ISO 27701
Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
First edition 2019-08
Licensed content. Only the outline is shown, for the purpose of mapping to other legal texts.
5: PIMS-specific requirements related to ISO/IEC 27001
5.1: General
5.2: Context of the organization
5.2.1: Understanding the organization and its context
5.2.2: Understanding the needs and expectations of interested parties
5.2.3: Determining the scope of the information security management system
5.2.4: Information security management system
5.3: Leadership
5.3.1: Leadership and commitment
5.3.2: Policy
5.3.3: Organizational roles, responsibilities and authorities
5.4: Planning
5.4.1: Actions to address risks and opportunities
5.4.2: Information security objectives and planning to achieve them
5.5: Support
5.5.1: Resources
5.5.2: Competence
5.5.3: Awareness
5.5.4: Communication
5.5.5: Documented information
5.6: Operation
5.6.1: Operational planning and control
5.6.2: Information security risk assessment
5.6.3: Information security risk treatment
5.7: Performance evaluation
5.7.1: Monitoring, measurement, analysis and evaluation
5.7.2: Internal audit
5.7.3: Management review
5.8: Improvement
5.8.1: Nonconformity and corrective action
5.8.2: Continual improvement
6: PIMS-specific guidance related to ISO/IEC 27002
6.1: General
6.2: Information security policies
6.2.1: Management direction for information security
6.3: Organization of information security
6.3.1: Internal organization
6.3.2: Mobile devices and teleworking
6.4: Human resource security
6.4.1: Prior to employment
6.4.2: During employment
6.4.3: Termination and change of employment
6.5: Asset management
6.5.1: Responsibility for assets
6.5.2: Information classification
6.5.3: Media handling
6.6: Access control
6.6.1: Business requirements of access control
6.6.2: User access management
6.6.3: User responsibilities
6.6.4: System and application access control
6.7: Cryptography
6.7.1: Cryptographic controls
6.8: Physical and environmental security
6.8.1: Secure areas
6.8.2: Equipment
6.9: Operations security
6.9.1: Operational procedures and responsibilities
6.9.2: Protection from malware
6.9.3: Backup
6.9.4: Logging and monitoring
6.9.5: Control of operational software
6.9.6: Technical vulnerability management
6.9.7: Information systems audit considerations
6.10: Communications security
6.10.1: Network security management
6.10.2: Information transfer
6.11: Systems acquisition, development and maintenance
6.11.1: Security requirements of information systems
6.11.2: Security in development and support processes
6.11.3: Test data
6.12: Supplier relationships
6.12.1: Information security in supplier relationships
6.12.2: Supplier service delivery management
6.13: Information security incident management
6.13.1: Management of information security incidents and improvements
6.14: Information security aspects of business continuity management
6.14.1: Information security continuity
6.14.2: Redundancies
6.15: Compliance
6.15.1: Compliance with legal and contractual requirements
6.15.2: Information security reviews
7: Additional ISO/IEC 27002 guidance for PII controllers
7.1: General
7.2: Conditions for collection and processing
7.2.1: Identify and document purpose
7.2.2: Identify lawful basis
7.2.3: Determine when and how consent is to be obtained
7.2.4: Obtain and record consent
7.2.5: Privacy impact assessment
7.2.6: Contracts with PII processors
7.2.7: Joint PII controller
7.2.8: Records related to processing PII
7.3: Obligations to PII principals
7.3.1: Determining and fulfilling obligations to PII principals
7.3.2: Determining information for PII principals
7.3.3: Providing information to PII principals
7.3.4: Provide mechanism to modify or withdraw consent
7.3.5: Provide mechanism to object to PII processing
7.3.6: Access, correction and/or erasure
7.3.7: PII controllers' obligations to inform third parties
7.3.8: Providing copy of PII processed
7.3.9: Handling requests
7.3.10: Automated decision making
7.4: Privacy by design and privacy by default
7.4.1: Limit collection
7.4.2: Limit processing
7.4.3: Accuracy and quality
7.4.4: PII minimization objectives
7.4.5: PII de-identification and deletion at the end of processing
7.4.6: Temporary files
7.4.7: Retention
7.4.8: Disposal
7.4.9: PII transmission controls
7.5: PII sharing, transfer, and disclosure
7.5.1: Identify basis for PII transfer between jurisdictions
7.5.2: Countries and international organizations to which PII might be transferred
7.5.3: Records of transfer of PII
7.5.4: Records of PII disclosure to third parties
8: Additional ISO/IEC 27002 guidance for PII processors
8.1: General
8.2: Conditions for collection and processing
8.2.1: Customer agreement
8.2.2: Organization’s purposes
8.2.3: Marketing and advertising use
8.2.4: Infringing instruction
8.2.5: Customer obligations
8.2.6: Records related to processing PII
8.3: Obligations to PII principals
8.3.1: Obligations to PII principals
8.4: Privacy by design and privacy by default
8.4.1: Temporary files
8.4.2: Return, transfer or disposal of PII
8.4.3: PII transmission controls
8.5: PII sharing, transfer, and disclosure
8.5.1: Basis for PII transfer between jurisdictions
8.5.2: Countries and organizations to which PII might be transferred
8.5.3: Records of PII disclosure to third parties
8.5.4: Notification of PII disclosure requests
8.5.5: Legally binding PII disclosures
8.5.6: Disclosure of subcontractors used to process PII
8.5.7: Engagement of a subcontractor to process PII
8.5.8: Change of subcontractor to process PII