The ISO (International Organization for Standardization) has adopted a new standard, ISO 27701, “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”. The new standard supplements the well-known ISO 27001/27002 standard, which concerns ISMS, i.e. information security management systems.
In substance, the standard consists mainly of references to ISO 27001 and 27002, some direct and some with specific deviations. Only a few requirements are new. Clause 6.5.3.2 is illustrative:
6.5.3.2 Disposal of media
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 8.3.2 and the following additional guidance applies.
Additional implementation guidance for 8.3.2, Disposal of media, of ISO/IEC 27002:2013 is:
Where removable media on which PII is stored is disposed of, secure disposal procedures should be included in the documented information and implemented to ensure that previously stored PII will not be accessible.
ISO 27701 is structured as follows:
- Foreword
- Introduction
- 1 Scope
- 2 Normative references
- 3 Terms, definitions and abbreviations
- 4 General
- 4.1 Structure of this document
- 4.2 Application of ISO/IEC 27001:2013 requirements
- 4.3 Application of ISO/IEC 27002:2013 guidelines
- 4.4 Customer
- 5 PIMS-specific requirements related to ISO/IEC 27001
- 5.1 General
- 5.2 Context of the organization
- 5.3 Leadership
- 5.4 Planning
- 5.5 Support
- 5.6 Operation
- 5.7 Performance evaluation
- 5.8 Improvement
- 6 PIMS-specific guidance related to ISO/IEC 27002
- 6.1 General
- 6.2 Information security policies
- 6.3 Organization of information security
- 6.4 Human resource security
- 6.5 Asset management
- 6.6 Access control
- 6.7 Cryptography
- 6.8 Physical and environmental security
- 6.9 Operations security
- 6.10 Communications security
- 6.11 Systems acquisition, development and maintenance
- 6.12 Supplier relationships
- 6.13 Information security incident management
- 6.14 Information security aspects of business continuity management
- 6.15 Compliance
- 7 Additional ISO/IEC 27002 guidance for PII controllers
- 7.1 General
- 7.2 Conditions for collection and processing
- 7.3 Obligations to PII principals
- 7.4 Privacy by design and privacy by default
- 7.5 PII sharing, transfer, and disclosure
- 8 Additional ISO/IEC 27002 guidance for PII processors
- 8.1 General
- 8.2 Conditions for collection and processing
- 8.3 Obligations to PII principals
- 8.4 Privacy by design and privacy by default
- 8.5 PII sharing, transfer, and disclosure
- Annex A PIMS-specific reference control objectives and controls (PII Controllers)
- Annex B PIMS-specific reference control objectives and controls (PII Processors)
- Annex C Mapping to ISO/IEC 29100
- Annex D Mapping to the General Data Protection Regulation
- Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
- Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
- F.1 How to apply this document
- F.2 Example of refinement of security standards
- Bibliography