ISO 27701

Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

First edition 2019-08

Licensed Content. Only outline shown for purpose of mapping to other legal texts.

5: PIMS-specific requirements related to ISO/IEC 27001

5.1: General

5.2: Context of the organization

Understanding the organization and its context

Understanding the needs and expectations of interested parties

Determining the scope of the information security management system

Information security management system

5.3: Leadership

Leadership and commitment

Organizational roles, responsibilities and authorities

5.4: Planning

Actions to address risks and opportunities

Information security objectives and planning to achieve them

5.5: Support

Documented information

5.6: Operation

Operational planning and control

Information security risk assessment

Information security risk treatment

5.7: Performance evaluation

Monitoring, measurement, analysis and evaluation

Management review

5.8: Improvement

Nonconformity and corrective action

Continual improvement

6: PIMS-specific guidance related to ISO/IEC 27002

6.1: General

6.2: Information security policies

Management direction for information security

6.3: Organization of information security

Internal organization

Mobile devices and teleworking

6.4: Human resource security

Prior to employment

During employment

Termination and change of employment

6.5: Asset management

Responsibility for assets

Information classification

6.6: Access control

Business requirements of access control

User access management

User responsibilities

System and application access control

6.7: Cryptography

Cryptographic controls

6.8: Physical and environmental security

6.9: Operations security

Operational procedures and responsibilities

Protection from malware

Logging and monitoring

Control of operational software

Technical vulnerability management

Information systems audit considerations

6.10: Communications security

Network security management

Information transfer

6.11: Systems acquisition, development and maintenance

Security requirements of information systems

Security in development and support processes

6.12: Supplier relationships

Information security in supplier relationships

Supplier service delivery management

6.13: Information security incident management

Management of information security incidents and improvements

6.14: Information security aspects of business continuity management

Information security continuity

6.15: Compliance

Compliance with legal and contractual requirements

Information security reviews

7: Additional ISO/IEC 27002 guidance for PII controllers

7.1: General

7.2: Conditions for collection and processing

Identify and document purpose

Identify lawful basis

Determine when and how consent is to be obtained

Obtain and record consent

Privacy impact assessment

Contracts with PII processors

Joint PII controller

Records related to processing PII

7.3: Obligations to PII principals

Determining and fulfilling obligations to PII principals

Determining information for PII principals

Providing information to PII principals

Provide mechanism to modify or withdraw consent

Provide mechanism to object to PII processing

Access, correction and/or erasure

PII controllers' obligations to inform third parties

Providing copy of PII processed

Handling requests

Automated decision making

7.4: Privacy by design and privacy by default

Limit collection

Limit processing

Accuracy and quality

PII minimization objectivesves

PII de-identification and deletion at the end of processing

Temporary files

PII transmission controls

7.5: PII sharing, transfer, and disclosure

Identify basis for PII transfer between jurisdictions

Countries and international organizations to which PII might be transferred

Records of transfer of PII

Records of PII disclosure to third parties

8: Additional ISO/IEC 27002 guidance for PII processors

8.1: General

8.2: Conditions for collection and processing

Customer agreement

Organization’s purposes

Marketing and advertising use

Infringing instruction

Customer obligations

Records related to processing PII

8.3: Obligations to PII principals

Obligations to PII principals

8.4: Privacy by design and privacy by default

Temporary files

Return, transfer or disposal of PII

PII transmission controls

8.5: PII sharing, transfer, and disclosure

Basis for PII transfer between jurisdictions

Countries and organizations to which PII might be transferred

Records of PII disclosure to third parties

Notification of PII disclosure requests

Legally binding PII disclosures

Disclosure of subcontractors used to process PII

Engagement of a subcontractor to process PII

Change of subcontractor to process PII