The specific requirements of ISO 27001:2013 for information security risk assessment address risks to the confidentiality, integrity and availability (CIA) of information within the scope being assessed. By adopting ISO 27701, the scope will need to be extended to address PII.
The PII risks will need risk treatment. This may be carried out within the 27001 risk treatment framework, or a separate model might suffice.
Possible options include an amalgamation of previous DPIAs (data protection privacy impact assessments) or a high-level assessment of the type and nature of PII that the organisation is handling. Here you would refer to the local regulation in force, such as the UK DPA 2018, which sits alongside the GDPR.
The organisation should fully appreciate the PII risks and options for treatment and create meaningful controls to reduce PII breaches.
BS ISO/IEC 27701 outlines the option of integrating the above within a 27001:2013 model or separating the PII elements into a supplementary risk table.
The author would advocate integration, simply because the high-level framework of Annex SL attempts to simplify corporate risk treatment.
Again, when considering PII risk at a high level, it is important to consider whether the organisation's scope extension is for a PIMS as a data controller, a data processor or indeed both. Refer to sections 7 and 8 of ISO 27701:2019.
For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: [email protected]
Marcus has twenty years' experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is a Certified Data Protection Officer, a qualified GDPR practitioner and a member of the National Association of Data Protection Officers.