ISO IEC 27701:2019

05-23-2021

ISO/IEC 27701:2019. Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Requirements and guidelines.
0.1 General
Almost every organization processes Personally Identifiable Information (PII). Further, the quantity and types of PII processed is increasing, as is the number of situations where an organization needs to cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector specific requirements, without the need to develop a new Management System. ISO Management System standards, including the sector specific ones, are designed to be able to be implemented either separately or as a combined Management System.
Requirements and guidance for PII protection vary depending on the context of the organization, in particular where national legislation and/or regulation exist. ISO/IEC 27001 requires that this context be understood and taken into account. ISO/IEC 27701 includes mapping to:
— the privacy framework and principles defined in ISO/IEC 29100;
— ISO/IEC 27018;
— ISO/IEC 29151; and
— the EU General Data Protection Regulation.
However, those can need to be interpreted to take into account local legislation and/or regulation.
ISO/IEC 27701 can be used by PII controllers (including those that are joint PII controllers) and PII processors (including those using subcontracted PII processors and those processing PII as subcontractors to PII processors).
An organization complying with the requirements in this document will generate documentary evidence of how it handles the processing of PII. Such evidence can be used to facilitate agreements with business partners where the processing of PII is mutually relevant. This can also assist in relationships with other stakeholders. The use of this document in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence.
ISO/IEC 27701 was initially developed as ISO/IEC 27552.
0.2 Compatibility with other management system standards
ISO/IEC 27701 applies the framework developed by ISO to improve alignment among its Management System Standards.
ISO/IEC 27701 enables an organization to align or integrate its PIMS with the requirements of other Management System standards.
Where the organization acts in both roles (e.g. a PII controller and a PII processor), separate roles shall be determined, each of which is the subject of a separate set of controls.
NOTE The role of the organization can be different for each instance of the processing of PII, since it depends on who determines the purposes and means of the processing.
5.2.2 Understanding the needs and expectations of interested parties
A requirement additional to ISO/IEC 27001:2013, 4.2 is:
The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals.
NOTE 1 Other interested parties can include customers (see 4.4), supervisory authorities, other PII controllers, PII processors and their subcontractors.
NOTE 2 Requirements relevant to the processing of PII can be determined by legal and regulatory requirements, by contractual obligations and by self-imposed organizational objectives. The privacy principles set out in ISO/IEC 29100 provide guidance concerning the processing of PII.
NOTE 3 As an element to demonstrate compliance to the organization's obligations, some interested parties can expect that the organization be in conformity with specific standards, such as the Management System specified in this document, and/or any relevant set of specifications. These parties can call for independently audited compliance to these standards.
5.2.3 Determining the scope of the information security management system
A requirement additional to ISO/IEC 27001:2013, 4.3 is:
When determining the scope of the PIMS, the organization shall include the processing of PII.
NOTE The determination of the scope of the PIMS can require revising the scope of the information security management system, because of the extended interpretation of information security according to 5.1.
5.2.4 Information security management system
A requirement additional to ISO/IEC 27001:2013, 4.4 is:
The organization shall establish, implement, maintain and continually improve a PIMS in accordance with the requirements of ISO/IEC 27001:2013 Clauses 4 to 10, extended by the requirements in Clause 5.
5.3 Leadership
5.3.1 Leadership and commitment
The requirements stated in ISO/IEC 27001:2013, 5.1 along with the interpretation specified in 5.1, apply.
5.3.2 Policy
The requirements stated in ISO/IEC 27001:2013, 5.2 along with the interpretation specified in 5.1, apply.
5.3.3 Organizational roles, responsibilities and authorities
The requirements stated in ISO/IEC 27001:2013, 5.3 along with the interpretation specified in 5.1, apply.
Contact with authorities
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 6.1.3 applies.
Contact with special interest groups
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 6.1.4 applies.
Information security in project management
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 6.1.5 applies.
6.3.2 Mobile devices and teleworking
Mobile device policy
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 6.2.1 and the following additional guidance applies.
Additional implementation guidance for 6.2.1, Mobile device policy, of ISO/IEC 27002:2013 is:
The organization should ensure that the use of mobile devices does not lead to a compromise of PII.
Teleworking
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 6.2.2 applies.
6.4 Human resource security
6.4.1 Prior to employment
Screening
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 7.1.1 applies.
Terms and conditions of employment
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 7.1.2
6.4.2 During employment
Management responsibilities
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 7.2.1 applies.
6.4.2.2 Information security awareness, education and training
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 7.2.2 and the following additional guidance applies.
Implementation guidance
Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.
The legal basis for the processing of PII can include:
— consent from PII principals;
— performance of a contract;
— compliance with a legal obligation;
— protection of the vital interests of PII principals;
— performance of a task carried out in the public interest;
— legitimate interests of the PII controller.
The organization should document this basis for each PII processing activity (see 7.2.8).
The legitimate interests of the organization can include, for instance, information security objectives, which should be balanced against the obligations to PII principals with regards to privacy protection.
Whenever special categories of PII are defined, either by the nature of the PII (e.g. health information) or by the PII principals concerned (e.g. PII relating to children), the organization should include those categories of PII in its classification schemes.
The classification of PII that falls into these categories can vary from one jurisdiction to another and can vary between different regulatory regimes that apply to different kinds of business, so the organization needs to be aware of the classification(s) that apply to the PII processing being performed.
The use of special categories of PII can also be subject to more stringent controls.
Changing or extending the purposes for the processing of PII can require updating and/or revision of the legal basis. It can also require additional consent to be obtained from the PII principal.
7.2.3 Determine when and how consent is to be obtained
The organization should determine and document a process by which it can demonstrate if, when and how consent for the processing of PII was obtained from PII principals.
Implementation guidance
Consent can be required for processing of PII unless other lawful grounds apply. The organization should clearly document when consent needs to be obtained and the requirements for obtaining consent. It can be useful to correlate the purpose(s) for processing with information about if and how consent is obtained.
Some jurisdictions have specific requirements for how consent is collected and recorded (e.g. not bundled with other agreements). Additionally, certain types of data collection (for scientific research, for example) and certain types of PII principals, such as children, can be subject to additional requirements. The organization should take into account such requirements and document how mechanisms for consent meet those requirements.

