
ISO 27701 Clause 5.7: A Guide to Performance Evaluation

Part and parcel of operating with a watertight set of privacy protection controls is acknowledging the need to continually monitor, assess and improve organisational adherence to PII-related objectives and legal/regulatory requirements.

ISO 27701 Control 5.7 sets out a clear set of guidelines that inform organisations on how to assess their own performance and, equally important, how to enact meaningful change so that privacy protection remains at the forefront of their broader information security policy.

What’s Covered in ISO 27701 Clause 5.7

ISO 27701 Clause 5.7 contains three sub-clauses that deal with the three main constituent parts of privacy protection evaluation – monitoring, auditing and review.

Each sub-clause is linked to an accompanying set of information security guidelines from ISO 27001:

  • ISO 27701 5.7.1 – Monitoring, measurement, analysis and evaluation (References ISO 27001 Control 9.1)
  • ISO 27701 5.7.2 – Internal audit (References ISO 27001 Control 9.2)
  • ISO 27701 5.7.3 – Management review (References ISO 27001 Control 9.3)

Clause 5.7 adds no further guidance on how to apply performance evaluation guidelines within the context of a PIMS, nor does it feature any guidance within the scope of GDPR.

ISO 27701 Clause 5.7.1 – Monitoring, Measurement, Analysis and Evaluation

References ISO 27001 Control 9.1

Organisations need to constantly monitor and evaluate how they perform from a privacy protection standpoint, and how effective their PIMS is in meeting its stated objectives.

In doing so, organisations need to establish:

  1. Precisely what areas of their operation require monitoring;
  2. How they are going to carry out said monitoring, and the mechanisms they’re going to use to analyse any data obtained;
  3. When monitoring activities are to be carried out;
  4. What staff members are going to be involved in monitoring activities;
  5. The period of time when results are to be analysed, following any monitoring activities.

As with all other privacy protection and PII-related activities, a thorough record of all monitoring activities needs to be kept in the form of official documentation.

ISO 27701 Clause 5.7.2 – Internal Audit

References ISO 27001 Control 9.2

Organisations need to be mindful of their responsibility to their own data and processes, by carrying out planned audits at appropriate intervals.

Audits need to establish:

  • Whether the PIMS is in alignment with the organisation’s privacy protection requirements and the relevant ISO standards;
  • Whether the PIMS has been implemented correctly and is being adequately maintained.

To achieve these objectives, organisations should:

  1. Plan, create and maintain a programme of auditing that takes into account several key details:
    • Audit frequency;
    • Auditing method;
    • Internal roles and responsibilities;
    • Pre-implementation and planning requirements;
    • Reporting of auditing data.

  2. Establish the scope of each individual audit.
  3. Reinforce the need for impartiality and an objective approach to data analysis with whoever has been chosen to conduct the audit, be they internal or external staff.
  4. Ensure that auditing results reach the correct internal channels (senior management etc.), so that meaningful actions can be taken to improve the organisation’s information security management system, should the need arise.
  5. Keep a thorough record of all auditing activities in the form of documented information.


ISO 27701 Clause 5.7.3 – Management Review

References ISO 27001 Control 9.3

Senior management plays a key role in ensuring the viability and effectiveness of any privacy protection policy or PIMS implementation.

When reviewing organisational adherence to PII-related controls, policies and procedures, management should include:

  1. Any actions remaining from the previous review.
  2. Any changes to the organisation’s operation that have the potential to impact privacy protection or the processing and/or storage of PII.
  3. Feedback from all relevant sources on privacy protection, including noticeable trends in:
    • Non-adherence and corrective actions;
    • Any data obtained from monitoring activities;
    • The results of recent audits;
    • How the organisation is meeting its stated privacy protection goals.

  4. Feedback from any relevant personnel (internal or external).
  5. The results of any privacy protection risk assessments, and how they are going to be addressed via a dedicated risk treatment plan.
  6. How the organisation intends to develop and improve its privacy protection operation, including any changes that need to be made.

All reviews should be thoroughly documented for future analysis, and to ensure continuity from one review to the next.

Supporting Controls From ISO 27001 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name                               | ISO 27001 Requirement                                                  | Associated GDPR Articles
5.7.1                       | Monitoring, Measurement, Analysis and Evaluation   | 9.1 – Monitoring, Measurement, Analysis and Evaluation for ISO 27001   | None
5.7.2                       | Internal Audit                                     | 9.2 – Internal Audit for ISO 27001                                     | None
5.7.3                       | Management Review                                  | 9.3 – Management Review for ISO 27001                                  | None

How ISMS.online Helps

The ISMS.online platform has built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so the effort required to achieve ISO 27701 is substantially reduced.

You will also benefit from a range of powerful time-saving features.

Explore the benefits with ISMS.online by booking a demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
