ISO 27701 and Conformance with Privacy Information Management (Part 2)
The International Organization for Standardization wrote ISO 27701 to align the standards of the ISO 27001 series with privacy-based standards like GDPR and CCPA. As such, it addresses the core requirements of that standard and refines them so that organizations don’t have to fumble in the dark about adapting their existing ISO certifications to larger regulatory frameworks.
Previously, we discussed the impact of this document on ISO 27001. In this article, we carry on where we previously left off by discussing refinements to ISO 27002 and adopting specific controls to handle PII.
What’s The Difference Between ISO 27001 and ISO 27002?
The ISO 27000 series focuses on best cybersecurity practices, specifically around implementing Information Security Management Systems (ISMS). It’s important to note that these ISMS frameworks aren’t strictly technical but rather a conglomeration of technical, administrative, operational, and physical measures that contribute to an organization’s overall security.
There are two core documents to this series:
- ISO 27001: This document provides the overarching requirements for implementing a proper ISMS, from planning and support to operational systems and leadership expectations.
- ISO 27002: While ISO 27001 covers the big picture requirements for an ISMS, ISO 27002 provides a more in-depth approach to the actual controls that comprise these broader categories. These controls can range from physical security standards to cryptography, endpoint security, and policy creation.
In our previous article, we covered how ISO 27702 refines the ISMS standards of ISO 27001. Here, we’re diving into the next section to discuss refinements to ISO 27002.
ISO 27701 and PIMS-Related Guidance for ISO 27002
These refinements fall under two general categories:
- General Refinements: ISO 27702 Section 5.1 defines “general” refinements as those in which any requirements in ISO 27002 that mention “information security” must be extended to include data privacy if it is threatened or affected through the processing of PII.
- Specific Requirements: More in-depth refinements are specified on a per-item basis as necessary.
Many requirements remain unchanged between the two documents, except for the broader ideas listed here.
Information on Security Policies
ISO 27701 refines the original requirements by requiring that organizations augment their security policies with a commitment to protecting PII specifically. This statement, and all policies, should include plans to preserve PII per government regulations and industry standards.
Organization of Information Security
Specific refinements to IT security organization includes:
- Internal Organization: Organizations should have one or more people appointed with the responsibility for the security around PII. These individuals should be independent of management but report to them, involve themselves in all issues of PII security, be an expert in data regulations and compliance, act as a contact point for authorities, and provide advice to the organization related to PII security.
- Mobile Devices: The use of mobile devices and remote computing should never compromise PII.
Human Resource Security
The organization should implement training and education regarding the consequences of the compromise of PII, including those related to regulations, loss of reputation and business, disciplinary actions, and any other financial, physical, or emotional impacts. This training should also include awareness of necessary incident reporting.
Data classification schemas should include PII as part of its sensitive data categories and, thus, apply all requisite security, privacy, and integrity controls to that information as defined in that scheme.
Furthermore, the organization must make information available to inform personnel about this classification and any subsequent responsibilities.
Physical media management also receives several refinements, including:
- Documentation: Any physical media used to store PII must also be documented, and part of an inventory and all media (especially removable media) should be encrypted.
- Disposal: All media storing PII must be disposed of so that no PII is retrievable.
- Transfer: Any removable media used to transfer PII must be inventoried and logged by recording the chain of possession. This media should include encryption and other security measures that prevent data access outside authorized personnel.
Any user account meant to administer PII should have safeguards to deal with thefts or loss of credentials. No deactivated accounts should be reactivated or reissued for use. Any user account provided the privilege to process PII must be inventoried and monitored.
Finally, if the organization is a service provider offering PII processing, they can turn over control of some aspects of ID management with clearly documented processes.
The organization must provide documentation regarding the types of cryptography used to protect PII and how it aligns with relevant jurisdictional requirements (such as government regulations or industry standards).
ISO 27701 refines physical media security in cases where storage media is re-used. If storage media is used to store PII and is then repurposed for other uses, the organization must ensure that the PII is deleted and no longer accessible. In cases where there is ambiguity as to whether or not storage media has ever contained PII, it must be treated as if it has contained PII.
ISO 27701 refines a few specific controls in operations security, including:
- Backups: Organizations should have policies in place to address backup and recovery requirements for PII. These policies should address any regulations or compliance requirements for PII backups and put into place procedures for executing and logging PII restoration.
- Event Logging: Event log review should be accomplished via continuous, automated monitoring processes. These logs should cover any access to PII and include specific information (the user, the time and date, and the kinds of changes made).
- PII in Audit Logs: If audit logs themselves PII (relatively common), those logs must be protected and monitored as PII.
These controls are refined such that if personal use company-wide communication media internally or externally, they must operate under a confidentiality agreement stating that they will refrain from broadcasting PII over such channels.
Systems Acquisition and Design
Systems should follow “privacy by design” and “privacy by default” principles, following guidance in ISO 29100 implemented in the design phase and revisited in all design milestones. And under no circumstances should PII be used as a test data set for software or system development.
Supplier agreements should include mention of systems processing PII, with a clear allocation of responsibilities for security and management between suppliers and third parties. There should also be mechanisms to ensure that these agreements (and any compliance or regulatory requirements) are adhered to.
Information Security Incident Management
The organization must include PII within their incident response and recovery management plans. Furthermore, if specific regulations or compliance requirements adhere to PII specifically, those must be integrated into these security plans.
Should there be an incident affecting PII or PII-containing systems, then an immediate review must follow to inform the incident response process, except in cases where the event could not impact PII.
Finally, the organization should have, in the form of a contract or terms of service, an agreement with customers regarding how they will report any breach of PII. This report should include information that would be useful for regulatory or forensic purposes, including the event description, the time of the event, the consequences of the event, and steps taken to resolve the event.
The organization should include a record of any legal sanctions resulting from improper processing of PII, including fines or loss of operating licenses. These sanctions can be used to inform contracts with customers and third-party suppliers.
Stay Ahead of Evolving ISO Requirements with Lazarus Alliance
The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s important to understand how those changes result in a unique PIMS infrastructure.
Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.