Achieving Compliance with ISO 27701 Clause 6.15: A Complete Overview
Compliance is a vital part of any privacy protection operation – organisations need to be able to demonstrate that they are fulfilling their obligations towards PII, and the systems that are used to store and process privacy-related material.
What’s Covered in ISO 27701 Clause 6.15
ISO 27701 6.15 deals with compliance in two main areas – compliance with legal and contractual requirements, and information security reviews (the latter being the main vehicle to uncover instances of non-compliance, and resolve any privacy-related issues).
- ISO 27701 6.15.1.1 – Identification of applicable legislation and contractual requirements (ISO 27002 Control 5.31)
- ISO 27701 6.15.1.2 – Intellectual property rights (ISO 27002 Control 5.32)
- ISO 27701 6.15.1.3 – Protection of records (ISO 27002 Control 5.33)
- ISO 27701 6.15.1.4 – Privacy and protection of personally identifiable information (ISO 27002 Control 5.34)
- ISO 27701 6.15.1.5 – Regulation of cryptographic controls (ISO 27002 Control 5.31)
- ISO 27701 6.15.2.1 – Independent review of information security (ISO 27002 Control 5.35)
- ISO 27701 6.15.2.2 – Compliance with security policies and standards (ISO 27002 Control 5.36)
- ISO 27701 6.15.2.3 – Technical compliance review (ISO 27002 Control 5.36)
Four sub-clauses contain information that is relevant to UK GDPR legislation – we’ve provided the article references underneath each sub-clause for your convenience:
- ISO 27701 6.15.1.1
- ISO 27701 6.15.1.3
- ISO 27701 6.15.2.1
- ISO 27701 6.15.2.3
ISO 27701 Clause 6.15.1.1 – Identification of Applicable Legislation and Contractual Requirements
References ISO 27002 Control 5.31
Organisations should conform to legal, statutory, regulatory and contractual requirements when:
- Drafting and/or amending privacy information security procedures.
- Categorising information.
- Embarking upon risk assessments relating to privacy information security activities.
- Forging supplier relationships, including any contractual obligations throughout the supply chain.
Legislative and Regulatory Factors
Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.
Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third parties, suppliers and contractors.
Cryptography
When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:
- Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function.
- Provide access to encrypted information under the laws of the jurisdiction they are operating within.
- Utilise three key elements of encryption:
  - Digital signatures.
  - Seals.
  - Digital certificates.
Applicable GDPR Articles
- Article 5 – (1)(f)
- Article 28 – (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g), (3)(h)
- Article 30 – (2)(d)
- Article 32 – (1)(b)
Relevant ISO 27002 Controls
- ISO 27002 5.20
ISO 27701 Clause 6.15.1.2 – Intellectual Property Rights
References ISO 27002 Control 5.32
To safeguard any data, software or assets that could be deemed intellectual property (IP), organisations should:
- Adhere to a “topic-specific” policy that deals with IP rights, which takes into account IP on a case-by-case basis.
- Adhere to procedures that define how IP integrity can be maintained whilst utilising organisational software and products.
- Only utilise reputable sources to acquire software, when purchasing, renting or leasing software and software subscriptions.
- Retain proof of ownership documentation (electronic or physical).
- Adhere to software usage limits.
- Undergo periodic software reviews to avoid utilising any unauthorised or potentially harmful applications.
- Ensure that software licenses are valid and up to date, and fair use guidelines are being adhered to.
- Draft procedures that ensure the safe, secure and compliant disposal of software assets.
- (Where commercial recordings are concerned), ensure that no part of the recording is extracted, copied or converted by any unauthorised means.
- Ensure that textual data is considered alongside digital media.
ISO 27701 Clause 6.15.1.3 – Protection of Records
References ISO 27002 Control 5.33
Organisations should consider record management across four key areas:
- Authenticity
- Reliability
- Integrity
- Usability
To maintain a functional records system that safeguards PII and privacy-related information, organisations should:
- Publish guidelines that deal with:
  - Storage.
  - Handling (chain of custody).
  - Disposal.
  - Preventing manipulation.
- Outline how long each record type should be retained.
- Observe any laws that deal with record keeping.
- Adhere to customer expectations in how organisations should handle their records.
- Destroy records once they’re no longer required.
- Classify records based on their security risk, e.g.:
  - Accounting.
  - Business transactions.
  - Personnel records.
  - Legal.
- Ensure that they are able to retrieve records within an acceptable period of time, if asked to do so by a third party or law enforcement agency.
- Always adhere to manufacturer guidelines when storing or handling records on electronic media sources.
Applicable GDPR Articles
- Article 5 – (2)
- Article 24 – (2)
ISO 27701 Clause 6.15.1.4 – Privacy and Protection of Personally Identifiable Information
References ISO 27002 Control 5.34
Organisations should treat PII as a topic-specific concept that needs to be addressed within the scope of numerous distinct business functions.
First and foremost, organisations should implement policies that cater to three main aspects of PII processing and storage:
- Preservation
- Privacy
- Protection
Organisations should ensure that all employees are aware of their obligations towards handling PII, not merely those that encounter it daily as part of their job.
Privacy Officers
Organisations should appoint a Privacy Officer, whose job it is to provide guidance to employees and third-party organisations on the subject of PII, alongside offering advice to senior management on how to maintain the integrity and availability of privacy information.
ISO 27701 Clause 6.15.1.5 – Regulation of Cryptographic Controls
References ISO 27002 Control 5.31
See ISO 27701 Clause 6.15.1.1
ISO 27701 Clause 6.15.2.1 – Independent Review of Information Security
References ISO 27002 Control 5.35
Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.
Reviews should be conducted by:
- Internal auditors.
- Independent departmental managers.
- Specialised third-party organisations.
Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisation’s own procedures.
Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.
As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:
- Following amendments to internal policies, laws, guidelines and regulations which affect privacy protection.
- After major incidents that have impacted upon privacy protection.
- Whenever a new business is created, or major changes are enacted to the current business.
- Following the adoption of a new product or service that deals with privacy protection in any way.
Applicable GDPR Articles
- Article 32 – (1)(d), (2)
ISO 27701 Clause 6.15.2.2 – Compliance With Security Policies and Standards
References ISO 27002 Control 5.36
Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.
Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.
Where compliance issues are discovered, organisations should:
- Establish the cause.
- Decide upon a method of corrective action to plug any compliance gaps.
- Revisit the issue after an appropriate period of time, to ensure the problem is resolved.
It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.
ISO 27701 Clause 6.15.2.3 – Technical Compliance Review
References ISO 27002 Control 5.36
See ISO 27701 Clause 6.15.2.2
Applicable GDPR Articles
- Article 32 – (1)(d), (2)
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.15.1.1 | Identification of Applicable Legislation and Contractual Requirements | 5.31 – Legal, Statutory, Regulatory and Contractual Requirements | Articles 5, 28, 30, 32 |
| 6.15.1.2 | Intellectual Property Rights | 5.32 – Intellectual Property Rights | None |
| 6.15.1.3 | Protection of Records | 5.33 – Protection of Records | Articles 5, 24 |
| 6.15.1.4 | Privacy and Protection of Personally Identifiable Information | 5.34 – Privacy and Protection of PII | None |
| 6.15.1.5 | Regulation of Cryptographic Controls | 5.31 – Legal, Statutory, Regulatory and Contractual Requirements | None |
| 6.15.2.1 | Independent Review of Information Security | 5.35 – Independent Review of Information Security | Article 32 |
| 6.15.2.2 | Compliance With Security Policies and Standards | 5.36 – Compliance With Policies, Rules and Standards for Information Security | None |
| 6.15.2.3 | Technical Compliance Review | 5.36 – Compliance With Policies, Rules and Standards for Information Security | Article 32 |
How ISMS.online Helps
ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data.
At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey.
We also provide video resources and access to information security professionals to help you integrate standards into your company.
Find out more by booking a hands-on demo.