In the modern age is privacy protection a necessity due to the ever-increasing rate of digitization, whereas addressing access to personal data in a legitimate way. In addition, information security is concerned with ensuring the confidentiality, integrity and availability of personal data. Information security and privacy protection are interrelated; privacy cannot be ensured without introducing security measures.
In August 2019, the International Organization for Standardization published ISO/IEC 27701, which extends the requirements and recommendations of ISO/IEC 27001 and ISO/IEC 27002 to cover privacy issues. It specifies requirements and guides the establishment, implementation, maintenance and continuous improvement of PIMS. It also provides guidance to controllers and processors to properly manage the processing of personal data using the Privacy Information Management System (PIMS).
New concepts in privacy management systems
The standard introduces some new concepts. Especially Privacy Information Management System (PIMS), which is, by definition, information security management system which addresses the protection of privacy as potentially affected by the processing of PII.
In this context, the term information security and privacy extends the term information security that is used in information security management systems according to ISO/IEC 27001. The application is broad, for example, information security policy is updated to information security and privacy policy, or information security objectives is updated to information security and privacy objectives, etc.
The abbreviation PII should be remembered. It means Personally Identifiable Information, therefore in the context GDPR, personal data. The term has been taken from ISO / IEC 29100, which provides a framework for PII protection in ICT systems.
The standard also defines the term customer, which may be (a) an organization who has a contract with a PII controller, (b) a PII controller who has a contract with a PII processor, (c) a PII processor who has a contract with a subcontractor for PII processing.
Structure of the standard
As stated, ISO/IEC 27701 extends ISO/IEC 27001 and ISO/IEC 27002. This link is reflected in its structure, which includes the following essential elements:
- Article 5: PIMS-specific requirements related to ISO/IEC 27001
- Article 6: PIMS-specific guidance related to ISO/IEC 27002
- Article 7: Additional ISO/IEC 27002 guidance for PII controllers
- Article 8: Additional ISO/IEC 27002 guidance for PII processors
To comply with a standard, an organization must establish, implement, maintain and continuously improve PIMS following the requirements of Articles 4 to 10 of ISO/IEC 27001: 2013, extended by the requirements of Article 5 of ISO/IEC 27701.
The standard contains six annexes, of which Annexes A and B are normative. Annexes C to F are informative.
- Annex A: PIMS specific reference measures and measures (PII controllers)
- Annex B: PIMS specific reference measures and measures (PII processors)
- Annex C: Mapping to ISO/IEC 29100
- Annex D: Mapping to the General Data Protection Regulation GDPR
- Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
- Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
PIMS-specific requirements related to ISO/IEC 27001
PIMS-specific requirements related to ISO/IEC 27001 refers to “only” a few articles that relate to the organization’s context (clauses 4.1 to 4.4 of ISO/IEC 27001) and risk management processes (clauses 6.1.2 and 6.1.3 of ISO/IEC 27001). Other requirements of ISO/IEC 27001 are practically unchanged.
In addressing the context, an organization must determine its role as a controller and/or a processor of PII. It must also identify external and internal factors that are relevant to its context and affect its ability to achieve the intended PIMS outcome(s). Organizations shall include among interested parties those having interests or obligations related to the processing of PII, including PII principals. Organizations must also include PII processing into the scope of PIMS.
It is also essential that an organization shall not only apply the process of assessing information security risks associated with the loss of confidentiality, integrity and availability of information within the PIMS range. An organization shall also implement a process of privacy risk assessment to identify risks associated with processing personally identifiable information (PII) within the PIMS scope. There is a requirement that the relationship between information security and the protection of personally identifiable information (PII) needs to be adequately managed. The Statement of Applicability according to Annex A of ISO/IEC 27001 shall be extended to include the privacy measures of Annex A (for controllers) and Annex B (for processors) of ISO/IEC 27701.
PIMS-specific guidance related to ISO/IEC 27002
ISO/IEC 27701 extends ISO/IEC 27002 to include privacy-related guidelines. Thus, Article 6 provides additional guidance on information security policies, information security roles and responsibilities, mobile device policy, awareness, education and training, information classification, media manipulation, access controls, etc.
Privacy objectives controls and controls for PII controllers and PII processors
Privacy objective controls for PII controllers (Annex A) and processors (Annex B) are the same for both and include:
- Conditions for collection and processing
- Obligations to PII principals
- Privacy by design and privacy by default
- PII sharing, transfer and disclosure
However, the number of individual measures and their content varies. Standards define 32 controls for PII controllers and 18 controls for PII processors. Articles 7 and 8 then provide both of them additional guidance.
Mapping ISO/IEC 27701 with other standards and GDPR
Informative annexes C, D and E address the mapping of ISO/IEC 27701 to other standards (i.e. ISO/IEC 29100, ISO/IEC 27018, ISO/IEC 29151) as well as to the GDPR. If you are interested in detail mapping of the GDPR, please contact us at info@krucek.cz.
Conclusion
The Privacy Information Management System (PIMS) based on ISO/IEC 27701 is a great assistant for the proper management of extensive personal data processing. It will help organizations to implement all the necessary processes and controls to process PII properly and effectively integrate these into the overall organization’s management and controls.