
BS EN ISO/IEC 27701:2021

$215.11

Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Requirements and guidelines

Published by: BSI
Publication date: 2021
Number of pages: 78


This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

PDF Catalog

PDF page Section title
8 Foreword
9 Introduction
11 1 Scope
2 Normative references
3 Terms, definitions and abbreviations
12 4 General
4.1 Structure of this document
4.2 Application of ISO/IEC 27001:2013 requirements
13 4.3 Application of ISO/IEC 27002:2013 guidelines
14 4.4 Customer
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.2.1 Understanding the organization and its context
15 5.2.2 Understanding the needs and expectations of interested parties
5.2.3 Determining the scope of the information security management system
5.2.4 Information security management system
5.3 Leadership
5.3.1 Leadership and commitment
5.3.2 Policy
5.3.3 Organizational roles, responsibilities and authorities
16 5.4 Planning
5.4.1 Actions to address risks and opportunities
17 5.4.2 Information security objectives and planning to achieve them
5.5 Support
5.5.1 Resources
5.5.2 Competence
5.5.3 Awareness
5.5.4 Communication
5.5.5 Documented information
5.6 Operation
5.6.1 Operational planning and control
5.6.2 Information security risk assessment
5.6.3 Information security risk treatment
18 5.7 Performance evaluation
5.7.1 Monitoring, measurement, analysis and evaluation
5.7.2 Internal audit
5.7.3 Management review
5.8 Improvement
5.8.1 Nonconformity and corrective action
5.8.2 Continual improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.2.1 Management direction for information security
19 6.3 Organization of information security
6.3.1 Internal organization
20 6.3.2 Mobile devices and teleworking
6.4 Human resource security
6.4.1 Prior to employment
6.4.2 During employment
21 6.4.3 Termination and change of employment
6.5 Asset management
6.5.1 Responsibility for assets
6.5.2 Information classification
22 6.5.3 Media handling
23 6.6 Access control
6.6.1 Business requirements of access control
6.6.2 User access management
24 6.6.3 User responsibilities
6.6.4 System and application access control
25 6.7 Cryptography
6.7.1 Cryptographic controls
6.8 Physical and environmental security
6.8.1 Secure areas
26 6.8.2 Equipment
27 6.9 Operations security
6.9.1 Operational procedures and responsibilities
28 6.9.2 Protection from malware
6.9.3 Backup
6.9.4 Logging and monitoring
29 6.9.5 Control of operational software
30 6.9.6 Technical vulnerability management
6.9.7 Information systems audit considerations
6.10 Communications security
6.10.1 Network security management
6.10.2 Information transfer
31 6.11 Systems acquisition, development and maintenance
6.11.1 Security requirements of information systems
6.11.2 Security in development and support processes
33 6.11.3 Test data
6.12 Supplier relationships
6.12.1 Information security in supplier relationships
34 6.12.2 Supplier service delivery management
6.13 Information security incident management
6.13.1 Management of information security incidents and improvements
37 6.14 Information security aspects of business continuity management
6.14.1 Information security continuity
6.14.2 Redundancies
6.15 Compliance
6.15.1 Compliance with legal and contractual requirements
38 6.15.2 Information security reviews
39 7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.2.1 Identify and document purpose
7.2.2 Identify lawful basis
40 7.2.3 Determine when and how consent is to be obtained
7.2.4 Obtain and record consent
41 7.2.5 Privacy impact assessment
7.2.6 Contracts with PII processors
42 7.2.7 Joint PII controller
7.2.8 Records related to processing PII
43 7.3 Obligations to PII principals
7.3.1 Determining and fulfilling obligations to PII principals
7.3.2 Determining information for PII principals
44 7.3.3 Providing information to PII principals
7.3.4 Providing mechanism to modify or withdraw consent
45 7.3.5 Providing mechanism to object to PII processing
7.3.6 Access, correction and/or erasure
46 7.3.7 PII controllers’ obligations to inform third parties
7.3.8 Providing copy of PII processed
47 7.3.9 Handling requests
7.3.10 Automated decision making
48 7.4 Privacy by design and privacy by default
7.4.1 Limit collection
7.4.2 Limit processing
7.4.3 Accuracy and quality
49 7.4.4 PII minimization objectives
7.4.5 PII de-identification and deletion at the end of processing
7.4.6 Temporary files
50 7.4.7 Retention
7.4.8 Disposal
7.4.9 PII transmission controls
51 7.5 PII sharing, transfer, and disclosure
7.5.1 Identify basis for PII transfer between jurisdictions
7.5.2 Countries and international organizations to which PII can be transferred
7.5.3 Records of transfer of PII
52 7.5.4 Records of PII disclosure to third parties
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.2.1 Customer agreement
53 8.2.2 Organization’s purposes
8.2.3 Marketing and advertising use
8.2.4 Infringing instruction
8.2.5 Customer obligations
54 8.2.6 Records related to processing PII
8.3 Obligations to PII principals
8.3.1 Obligations to PII principals
8.4 Privacy by design and privacy by default
8.4.1 Temporary files
55 8.4.2 Return, transfer or disposal of PII
8.4.3 PII transmission controls
56 8.5 PII sharing, transfer, and disclosure
8.5.1 Basis for PII transfer between jurisdictions
8.5.2 Countries and international organizations to which PII can be transferred
57 8.5.3 Records of PII disclosure to third parties
8.5.4 Notification of PII disclosure requests
8.5.5 Legally binding PII disclosures
8.5.6 Disclosure of subcontractors used to process PII
58 8.5.7 Engagement of a subcontractor to process PII
8.5.8 Change of subcontractor to process PII
59 Annex A (normative) PIMS-specific reference control objectives and controls (PII Controllers)
63 Annex B (normative) PIMS-specific reference control objectives and controls (PII Processors)
66 Annex C (informative) Mapping to ISO/IEC 29100
68 Annex D (informative) Mapping to the General Data Protection Regulation
71 Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151
74 Annex F (informative) How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
76 Bibliography