ISO 27701: Privacy Information Management System (PIMS) as a supplement to an ISMS (ISO 27001/2)

The ISO (International Organization for Standardization) has adopted a new standard, ISO 27701, “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”. The new standard supplements the well-known standard ISO 27001/27002, which covers ISMS, i.e. management systems for information security.

In terms of content, the standard consists mainly of references to ISO 27001 and 27002, some adopted directly and some with specific deviations. Only a few requirements are new. Clause 6.5.3.2 is illustrative:

6.5.3.2 Disposal of media

The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 8.3.2 and the following additional guidance applies.

Additional implementation guidance for 8.3.2, Disposal of media, of ISO/IEC 27002:2013 is:

Where removable media on which PII is stored is disposed of, secure disposal procedures should be included in the documented information and implemented to ensure that previously stored PII will not be accessible.

ISO 27701 is structured as follows:

  • Foreword
  • Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms, definitions and abbreviations
  • 4 General
    • 4.1 Structure of this document
    • 4.2 Application of ISO/IEC 27001:2013 requirements
    • 4.3 Application of ISO/IEC 27002:2013 guidelines
    • 4.4 Customer
  • 5 PIMS-specific requirements related to ISO/IEC 27001
    • 5.1 General
    • 5.2 Context of the organization
    • 5.3 Leadership
    • 5.4 Planning
    • 5.5 Support
    • 5.6 Operation
    • 5.7 Performance evaluation
    • 5.8 Improvement
  • 6 PIMS-specific guidance related to ISO/IEC 27002
    • 6.1 General
    • 6.2 Information security policies
    • 6.3 Organization of information security
    • 6.4 Human resource security
    • 6.5 Asset management
    • 6.6 Access control
    • 6.7 Cryptography
    • 6.8 Physical and environmental security
    • 6.9 Operations security
    • 6.10 Communications security
    • 6.11 Systems acquisition, development and maintenance
    • 6.12 Supplier relationships
    • 6.13 Information security incident management
    • 6.14 Information security aspects of business continuity management
    • 6.15 Compliance
  • 7 Additional ISO/IEC 27002 guidance for PII controllers
    • 7.1 General
    • 7.2 Conditions for collection and processing
    • 7.3 Obligations to PII principals
    • 7.4 Privacy by design and privacy by default
    • 7.5 PII sharing, transfer, and disclosure
  • 8 Additional ISO/IEC 27002 guidance for PII processors
    • 8.1 General
    • 8.2 Conditions for collection and processing
    • 8.3 Obligations to PII principals
    • 8.4 Privacy by design and privacy by default
    • 8.5 PII sharing, transfer, and disclosure
  • Annex A PIMS-specific reference control objectives and controls (PII Controllers)
  • Annex B PIMS-specific reference control objectives and controls (PII Processors)
  • Annex C Mapping to ISO/IEC 29100
  • Annex D Mapping to the General Data Protection Regulation
  • Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
  • Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
    • F.1 How to apply this document
    • F.2 Example of refinement of security standards
  • Bibliography