ISO 27701 PRIVACY INFORMATION MANAGEMENT Flashcards

Question 1

Q

ISO/IEC 27701

Answer

A

covers management of risks related to Personally Identifiable Information (PII) and aids compliance with GDPR regulations.

Question 2

Q

ISO 27701 provides a framework for management of data privacy.

Privacy information management systems are sometimes referred to as

Answer

A

personal information management systems.

Question 3

Q

What is ISO/IEC 27701?

Answer

A

ISO/IEC 27701 is a data privacy extension to ISO 27001.

It assists organizations to establish systems to support compliance with the European Union General Data Protection Regulation (GDPR) and other data privacy requirements but as a global standard it is not GDPR specific.

Question 4

Q

It allows an organization to manage and to regularly check the compliance status. This permits a _______ __________ of the system to ensure confidentiality protection and address vulnerabilities.

Answer

A

continual improvement

Question 5

Q

ISO 27701 is designed as an extension of ISO 27001 and can be implemented

Answer

A

simultaneously or at a later stage than ISO 27001.

Question 6

Q

Benefits of becoming certified

Answer

A

The standard takes a comprehensive approach to privacy information management and permits organizations to meet personal information protection requirements.

Question 7

Q

ISO/IEC 27701 will help:

Answer

A

1) Clarify the roles and responsibilities within your organization.
2) Build trust in your company’s ability to manage personal information, both for customers and employees.
3) Support compliance with GDPR and other applicable privacy regulations.
4) Facilitate agreements with business partners where the processing of PII is mutually relevant.

Question 8

Q

Getting started

Answer

A

To obtain certification, you need to implement an effective privacy information management system complying with the requirements of the standard.

Question 9

Q

Whether certification of a management system, product or a project, it provides evidence of your compliance according to national or international standards.

The road to certification process will

Answer

A

vary slightly for different services, such as certification of management systems or products.

Question 10

Q

How do I prepare for accredited certification?

Answer

A

After having decided on the management system you wish to implement, there are certain steps to get you started. Some simple tips have proven invaluable to companies seeking certification. As you set out, keep these in mind:

1) Make sure you begin the process with the right attitude.
2) Have a complete understanding of the concept set forth in the standard and use it as a guide to define your management system.
3) Know what application and implications of the standard will mean to your company.
4) Use the standard as a tool for improvement.
5) Have an understanding of the risks and processes that affect your organisation’s ability to realise its business strategy.
6) Select your partner (certification body/registrar) carefully.

Question 11

Q

10 general steps that will take you down the road to certification:

Answer

A

Obtain the standard
Obtain and read a copy of the standard to familiarize yourself with the requirements and decide if certification/registration to this standard makes good sense for your organization.
Review literature and software
There is a large amount of published information available that is designed to assist you in understanding and implementing a standard. Note also that for some standards there are guidelines developed for how to implement the requirements within an organization (e.g. ISO/TS 9002 covering ISO 9001 and ISO 14004 covering ISO 14001). Use some time to investigate what is available and identify which could be of support for your implementation process.
Assemble a team and define your strategy
The adoption of a management system needs to be the strategic decision of the whole organisation. It is vital that your senior management is involved in the decision and creation process. They decide the business strategy that an efficient management system should support. In addition, you need a dedicated team to develop and implement your management system.
Determine training needs
Your team members responsible for implementing and maintaining the management system(s) will need to know the full details of the applicable standard(s). There is a wide range of training, workshops, and seminars available designed to meet these needs. We provide a number of public courses around the world. Contact your local DNV office for more information.
Review consultant options
Independent consultants will be able to advise you of a workable, realistic, and cost-effective strategy plan for implementation.
Develop your management system documentation
Decide an appropriate platform for your management system documentation (e.g. specific software, process-map based, sharepoint-based). The right platform is important to ensure effective management, communication and implementation. Your management system should describe the policies and operations of your company. The documentation includes relevant processes and other documented information needed to support you in meeting your intended outcomes and the requirements of the applicable standard.
Determine, manage and document your processes
An important step in establishing your management system is to determine the needed processes and their interactions in accordance with your policies, strategy and objectives. These processes should cover areas such as:
Product and service realization (operational processes)
Meeting relevant needs and expectations of customers and other stakeholders
Management processes, including measurement, analysis, improvement and innovation
Implement your management system
Communication and training are key to a successful implementation. During the implementation phase, your organisation will be working according to the established processes and connected criteria to document and demonstrate the effectiveness of the management system.
Consider a pre-assessment
You can choose to have a preliminary evaluation of the implementation of your management system by a certification body/registrar. The purpose is to identify areas of non-conformance or weaknesses and allow you to correct these areas before you begin the accredited certification process. Receiving a non-conformance means that a particular area of your management systems is not compliant with the requirements of the standard.
Select a certification body/registrar
Your business relationship with the certification body/registrar will exist for many years, as your certification has to be maintained. To have an efficient management system, continual improvement is key. DNV will help you get maximum value through the certification journey with a partnership approach, risk-based auditing and digital tools driving efficiency and improvement.

Question 12

Q

ISO/IEC 27701 Released as

Answer

A

a New Standard for Privacy Compliance

Question 13

Q

ISO/IEC 27701 At-A-Glance

Answer

A

1) ISO/IEC 27701 is a new, privacy-oriented standard that builds upon the well-known ISO/IEC 27001 security standard.
2) Certification to ISO/IEC 27701 (when available) will require certification to ISO/IEC 27001 first.
3) While ISO/IEC 27001 provides controls for general security measures, ISO/IEC 27701 focuses on new requirements and controls, along with implementation guidance, directed specifically at protecting personal information.
4) ISO/IEC 27701 may be used to demonstrate compliance and accountability with various privacy regimes throughout the world, including the GDPR.
5) Businesses may want to include contractual obligations requiring vendors who handle sensitive personal information to comply with or, where appropriate, become certified under ISO/IEC 27701.
6) Vendors handling personal information may want to proactively begin efforts to build on ISO/IEC 27001 compliance and become compliant with and/or certified under ISO/IEC 27701.

Question 14

Q

On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 designed to

Answer

A

help organizations protect and control the personal information they handle.

Question 15

Q

Similar to the existing ISO standards that ISO/IEC 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect _______ _______ _______ and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).

Answer

A

personally identifiable information (PII)

Question 16

Q

What is ISO/IEC 27701?

Answer

A

Originally developed as ISO/IEC 27552, ISO/IEC 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension of the flexible Information Security Management System (ISMS) defined in ISO/IEC 27001 to take into account the privacy protections required for processing PII in addition to information security.

Question 17

Q

Does an organization have to adopt all the standards in ISO/IEC 27701?

Answer

A

Like the ISO/IEC 27001 standard, ISO/IEC 27701 does not expect organizations to adopt each and every control in all situations.

Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.

Question 18

Q

To better understand the new standard, which key terms should be understood?

Answer

A

1) controllers,
2) joint controllers,
3) processors, and
4) sub-processors.

These or similar terms are found in many privacy laws and regulations, including the GDPR.

Question 19

Q

A “controller” is

Answer

A

the entity that directs the reason why PII is collected and processed in the first place.

Question 20

Q

“Joint controllers” are

Answer

A

two or more entities that jointly provide this direction.

Question 21

Q

A “processor” is a

Answer

A

separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller.

Question 22

Q

The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151 security frameworks. Mappings of the ISO/IEC 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes

Question 23

Q

A high-level overview of certain key ISO/IEC 27701 requirements applicable to controllers and processors:

Answer

A

Requirements Applicable to Controllers and Processors

Confidentiality. Individuals authorized to access PII must execute a confidentiality agreement.

Analyze Risk. A privacy risk assessment must be conducted to identify PII processing risks.

Oversight. Organizations must appoint an individual who is responsible for developing, implementing, maintaining, and monitoring their governance and privacy program.

Training. Privacy awareness training for personnel that have access to PII is required.

Internal Processes. Organizations must adopt various policies and procedures, such as incident response plans for breaches of PII.

Record Keeping. ISO/IEC 27701 requires organizations to maintain a record of all PII processing activities, including PII transfers between jurisdictions and disclosures to third parties.

Question 24

Q

Processor-Specific Requirements

Answer

A

Processing Limitations. Organizations must process PII only on the documented instructions of the controller or processor (depending on the role of the customer).

Assist with Individuals’ Rights. ISO/IEC 27701 requires processors to implement measures that assist the customer in complying with the rights of individuals.

Transfers and Disclosures. Processors must inform the customer in advance of PII transfers between jurisdictions or any intended changes thereof.

Subcontractors. ISO/IEC 27701 requires processors to only engage a subcontractor for processing PII pursuant to the terms of the customer contract.

Question 25

Q

Controller-Specific Requirements

Answer

A

Privacy Notices. Organizations must provide a privacy policy containing specific information regarding the collection, use, and processing of PII.

Processor Contract Requirements. Organizations must have a written contract in place with their processors that addresses specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.

Individuals’ Rights. ISO/IEC 27701 requires organizations to implement mechanisms to accommodate individuals’ rights to access, correct, and erase their PII, as well as object to, or restrict, the processing of PII, among others.

Privacy by Design and Default. Organizations must adopt measures that operationalize the principles of privacy by design and default.

Question 26

Q

Benefits of ISO/IEC 27701

Answer

A

Compliance with ISO/IEC 27701 first requires compliance with the requirements of ISO/IEC 27001. They are intended to complement each other. Organizations that follow the requirements of ISO/IEC 27701 will create documentary evidence of how they handle the processing of PII, which may be used to facilitate agreements with business partners where the processing of PII is relevant and to clarify the organization’s processing of PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, according to recent reports, ISO/IEC 27701 could change that in the very near future.

Question 27

Q

What Should You Do?

Answer

A

Customers engaging vendors to process and maintain PII on their behalf should consider contractually requiring those vendors to comply not only with ISO/IEC 27001, but also with ISO/IEC 27701 or to become certified under this standard if appropriate to the sensitivity of the data. Even if the customer does not require vendors to be certified by an independent third party as compliant with the new standard, they may still want to update their contracts to ensure the vendor can comply with requirements of ISO/IEC 27701. Since ISO/IEC 27701 is still very new, a reasonable time delay for vendors t

Question 28

Q

Organizations that are ISO/IEC 27001 certified and looking to implement the requirements of ISO/IEC 27701 should consider taking the following steps:

Answer

A

Perform a gap assessment of the existing ISMS to the requirements of ISO/IEC 27701 and produce an action plan on how to address those gaps.

Conduct a data mapping of the PII collected by the organization to understand the scope of PII collected and how it is used and shared with processors.

Determine the organization’s role as a controller and/or processor based on internal or external factors that are relevant to its context, such as applicable privacy legislation, regulations, judicial decisions, or contractual requirements (among others).

Review and update privacy policies to ensure they contain the required information.

Develop policies and procedures applicable to the organization’s role.

Begin the planning and implementation of the privacy by design and default principles.

Question 29

Q

How do I implement ISO/IEC 27701?

Answer

A

Secure commitment across your organization, including your leadership team, employees and supply chain
Regularly engage with your leadership team and key stakeholders
Clearly define your role as a data processor, controller or both
Compare your existing privacy processes and controls with ISO/IEC 27701 requirements
Get supply chain and stakeholder feedback on your current privacy processes and controls
Establish an implementation team to get the best results
Map out and share roles, responsibilities and timescales
Adapt the basic principles of the ISO/IEC 27701 standard to your organization
Motivate and support your staff through training courses
Create a more consistent approach throughout the data processing supply chain by encouraging others to implement ISO/IEC 27701
Consider BSI software to help capture and manage your ISO/IEC 27701 audits, findings, incidents and risks more effectively
Regularly review your ISO/IEC 27701 system to make sure it remains effective and that you are continually improving it

Question 30

Q

Step 3 Certification

Answer

A

Once you have implemented the requirements you are ready to begin the certification process for ISO/IEC 27701.

Question 31

Q

Do you have an ISO/IEC 27001 Information Security Management System already in place?

Answer

A

If yes, you’re ready to get started with ISO/IEC 27701.

The guidance and requirements for ISO/IEC 27701 Privacy Information Management System (PIMS) go across 8 different clauses and 6 annexes, which include personally identifiable information (PII) controls and mappings to related standards and the GDPR.

It’s vital you understand all the guidance, requirements and controls and ensure they are appropriately implemented across your organization. Here is how you can get started with ISO/IEC 27701.

Question 32

Q

The ISO/IEC 27701:2019 standard

Answer

A

is the first international privacy standard, which outlines the requirements for implementing a Privacy Information Management System (PIMS), to govern the handling of personal data, called Personally Identifiable Information (PII) in ISO 27701.

Question 33

Q

Who should implement ISO 27701?

Answer

A

ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.

Question 34

Q

GDPR certification

Answer

A

While ISO 27701 is not yet governed by accreditation bodies, it is expected that certification bodies will begin to audit against this new ISO standard despite no established scheme has yet been defined at the International Accreditation Forum (IAF) level.

Question 35

Q

ISO 27701 - an extension to ISO 27001

Answer

A

Since many organisations already have an ISO 27001 ISMS, it reduces the complexities around establishing a Privacy Information Management System (PIMS), since the ground has already been laid. Those organisations familiar with ISO 27001 will be able to extend their ISMS to address privacy and support them in GDPR compliance by providing a means to demonstrate commitment to privacy information management.

Question 36

Q

Terminology differences between GDPR and ISO 27701

Answer

A

ISO/IEC 27701:2019 uses the vocabulary common to the suite of ISO 2700x standards that cover information security and associated controls. It uses the term Personally Identifiable Information (PII) to describe the information assets that must be protected and managed when providing security and privacy for a data subject, called PII principal.

Question 37

Q

The major differences in terminology between the ISO 27701 standard and GDPR are outlined in the table:

Question 38

Q

Information security

Answer

A

Adequate information security is necessary for privacy of personal data but is not enough by itself. Preventing the disclosure, loss or corruption of personal data cannot be effective unless the entire life cycle of the personal data processing is protected through information security controls. The ISO standard defines information security as the result of adequate controls to preserve the confidentiality, integrity and availability of information.

Question 39

Q

Good practice supports the identification of control objectives to address privacy risks. One privacy risk might apply to more than one privacy control objective. Each control objective requires the design of a suite of controls – some organisational,

Question 40

Q

Catagory: Conditions for collection and processing

Answer

A

Control Objective: A.7.2

To determine and document that processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes.

Question 41

Q

Control A.7.2.1 Identify and document purpose

Answer

A

The organization shall identify and document the specific purposes for which the personal data will be processed.

Question 42

Q

Control A.7.2.2 Identify lawful basis

Answer

A

The organization shall determine, document and comply with the relevant lawful basis for the processing of personal data for the identified purposes.

Question 43

Q

Control A.7.2.3 Determine when and how consent is to be obtained

Answer

A

The organization shall determine and document a process by which it can demonstrate if, when and how consent for the processing of personal data was obtained from data subjects.

Question 44

Q

Control A.7.2.4 Obtain and record consent

Answer

A

The organization shall obtain and record consent from data subjects according to the documented processes.

Question 45

Q

Control A.7.2.5 Privacy impact assessment

Answer

A

The organization shall assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of personal data or changes to existing processing of personal data is planned.

Question 46

Q

Control A.7.2.6 Contracts with personal data processors

Answer

A

The organization shall have a written contract with any data processor that it uses, and shall ensure that their contracts with data processors address the implementation of the appropriate controls numbered B. (see below)

Question 47

Q

Control A.7.2.7 Joint data controller

Answer

A

The organization shall determine respective roles and responsibilities for the processing of personal data (including personal data protection and security requirements) with any joint data controller.

Question 48

Q

Control A.7.2.8 Records related to processing personal data

Answer

A

The organization shall determine and securely maintain the necessary records in support of its obligations for the processing of personal data.

Question 49

Q

Category: Obligations to data subjects

Answer

A

Control Object. A.7.3
To ensure that data subjects are provided with appropriate information about the processing of their personal data and to meet any other applicable obligations to data subjects related to the processing of

Question 50

Q

How does ISO 27701 map to other standards?

Answer

A

ISO 27701 includes annexes that map to the following other standards:

1) ISO 29100 (Information technology – Security techniques – Privacy framework);
2) ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
3) ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
4) The standard also maps its requirements and controls to the GDPR’s requirements (e.g. GDPR requirements related to data subjects’ rights are covered by ISO 27701’s controls covering obligations to PII principles).

Question 51

Q

ISO 27701 provides ______ for implementing each control.

Question 52

Q

It’s also worth noting that BS 10012:2017 with Annex A1:2018 is a similar standard to ISO 27701, and doesn’t require implementing

Answer

A

ISO 27001 as a prerequisite.

Question 53

Q

How will ISO 27701 certification support CCPA compliance?

Answer

A

Achieving certification to both ISO 27701 and ISO 27001 will enable you to meet the privacy and data security requirements of all major privacy frameworks. You will also be able to demonstrate that you have taken the necessary measures for to protect the consumer data you process and uphold data subjects’ rights

Question 54

Q

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001. It has been designed to integrate with ISO 27001 to extend an existing ______ (information security management system) with additional requirements, enabling an organization to establish, implement, maintain, and continually improve its PIMS.

Question 55

Q

ISO 27701 provides guidance on the protection of privacy, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as

Answer

A

the EU’s GDPR (General Data Protection Regulation).

Question 56

Q

ISO/IEC 27701:2019: An introduction to privacy information management offers a concise introduction to the Standard, aiding those organizations looking to improve their privacy information management regime, particularly where ISO/IEC 27701:2019 is involved. It is intended for:

Answer

A

Individuals looking for general information about privacy information management

Organizations implementing, or considering improving, a PIMS, particularly where the use of ISO/IEC 27701:2019 is being considered

Question 57

Q

ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). It’s a privacy extension to ISO/IEC 27001 Information Security Management and ___________.

Answer

A

ISO/IEC 27002 Security Controls.

Question 58

Q

It provides guidance and requirements on the protection of privacy, helping both personally identifiable information (PII) processors and PII controllers to put robust data processes and controls in place.
This means you can demonstrate _________ for managing PII, instill trust and build strong business relationships.

Answer

A

accountability

Question 59

Q

What kind of organizations can benefit from ISO/IEC 27701?

Answer

A

ISO/IEC 27701 is ideal for all types and sizes of organizations who want to demonstrate that they take protecting personal information seriously.

Question 60

Q

Whether you’re a public or private company, government entity or not-for-profit organization, if your organization is responsible for processing PII within an information security management system then __________ is for you.

Answer

A

ISO/IEC 27701

Question 61

Q

Specific organizational roles include:

Answer

A

PII controllers (including those who are joint PII controllers)
PII processors

Question 62

Q

Benefits of ISO/IEC 27701

Answer

A

1) Builds trust in managing PII
2) Supports compliance with privacy regulations
3) Reduces complexity by integrating with ISO/IEC 27001
4) Facilitates effective business relationships
5) Clarifies roles and responsibilities

Question 63

Q

The key requirements of ISO/IEC 27701

Answer

A

Clause 1: Scope

Question 64

Q

Clause 1: Scope

Answer

A

ISO/IEC 27701 is aimed at providing requirements and guidance to establish, implement, maintain and improve a privacy information management system
in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002. Focused on both PII controllers and PII processors who hold responsibility and accountability for processing PII.

Answer 60

A

Clause 1: Scope 1

Answer 61

A

For ISO/IEC 27701 these include:
ISO/IEC 27000 Information security management systems – overview and vocabulary
ISO/IEC 27001 Information security management systems – requirements
ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 29100 Privacy framework

Answer 62

A

They are documents referred to throughout a standard.

Answer 63

A

This section provides a couple of additional definitions for important terms used throughout the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100

Answer 64

A

This clause ‘sets the scene’ for ISO/IEC 27701. It provides an overview of the documents structure and indicates, at a high-level, the location of PIMS specific requirements in relation to ISO/IEC 27001 and ISO/IEC 27002

Answer 65

A

1) This clause is all about extending information security requirements from ISO/IEC 27001 to incorporate the protection of privacy.
2) As part of the context of the organization, you need to determine your role as a processor and/or controller and consider the impact of internal and external factors such as privacy specific regulations and contractual requirements.
3) Depending on your role, relevant controls from Annexes A and/or B need to be implemented and applied to your existing statement of applicability.
4) You must also consider interested parties associated with processing PII, the scope of your PIMS and how you’ll effectively implement, maintain and continually improve the system.

Answer 66

A

1) Requirements for leadership,
2) planning,
3) support,
4) operation,
5) performance evaluation and improvement from ISO/IEC 27001 must be considered and extended as appropriate to ensure the protection of privacy.
6) In particular, risks to information and processing of PII must now be assessed and treated appropriately.

Answer 67

A

This clause is all about extending information security guidance from ISO/IEC 27002 to incorporate the protection of privacy.

Answer 68

A

1) roles and responsibilities in relation to PII processing.
2) awareness of incident reporting and 3) the consequences of a privacy breach.
4) Guidance to ensure consideration of PII within your information classification is provided.
5) You must understand the PII your organization processes, where it is stored and the systems it flows through.
6) People must also be aware of what PII is and how to recognize it.
7) More detailed implementation guidance is included on incident management, removable media, user access on systems and services that process PII, cryptographic protection, re-assigning storage space that previously stored PII, back-up and recovery of PII, event log reviews, information transfer policies and confidentiality agreements.
8) Plus, guidance in this clause encourages you to consider PII up front before data transmission on public networks, and as part of system development and design.
9) Importantly, supplier relationships, expectations and responsibilities need addressing.

Answer 69

A

This clause covers PIMS specific implementation guidance for PII processors. It relates to controls listed in Annex B.

Answer 70

A

PII principals.

Answer 71

A

1) helping your customer respond to individual requests,
2) managing temporary files created during processing,
3) returning, transferring or disposing PII securely and
4) appropriate transmission controls are included.