ISO (the International Organization for Standardization) has published a new standard, ISO 27701, "Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines". The new standard supplements the well-known ISO 27001/27002 standards, which concern ISMS, i.e. information security management systems.

In substance, the standard consists mainly of references to ISO 27001 and 27002, partly applied directly and partly with specified deviations. Only a few requirements are new. Clause 6.5.3.2 is illustrative:

6.5.3.2 Disposal of media

The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 8.3.2 and the following additional guidance applies.

Additional implementation guidance for 8.3.2, Disposal of media, of ISO/IEC 27002:2013 is:

Where removable media on which PII is stored is disposed of, secure disposal procedures should be included in the documented information and implemented to ensure that previously stored PII will not be accessible.

ISO 27701 is structured as follows:

  • Foreword
  • Introduction
  • 1 Scope
  • 2 Normative references
  • 3 Terms, definitions and abbreviations
  • 4 General
    • 4.1 Structure of this document
    • 4.2 Application of ISO/IEC 27001:2013 requirements
    • 4.3 Application of ISO/IEC 27002:2013 guidelines
    • 4.4 Customer
  • 5 PIMS-specific requirements related to ISO/IEC 27001
    • 5.1 General
    • 5.2 Context of the organization
    • 5.3 Leadership
    • 5.4 Planning
    • 5.5 Support
    • 5.6 Operation
    • 5.7 Performance evaluation
    • 5.8 Improvement
  • 6 PIMS-specific guidance related to ISO/IEC 27002
    • 6.1 General
    • 6.2 Information security policies
    • 6.3 Organization of information security
    • 6.4 Human resource security
    • 6.5 Asset management
    • 6.6 Access control
    • 6.7 Cryptography
    • 6.8 Physical and environmental security
    • 6.9 Operations security
    • 6.10 Communications security
    • 6.11 Systems acquisition, development and maintenance
    • 6.12 Supplier relationships
    • 6.13 Information security incident management
    • 6.14 Information security aspects of business continuity management
    • 6.15 Compliance
  • 7 Additional ISO/IEC 27002 guidance for PII controllers
    • 7.1 General
    • 7.2 Conditions for collection and processing
    • 7.3 Obligations to PII principals
    • 7.4 Privacy by design and privacy by default
    • 7.5 PII sharing, transfer, and disclosure
  • 8 Additional ISO/IEC 27002 guidance for PII processors
    • 8.1 General
    • 8.2 Conditions for collection and processing
    • 8.3 Obligations to PII principals
    • 8.4 Privacy by design and privacy by default
    • 8.5 PII sharing, transfer, and disclosure
  • Annex A PIMS-specific reference control objectives and controls (PII Controllers)
  • Annex B PIMS-specific reference control objectives and controls (PII Processors)
  • Annex C Mapping to ISO/IEC 29100
  • Annex D Mapping to the General Data Protection Regulation
  • Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
  • Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
    • F.1 How to apply this document
    • F.2 Example of refinement of security standards
  • Bibliography

Posted by David Vasella

RA Dr. David Vasella is an attorney at FRORIEP. He specializes in IT, data protection and intellectual property law and is a lecturer at the University of Zurich. He is the founder of swissblawg.