ISO 27701: Privacy Information Management System (PIMS) to complement ISMS (ISO 27001/2)

ISO (International Organization for Standardization) has adopted a new standard, ISO 27701, “Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.” The new standard complements the familiar ISO 27001/27002 standards, which concern ISMS, i.e., management systems for information security.

In terms of content, the standard largely consists of references to ISO 27001 and 27002, some applied directly and some with specific additions or deviations for the handling of personally identifiable information (PII). Few requirements are genuinely new. For example, see section 6.5.3.2:

6.5.3.2 Disposal of media

The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 8.3.2 and the following additional guidance applies.

Additional implementation guidance for 8.3.2, Disposal of media, of ISO/IEC 27002:2013 is:

Where removable media on which PII is stored is disposed of, secure disposal procedures should be included in the documented information and implemented to ensure that previously stored PII will not be accessible.

ISO 27701 is structured as follows:

  • Foreword
  • Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms, definitions and abbreviations
  • 4 General
    • 4.1 Structure of this document
    • 4.2 Application of ISO/IEC 27001:2013 requirements
    • 4.3 Application of ISO/IEC 27002:2013 guidelines
    • 4.4 Customer
  • 5 PIMS-specific requirements related to ISO/IEC 27001
    • 5.1 General
    • 5.2 Context of the organization
    • 5.3 Leadership
    • 5.4 Planning
    • 5.5 Support
    • 5.6 Operation
    • 5.7 Performance evaluation
    • 5.8 Improvement
  • 6 PIMS-specific guidance related to ISO/IEC 27002
    • 6.1 General
    • 6.2 Information security policies
    • 6.3 Organization of information security
    • 6.4 Human resource security
    • 6.5 Asset management
    • 6.6 Access control
    • 6.7 Cryptography
    • 6.8 Physical and environmental security
    • 6.9 Operations security
    • 6.10 Communications security
    • 6.11 Systems acquisition, development and maintenance
    • 6.12 Supplier relationships
    • 6.13 Information security incident management
    • 6.14 Information security aspects of business continuity management
    • 6.15 Compliance
  • 7 Additional ISO/IEC 27002 guidance for PII controllers
    • 7.1 General
    • 7.2 Conditions for collection and processing
    • 7.3 Obligations to PII principals
    • 7.4 Privacy by design and privacy by default
    • 7.5 PII sharing, transfer, and disclosure
  • 8 Additional ISO/IEC 27002 guidance for PII processors
    • 8.1 General
    • 8.2 Conditions for collection and processing
    • 8.3 Obligations to PII principals
    • 8.4 Privacy by design and privacy by default
    • 8.5 PII sharing, transfer, and disclosure
  • Annex A PIMS-specific reference control objectives and controls (PII Controllers)
  • Annex B PIMS-specific reference control objectives and controls (PII Processors)
  • Annex C Mapping to ISO/IEC 29100
  • Annex D Mapping to the General Data Protection Regulation
  • Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
  • Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
    • F.1 How to apply this document
    • F.2 Example of refinement of security standards
  • Bibliography