Once the organisation has mastered the interpretation of the PIMS-specific requirements relating to ISO 27001: 2013 (the Standard), attention can then be focussed upon the guidance for enhancing the PII controls.

Normally an entity would select the relevant controls from Annex A of ISO 27001: 2013 and create the SOA (Statement of Applicability). Specific guidance is given on controls for PII data controllers and processors within 27701.

Section six of BS ISO/IEC 27701: 2019 details the suggested control areas from 27002 that have been modified to address relevant PII requirements.

An example is section 6.3 Organisation of information security. The guidance document suggests that the organisation should assign a responsible individual as a point of reference to the customer with regard to the processing of PII.

By working through the tabulated framework of controls that are relevant to the scope, the relevant PII clauses can be considered in turn.

An example where a control area is enhanced is 6.4.2.2 Information security awareness, education, and training. Whilst the existing 27001: 2013 requirements apply, the PIMS-specific guidance from 27002 suggests the following: measures should be adopted for awareness of PII incident reporting. Staff should be made aware of the possible legal and reputational damage that can result from failing to comply with policies and procedures.

In this instance the organisation could strengthen its existing controls to ensure appropriate programmes of training and education are adopted to prevent such scenarios occurring.

Once controls have been drafted, they should be included within the ISMS as detailed in section 5.2.4 and be approved in a structured manner.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: [email protected]

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is a Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.