ISO 27701 PRIVACY INFORMATION MANAGEMENT Flashcards

1
Q

ISO/IEC 27701

A

covers management of risks related to Personally Identifiable Information (PII) and aids compliance with GDPR regulations.

2
Q

ISO 27701 provides a framework for management of data privacy.

Privacy information management systems are sometimes referred to as

A

personal information management systems.

3
Q

What is ISO/IEC 27701?

A

ISO/IEC 27701 is a data privacy extension to ISO 27001.

It assists organizations to establish systems to support compliance with the European Union General Data Protection Regulation (GDPR) and other data privacy requirements but as a global standard it is not GDPR specific.

4
Q

It allows an organization to manage and to regularly check the compliance status. This permits a _______ __________ of the system to ensure confidentiality protection and address vulnerabilities.

A

continual improvement

5
Q

ISO 27701 is designed as an extension of ISO 27001 and can be implemented

A

simultaneously or at a later stage than ISO 27001.

6
Q

Benefits of becoming certified

A

The standard takes a comprehensive approach to privacy information management and permits organizations to meet personal information protection requirements.

7
Q

ISO/IEC 27701 will help:

A

1) Clarify the roles and responsibilities within your organization.
2) Build trust in your company’s ability to manage personal information, both for customers and employees.
3) Support compliance with GDPR and other applicable privacy regulations.
4) Facilitate agreements with business partners where the processing of PII is mutually relevant.

8
Q

Getting started

A

To obtain certification, you need to implement an effective privacy information management system complying with the requirements of the standard.

9
Q

Whether it is certification of a management system, a product or a project, it provides evidence of your compliance with national or international standards.

The road to certification process will

A

vary slightly for different services, such as certification of management systems or products.

10
Q

How do I prepare for accredited certification?

A

After having decided on the management system you wish to implement, there are certain steps to get you started. Some simple tips have proven invaluable to companies seeking certification. As you set out, keep these in mind:

1) Make sure you begin the process with the right attitude.
2) Have a complete understanding of the concept set forth in the standard and use it as a guide to define your management system.
3) Know what the application and implications of the standard will mean for your company.
4) Use the standard as a tool for improvement.
5) Have an understanding of the risks and processes that affect your organisation’s ability to realise its business strategy.
6) Select your partner (certification body/registrar) carefully.

11
Q

10 general steps that will take you down the road to certification:

A

Obtain the standard
Obtain and read a copy of the standard to familiarize yourself with the requirements and decide if certification/registration to this standard makes good sense for your organization.
Review literature and software
There is a large amount of published information available that is designed to assist you in understanding and implementing a standard. Note also that for some standards there are guidelines developed for how to implement the requirements within an organization (e.g. ISO/TS 9002 covering ISO 9001 and ISO 14004 covering ISO 14001). Take some time to investigate what is available and identify which could support your implementation process.
Assemble a team and define your strategy
The adoption of a management system needs to be the strategic decision of the whole organisation. It is vital that your senior management is involved in the decision and creation process. They decide the business strategy that an efficient management system should support. In addition, you need a dedicated team to develop and implement your management system.
Determine training needs
Your team members responsible for implementing and maintaining the management system(s) will need to know the full details of the applicable standard(s). There is a wide range of training, workshops, and seminars available designed to meet these needs. We provide a number of public courses around the world. Contact your local DNV office for more information.
Review consultant options
Independent consultants will be able to advise you of a workable, realistic, and cost-effective strategy plan for implementation.
Develop your management system documentation
Decide on an appropriate platform for your management system documentation (e.g. specific software, process-map based, SharePoint-based). The right platform is important to ensure effective management, communication and implementation. Your management system should describe the policies and operations of your company. The documentation includes relevant processes and other documented information needed to support you in meeting your intended outcomes and the requirements of the applicable standard.
Determine, manage and document your processes
An important step in establishing your management system is to determine the needed processes and their interactions in accordance with your policies, strategy and objectives. These processes should cover areas such as:
Product and service realization (operational processes)
Meeting relevant needs and expectations of customers and other stakeholders
Management processes, including measurement, analysis, improvement and innovation
Implement your management system
Communication and training are key to a successful implementation. During the implementation phase, your organisation will be working according to the established processes and connected criteria to document and demonstrate the effectiveness of the management system.
Consider a pre-assessment
You can choose to have a preliminary evaluation of the implementation of your management system by a certification body/registrar. The purpose is to identify areas of non-conformance or weaknesses and allow you to correct these areas before you begin the accredited certification process. Receiving a non-conformance means that a particular area of your management system is not compliant with the requirements of the standard.
Select a certification body/registrar
Your business relationship with the certification body/registrar will exist for many years, as your certification has to be maintained. To have an efficient management system, continual improvement is key. DNV will help you get maximum value through the certification journey with a partnership approach, risk-based auditing and digital tools driving efficiency and improvement.

12
Q

ISO/IEC 27701 Released as

A

a New Standard for Privacy Compliance

13
Q

ISO/IEC 27701 At-A-Glance

A

1) ISO/IEC 27701 is a new, privacy-oriented standard that builds upon the well-known ISO/IEC 27001 security standard.
2) Certification to ISO/IEC 27701 (when available) will require certification to ISO/IEC 27001 first.
3) While ISO/IEC 27001 provides controls for general security measures, ISO/IEC 27701 focuses on new requirements and controls, along with implementation guidance, directed specifically at protecting personal information.
4) ISO/IEC 27701 may be used to demonstrate compliance and accountability with various privacy regimes throughout the world, including the GDPR.
5) Businesses may want to include contractual obligations requiring vendors who handle sensitive personal information to comply with or, where appropriate, become certified under ISO/IEC 27701.
6) Vendors handling personal information may want to proactively begin efforts to build on ISO/IEC 27001 compliance and become compliant with and/or certified under ISO/IEC 27701.

14
Q

On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 designed to

A

help organizations protect and control the personal information they handle.

15
Q

Similar to the existing ISO standards that ISO/IEC 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect _______ _______ _______ and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).

A

personally identifiable information (PII)

16
Q

What is ISO/IEC 27701?

A

Originally developed as ISO/IEC 27552, ISO/IEC 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension of the flexible Information Security Management System (ISMS) defined in ISO/IEC 27001 to take into account the privacy protections required for processing PII in addition to information security.

17
Q

Does an organization have to adopt all the standards in ISO/IEC 27701?

A

Like the ISO/IEC 27001 standard, ISO/IEC 27701 does not expect organizations to adopt each and every control in all situations.

Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.

18
Q

To better understand the new standard, which key terms should be understood?

A

1) controllers,
2) joint controllers,
3) processors, and
4) sub-processors.

These or similar terms are found in many privacy laws and regulations, including the GDPR.

19
Q

A “controller” is

A

the entity that directs the reason why PII is collected and processed in the first place.

20
Q

“Joint controllers” are

A

two or more entities that jointly provide this direction.

21
Q

A “processor” is a

A

separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller.

22
Q

The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151 security frameworks. Mappings of the ISO/IEC 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.

A
23
Q

A high-level overview of certain key ISO/IEC 27701 requirements applicable to controllers and processors:

A

Requirements Applicable to Controllers and Processors

Confidentiality. Individuals authorized to access PII must execute a confidentiality agreement.

Analyze Risk. A privacy risk assessment must be conducted to identify PII processing risks.

Oversight. Organizations must appoint an individual who is responsible for developing, implementing, maintaining, and monitoring their governance and privacy program.

Training. Privacy awareness training for personnel that have access to PII is required.

Internal Processes. Organizations must adopt various policies and procedures, such as incident response plans for breaches of PII.

Record Keeping. ISO/IEC 27701 requires organizations to maintain a record of all PII processing activities, including PII transfers between jurisdictions and disclosures to third parties.

24
Q

Processor-Specific Requirements

A

Processing Limitations. Organizations must process PII only on the documented instructions of the controller or processor (depending on the role of the customer).

Assist with Individuals’ Rights. ISO/IEC 27701 requires processors to implement measures that assist the customer in complying with the rights of individuals.

Transfers and Disclosures. Processors must inform the customer in advance of PII transfers between jurisdictions or any intended changes thereof.

Subcontractors. ISO/IEC 27701 requires processors to only engage a subcontractor for processing PII pursuant to the terms of the customer contract.

25
Q

Controller-Specific Requirements

A

Privacy Notices. Organizations must provide a privacy policy containing specific information regarding the collection, use, and processing of PII.

Processor Contract Requirements. Organizations must have a written contract in place with their processors that addresses specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.

Individuals’ Rights. ISO/IEC 27701 requires organizations to implement mechanisms to accommodate individuals’ rights to access, correct, and erase their PII, as well as object to, or restrict, the processing of PII, among others.

Privacy by Design and Default. Organizations must adopt measures that operationalize the principles of privacy by design and default.

26
Q

Benefits of ISO/IEC 27701

A

Compliance with ISO/IEC 27701 first requires compliance with the requirements of ISO/IEC 27001. They are intended to complement each other. Organizations that follow the requirements of ISO/IEC 27701 will create documentary evidence of how they handle the processing of PII, which may be used to facilitate agreements with business partners where the processing of PII is relevant and to clarify the organization’s processing of PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, according to recent reports, ISO/IEC 27701 could change that in the very near future.

27
Q

What Should You Do?

A

Customers engaging vendors to process and maintain PII on their behalf should consider contractually requiring those vendors to comply not only with ISO/IEC 27001, but also with ISO/IEC 27701 or to become certified under this standard if appropriate to the sensitivity of the data. Even if the customer does not require vendors to be certified by an independent third party as compliant with the new standard, they may still want to update their contracts to ensure the vendor can comply with requirements of ISO/IEC 27701. Since ISO/IEC 27701 is still very new, a reasonable time delay for vendors t

28
Q

Organizations that are ISO/IEC 27001 certified and looking to implement the requirements of ISO/IEC 27701 should consider taking the following steps:

A

Perform a gap assessment of the existing ISMS to the requirements of ISO/IEC 27701 and produce an action plan on how to address those gaps.

Conduct a data mapping of the PII collected by the organization to understand the scope of PII collected and how it is used and shared with processors.

Determine the organization’s role as a controller and/or processor based on internal or external factors that are relevant to its context, such as applicable privacy legislation, regulations, judicial decisions, or contractual requirements (among others).

Review and update privacy policies to ensure they contain the required information.

Develop policies and procedures applicable to the organization’s role.

Begin the planning and implementation of the privacy by design and default principles.

29
Q

How do I implement ISO/IEC 27701?

A

Secure commitment across your organization, including your leadership team, employees and supply chain
Regularly engage with your leadership team and key stakeholders
Clearly define your role as a data processor, controller or both
Compare your existing privacy processes and controls with ISO/IEC 27701 requirements
Get supply chain and stakeholder feedback on your current privacy processes and controls
Establish an implementation team to get the best results
Map out and share roles, responsibilities and timescales
Adapt the basic principles of the ISO/IEC 27701 standard to your organization
Motivate and support your staff through training courses
Create a more consistent approach throughout the data processing supply chain by encouraging others to implement ISO/IEC 27701
Consider BSI software to help capture and manage your ISO/IEC 27701 audits, findings, incidents and risks more effectively
Regularly review your ISO/IEC 27701 system to make sure it remains effective and that you are continually improving it

30
Q

Step 3 Certification

A

Once you have implemented the requirements you are ready to begin the certification process for ISO/IEC 27701.

31
Q

Do you have an ISO/IEC 27001 Information Security Management System already in place?

A

If yes, you’re ready to get started with ISO/IEC 27701.

The guidance and requirements for ISO/IEC 27701 Privacy Information Management System (PIMS) go across 8 different clauses and 6 annexes, which include personally identifiable information (PII) controls and mappings to related standards and the GDPR.

It’s vital you understand all the guidance, requirements and controls and ensure they are appropriately implemented across your organization. Here is how you can get started with ISO/IEC 27701.

32
Q

The ISO/IEC 27701:2019 standard

A

is the first international privacy standard, which outlines the requirements for implementing a Privacy Information Management System (PIMS), to govern the handling of personal data, called Personally Identifiable Information (PII) in ISO 27701.

33
Q

Who should implement ISO 27701?

A

ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.

34
Q

GDPR certification

A

While ISO 27701 is not yet governed by accreditation bodies, it is expected that certification bodies will begin to audit against this new ISO standard even though no scheme has yet been established at the International Accreditation Forum (IAF) level.

35
Q

ISO 27701 - an extension to ISO 27001

A

Since many organisations already have an ISO 27001 ISMS, it reduces the complexities around establishing a Privacy Information Management System (PIMS), since the ground has already been laid. Those organisations familiar with ISO 27001 will be able to extend their ISMS to address privacy and support them in GDPR compliance by providing a means to demonstrate commitment to privacy information management.

36
Q

Terminology differences between GDPR and ISO 27701

A

ISO/IEC 27701:2019 uses the vocabulary common to the suite of ISO 2700x standards that cover information security and associated controls. It uses the term Personally Identifiable Information (PII) to describe the information assets that must be protected and managed when providing security and privacy for a data subject, called PII principal.

37
Q

The major differences in terminology between the ISO 27701 standard and GDPR are outlined in the table:

A
38
Q

Information security

A

Adequate information security is necessary for privacy of personal data but is not enough by itself. Preventing the disclosure, loss or corruption of personal data cannot be effective unless the entire life cycle of the personal data processing is protected through information security controls. The ISO standard defines information security as the result of adequate controls to preserve the confidentiality, integrity and availability of information.

39
Q

Good practice supports the identification of control objectives to address privacy risks. One privacy risk might apply to more than one privacy control objective. Each control objective requires the design of a suite of controls – some organisational,

A
40
Q

Category: Conditions for collection and processing

A

Control Objective: A.7.2

To determine and document that processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes.

41
Q

Control A.7.2.1 Identify and document purpose

A

The organization shall identify and document the specific purposes for which the personal data will be processed.

42
Q

Control A.7.2.2 Identify lawful basis

A

The organization shall determine, document and comply with the relevant lawful basis for the processing of personal data for the identified purposes.

43
Q

Control A.7.2.3 Determine when and how consent is to be obtained

A

The organization shall determine and document a process by which it can demonstrate if, when and how consent for the processing of personal data was obtained from data subjects.

44
Q

Control A.7.2.4 Obtain and record consent

A

The organization shall obtain and record consent from data subjects according to the documented processes.

45
Q

Control A.7.2.5 Privacy impact assessment

A

The organization shall assess the need for, and implement where appropriate, a privacy impact assessment whenever new processing of personal data or changes to existing processing of personal data is planned.

46
Q

Control A.7.2.6 Contracts with personal data processors

A

The organization shall have a written contract with any data processor that it uses, and shall ensure that its contracts with data processors address the implementation of the appropriate controls numbered B. (see below)

47
Q

Control A.7.2.7 Joint data controller

A

The organization shall determine respective roles and responsibilities for the processing of personal data (including personal data protection and security requirements) with any joint data controller.

48
Q

Control A.7.2.8 Records related to processing personal data

A

The organization shall determine and securely maintain the necessary records in support of its obligations for the processing of personal data.

49
Q

Category: Obligations to data subjects

A

Control Objective: A.7.3
To ensure that data subjects are provided with appropriate information about the processing of their personal data and to meet any other applicable obligations to data subjects related to the processing of

50
Q

How does ISO 27701 map to other standards?

A

ISO 27701 includes annexes that map to the following other standards:

1) ISO 29100 (Information technology – Security techniques – Privacy framework);
2) ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
3) ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
4) The standard also maps its requirements and controls to the GDPR’s requirements (e.g. GDPR requirements related to data subjects’ rights are covered by ISO 27701’s controls covering obligations to PII principals).

51
Q

ISO 27701 provides ______ for implementing each control.

A

guidance

52
Q

It’s also worth noting that BS 10012:2017 with Annex A1:2018 is a similar standard to ISO 27701, and doesn’t require implementing

A

ISO 27001 as a prerequisite.

53
Q

How will ISO 27701 certification support CCPA compliance?

A

Achieving certification to both ISO 27701 and ISO 27001 will enable you to meet the privacy and data security requirements of all major privacy frameworks. You will also be able to demonstrate that you have taken the necessary measures to protect the consumer data you process and uphold data subjects’ rights.

54
Q

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001. It has been designed to integrate with ISO 27001 to extend an existing ______ (information security management system) with additional requirements, enabling an organization to establish, implement, maintain, and continually improve its PIMS.

A

ISMS

55
Q

ISO 27701 provides guidance on the protection of privacy, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as

A

the EU’s GDPR (General Data Protection Regulation).

56
Q

ISO/IEC 27701:2019: An introduction to privacy information management offers a concise introduction to the Standard, aiding those organizations looking to improve their privacy information management regime, particularly where ISO/IEC 27701:2019 is involved. It is intended for:

A

Individuals looking for general information about privacy information management

Organizations implementing, or considering improving, a PIMS, particularly where the use of ISO/IEC 27701:2019 is being considered

57
Q

ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). It’s a privacy extension to ISO/IEC 27001 Information Security Management and ___________.

A

ISO/IEC 27002 Security Controls.

58
Q

It provides guidance and requirements on the protection of privacy, helping both personally identifiable information (PII) processors and PII controllers to put robust data processes and controls in place.
This means you can demonstrate _________ for managing PII, instill trust and build strong business relationships.

A

accountability

59
Q

What kind of organizations can benefit from ISO/IEC 27701?

A

ISO/IEC 27701 is ideal for all types and sizes of organizations who want to demonstrate that they take protecting personal information seriously.

60
Q

Whether you’re a public or private company, government entity or not-for-profit organization, if your organization is responsible for processing PII within an information security management system then __________ is for you.

A

ISO/IEC 27701

61
Q

Specific organizational roles include:

A
  • PII controllers (including those who are joint PII controllers)
  • PII processors
62
Q

Benefits of ISO/IEC 27701

A

1) Builds trust in managing PII
2) Supports compliance with privacy regulations
3) Reduces complexity by integrating with ISO/IEC 27001
4) Facilitates effective business relationships
5) Clarifies roles and responsibilities

63
Q

The key requirements of ISO/IEC 27701

A

Clause 1: Scope

64
Q

Clause 1: Scope

A

ISO/IEC 27701 is aimed at providing requirements and guidance to establish, implement, maintain and improve a privacy information management system in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002. It is focused on both PII controllers and PII processors, who hold responsibility and accountability for processing PII.

65
Q

What sets out the requirements for the management system and its intended application in ISO 27701?

A

Clause 1: Scope

66
Q

Clause 2: Normative references

A

For ISO/IEC 27701 these include:
ISO/IEC 27000 Information security management systems – overview and vocabulary
ISO/IEC 27001 Information security management systems – requirements
ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 29100 Privacy framework

67
Q

What are Normative references?

A

They are documents referred to throughout a standard.

68
Q

Clause 3: Terms and definitions

A

This section provides a couple of additional definitions for important terms used throughout the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100.

69
Q

Clause 4: General

A

This clause ‘sets the scene’ for ISO/IEC 27701. It provides an overview of the document’s structure and indicates, at a high level, the location of PIMS-specific requirements in relation to ISO/IEC 27001 and ISO/IEC 27002.

70
Q

Clause 5: PIMS specific requirements related to ISO/IEC 27001

A

1) This clause is all about extending information security requirements from ISO/IEC 27001 to incorporate the protection of privacy.
2) As part of the context of the organization, you need to determine your role as a processor and/or controller and consider the impact of internal and external factors such as privacy specific regulations and contractual requirements.
3) Depending on your role, relevant controls from Annexes A and/or B need to be implemented and applied to your existing statement of applicability.
4) You must also consider interested parties associated with processing PII, the scope of your PIMS and how you’ll effectively implement, maintain and continually improve the system.

71
Q

List most important requirements in Clause 5:

A

1) Requirements for leadership,
2) planning,
3) support,
4) operation,
5) performance evaluation and improvement from ISO/IEC 27001 must be considered and extended as appropriate to ensure the protection of privacy.
6) In particular, risks to information and processing of PII must now be assessed and treated appropriately.

72
Q

Clause 6: PIMS specific guidance related to ISO/IEC 27002

A

This clause is all about extending information security guidance from ISO/IEC 27002 to incorporate the protection of privacy.

73
Q

Clause 6 states that organizations need to consider the additional implementation guidance around information security policies to incorporate relevant privacy statements, based on compliance, contractual and stakeholder requirements.

True/ False

A

True

74
Q

Clause 6 provides clearer guidance on

A

1) roles and responsibilities in relation to PII processing.
2) awareness of incident reporting and
3) the consequences of a privacy breach.
4) Guidance to ensure consideration of PII within your information classification is provided.
5) You must understand the PII your organization processes, where it is stored and the systems it flows through.
6) People must also be aware of what PII is and how to recognize it.
7) More detailed implementation guidance is included on incident management, removable media, user access on systems and services that process PII, cryptographic protection, re-assigning storage space that previously stored PII, back-up and recovery of PII, event log reviews, information transfer policies and confidentiality agreements.
8) Plus, guidance in this clause encourages you to consider PII up front before data transmission on public networks, and as part of system development and design.
9) Importantly, supplier relationships, expectations and responsibilities need addressing.

75
Q

Clause 8: Additional guidance for PII Processors

A

This clause covers PIMS specific implementation guidance for PII processors. It relates to controls listed in Annex B.

76
Q

Clause 8 states that customer contracts should address your organization’s role as a PII Processor to assist with customer obligations, including those of

A

PII principals.

77
Q

Which clause provides guidance suggesting that prior consent must be obtained to use PII for marketing and advertising purposes?

A

Clause 8

78
Q

In Clause 8, guidance is outlined to identify and maintain the necessary records to help demonstrate compliance with the agreed PII processing you conduct.

True/ False

A

True

79
Q

Clause 8 provides detailed guidance on

A

1) helping your customer respond to individual requests,
2) managing temporary files created during processing,
3) returning, transferring or disposing PII securely and
4) appropriate transmission controls.

80
Q

In Clause 8, PII sharing, transfer and disclosure guidance is detailed to address

A

1) jurisdictional transfers,
2) third-party and
3) sub-contractor requirements and
4) management of legally binding PII disclosures.

81
Q

How many Annexes are included in ISO/IEC 27701?

A

6

82
Q

What are Annexes A and B about?

A

Annexes A and B are for controllers and processors respectively.

83
Q

What do Annexes C – F provide?

A

additional knowledge that can support with setting up and operating an effective PIMS.

84
Q

Annex A

A
85
Q

Annex B

A
86
Q

Annex C

A
87
Q

Annex D

A
88
Q

Annex E

A
89
Q

Annex F

A
90
Q

What is the world’s most popular information security standard?

A

BS 7799, now ISO/IEC 27001.