ISO 27701, Clause 5.5 – Support

ISO 27701 Controls and Clauses Explained

Book a demo

coworkers,work,modern,studio.production,managers,team,working,new,project.young,business

Alongside the implementation of specific policies and the PIMS itself, organisations need to be mindful of how to both support and disseminate their broader privacy protection and PIMS-related activities, both internally and externally, to ensure continued adherence.

ISO 27701 5.5 addresses the concept of support in four main areas:

  1. Resources – How well placed an organisation is to implement a PIMS from a financial and manpower perspective.

  2. Competence – The skills and proficiencies required to operate within a secure data environment.

  3. Awareness – Ensuring that staff understand both the policies themselves, and what is expected of them.

  4. Communication – How privacy protection activities and events are communicated both within and outside the organisation.

What’s Covered in ISO 27701 Clause 5.5

To articulate the various privacy protection, PII and PIMS-related guidelines, ISO 27701 5.5 relies heavily on the guidance contained within ISO 27001 section 7 (Support).

ISO 27701 5.5 contains four sub-clauses that take each element of organisational support activity in turn:

  • ISO 27701 5.5.1 – Resources (References ISO 27001 Control 7.1)

  • ISO 27701 5.5.2 – Competence (References ISO 27001 Control 7.2)

  • ISO 27001 5.5.3 – Awareness (References ISO 27001 Control 7.3)

  • ISO 27001 5.5.4 – Communication (References ISO 27001 Control 7.4)

Unlike most other clauses in ISO 27701, clause 5.5 doesn’t contain any additional guidance that is applicable to the implementation of a PIMS, nor are any of its sub-clauses relevant to articles contained within GDPR legislation.

Jump to Topic
Achieve ISO 27701 Success

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 5.5.1 – Resources

References ISO 27001 Control 7.1

Organisations need to ensure that they have adequate resources to plan, implement and improve a PIMS that meets their stated privacy protection objectives.

ISO 27701 Clause 5.5.2 – Competence

References ISO 27001 Control 7.2

Anyone who works on controls, policies and/or procedures that deal with organisational privacy protection should have the necessary competence to do so.

To safeguard PII and prevent against accidental exposure or loss of data, organisations should:

  • Ensure that anyone doing work that has the potential to impact privacy protection and PII has the requisite skillset(s) to do so.

  • Keep in mind three factors that denote an individual’s level of competence:

    • Education.

    • Training.

    • Experience.

  • Take steps to recruit, train and/or otherwise acquire the necessary competence levels.

  • Maintain thorough documentation that is able to demonstrate compliance with the requisite level of competence, as is required by the organisation’s PIMS and/or privacy protection policy.

ISO 27701 Clause 5.5.3 – Awareness

References ISO 27001 Control 7.3

Promoting awareness of a PIMS and organisational privacy protection policy is paramount in ensuring adherence to broader information security and PII objectives.

Individuals doing work that has the potential to impact privacy protection should be explicitly aware of:

  1. The organisation’s privacy protection policy.

  2. Their obligations towards maintaining an efficient and compliant PIMS.

  3. The consequences of weather wilfully or accidentally bypassing any of the organisation’s privacy protection controls – both for themselves, the organisation and the data subjects.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how easy ISO 27701 is with ISMS.online
Get your quote

ISO 27701 Clause 5.5.4 – Communication

References ISO 27001 Control 7.4

As with most other business functions, efficient communication (both internal and external) should be front and centre of any organisational privacy protection efforts.

When implementing or changing a privacy protection policy or procedure, or making announcements about a PIMS or PII-related matter, organisation’s should decide:

  • Precisely what needs to be communicated.

  • When to communicate internally and externally (e.g. to a data subject, or group of subjects, following a PII-related event).

  • Who to communicate to (e.g. staff members affected by a policy change).

  • Who from the organisation should be communicating.

how to communicate (i.e. what channels or media, and any processes that need to be followed, including initial drafting and approval).

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27001 RequirementAssociated GDPR Articles
5.5.1Resources7.1 – Resources for ISO 27001None
5.5.2Competence7.2 – Competence for ISO 27001None
5.5.3Awareness7.3 – Awareness for ISO 27001None
5.5.4Communication7.4 – Communication for ISO 27001None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to achieve ISO 27701 is substantially reduced.

You will also benefit from a range of powerful time-saving features.

See all our features in action by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more