Understanding ISO 27701 Clause 6.3.1.3 Requirements
The International Organization for Standardization (ISO) advocates a holistic approach to privacy protection and PIMS-related activities: organisations should build professional connections with ‘special interest groups’ (individuals or organisations involved with information security) and should know how to respond to incidents by involving the relevant external authorities.
Whoever the organisation decides to communicate with – and however it chooses to do so – all efforts need to be focused on both improving current privacy protection standards and bolstering resilience against the future loss, theft or misuse of PII.
What’s Covered in ISO 27701 Clause 6.3.1.3
ISO 27701 Clauses 6.3.1.3 and 6.3.1.4 do not form their own subsection of Clause 6.3, but they are linked in numerous ways and are best treated together for practical purposes.
Both clauses map to guidance contained within ISO 27002, but instead of addressing information security in general they deal solely with PII, privacy protection and the setup and maintenance of a PIMS. Neither clause contains any GDPR-specific guidance.
- ISO 27701 Clause 6.3.1.3 – Contact with authorities (References ISO 27002 Control 5.5)
- ISO 27701 Clause 6.3.1.4 – Contact with special interest groups (References ISO 27002 Control 5.6)
ISO 27701 Clause 6.3.1.3 – Contact With Authorities
References ISO 27002 Control 5.5
Organisations acting as a PII controller that experience a security incident or PII breach should have a documented set of instructions to rely on, setting out how to communicate with external authorities in order to:
- Take action against the source.
- Set internal expectations.
- Improve resolution time.
External authorities may include:
- The emergency services.
- Utility providers.
- Internet/telephony providers.
All communication methods should be planned and documented as part of a privacy protection policy that sets out how to inform law enforcement agencies, regulatory bodies and any other industry- or sector-specific agencies with a right to know about privacy protection-related matters.
Contact with authorities is closely linked to:
- Organisational incident management (see ISO 27002 controls 5.24 to 5.28).
- Backup and disaster recovery (BUDR) and business continuity (see ISO 27002 controls 5.29 to 5.30).
Relevant Controls
- ISO 27002 5.24
- ISO 27002 5.28
ISO 27701 Clause 6.3.1.4 – Contact With Special Interest Groups
References ISO 27002 Control 5.6
Alongside contact with external authorities, organisations should maintain an ongoing professional relationship with industry- and sector-specific ‘special interest groups’ in order to demonstrate compliance, improve their PII protection standards and develop a more effective Privacy Information Management System.
Organisations should seek out membership of special interest groups in order to:
- Remain informed about current industry best practices, and gather specialised advice.
- Put themselves in the best possible position to receive early warnings of real and projected attack vectors.
- Participate in industry-wide forums and seminars that disseminate the latest technologies, security techniques, protection standards and operating procedures.
- Forge links with individuals and companies who will be able to assist in the event of an incident (see ISO 27002 5.24 to 5.28).
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.3.1.3 | Contact With Authorities | 5.5 – Contact with Authorities | None |
| 6.3.1.4 | Contact With Special Interest Groups | 5.6 – Contact with Special Interest Groups | None |
How ISMS.online Helps
By adding a PIMS to your ISMS on the ISMS.online platform, your security posture stays in one place and you avoid duplicating work where the two standards overlap.
With your PIMS accessible to interested parties, you can monitor, report and audit against both ISO 27001 and ISO 27701 from a single platform.
Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online.
Find out more by booking a demo.