII addresses the organization’s role in providing assistance with the customer’s obligations (taking into account the nature of processing and the information available to the organization).
Implementation guidance
The contract between the organization and the customer should include the following wherever relevant, and depending on the customer's role (PII controller or PII processor) (this list is neither definitive nor exhaustive):
— privacy by design and privacy by default (see 7.4, 8.4);
— achieving security of processing;
— notification of breaches involving PII to a supervisory authority;
— notification of breaches involving PII to customers and PII principals;
— conducting Privacy Impact Assessments (PIA); and
— the assurance of assistance by the PII processor if prior consultations with relevant PII protection authorities are needed.
Some jurisdictions require that the contract include the subject matter and duration of the processing, the nature and purpose of the processing, the type of PII and categories of PII principals.
Information disclosed should cover the fact that subcontracting is used and the names of relevant subcontractors. The information disclosed should also include the countries and international organizations to which subcontractors can transfer data (see 8.5.2) and the means by which subcontractors are obliged to meet or exceed the obligations of the organization (see 8.5.7).
Where public disclosure of subcontractor information is assessed to increase security risk beyond acceptable limits, disclosure should be made under a non-disclosure agreement and/or on the request of the customer. The customer should be made aware that the information is available.
This does not concern the list of countries where the PII can be transferred. This list should be disclosed to the customer in all cases in a way that allows them to inform the appropriate PII principals.
8.5.7 Engagement of a subcontractor to process PII
The organization should only engage a subcontractor to process PII according to the customer contract.
Implementation guidance
Where the organization subcontracts some or all of the processing of that PII to another organization, a written authorization from the customer is required prior to the PII processed by the subcontractor. This can be in the form of appropriate clauses in the customer contract, or can be a specific “one-off” agreement.
The organization should have a written contract with any subcontractors that it uses for PII processing on its behalf, and should ensure that their contracts with subcontractors address the implementation of the appropriate controls in Annex B.
The contract between the organization and any subcontractor processing PII on its behalf should require the subcontractor to implement the appropriate controls specified in Annex B, taking account of the information security risk assessment process (see 5.4.1.2) and the scope of the processing of PII performed by the PII processor (see 6.12). By default, all controls specified in Annex B should be assumed as relevant. If the organization decides to not require the subcontractor to implement a control from Annex B, it should justify its exclusion.
A contract can define the responsibilities of each party differently but, to be consistent with this document, all controls should be considered and included in the documented information.
8.5.8 Change of subcontractor to process PII
Control
The organization should, in the case of having general written authorization, inform the customer of any intended changes concerning the addition or replacement of subcontractors to process PII, thereby giving the customer the opportunity to object to such changes.
Implementation guidance
Where the organization changes the organization with which it subcontracts some or all of the processing of that PII, then written authorization from the customer is required for the change, prior to the PII processed by the new subcontractor. This can be in the form of appropriate clauses in the customer contract, or can be a specific one-off agreement.
