ISO 27701 Clause 6.9.7: Strengthening Information Systems Audits
Auditing usually involves gathering large amounts of information on any given system – including user actions, customer data and critical events.
The process of auditing itself can represent a risk to PII and privacy protection, given that such activities have the potential to impact on data availability, and sometimes require specialised methods to interrogate sensitive datasets.
What’s Covered in ISO 27701 Clause 6.9.7
ISO 27701 6.9.7 contains one sub-clause related to ICT auditing and the associated privacy risks – ISO 6.9.7.1 – which includes guidance from ISO 27002 Control 8.34.
ISO provides no additional PIMS or PII-related guidance points, nor are there any UK GDPR considerations to keep in mind.
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
ISO 27701 Clause 6.9.7.1 – Information Systems Audit Controls
References ISO 27002 Control 8.34
When performing periodic auditing (and other network assurance activities) plans should be drafted to ensure that the integrity and availability of PII and privacy-related assets is protected at all times.
To achieve this, organisations should:
- Ensure that access to systems is appropriately managed, for auditing purposes.
- Clearly outline the scope of auditing activities, before they are implemented.
- Where possible, limit access to sensitive data to read-only privileges. If elevated permissions are required, organisations should consider delegating auditing duties to an ‘experienced administrator’.
- Scrutinise the security configuration of the devices that are being used to conduct the audit.
- Operate with an agreed procedure for requesting specialised auditing tools.
- Where possible, execute all auditing activities outside of business hours, where such activities have the potential to impact upon system availability.
- Maintain a thorough log of all auditing activities (including requests), for compliance purposes.
- Consider the privacy implications of auditing testing and development facilities and environments.
Supporting Controls From ISO 27002 and GDPR
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.9.7.1 | Information Systems Audit Controls | 8.34 – Protection of Information Systems During Audit Testing for ISO 27002 | None |
How ISMS.online Helps
Our PIMS adheres to the international standard ISO 27001, but it can also accommodate a growing number of national, regional, and sector-specific privacy standards, frameworks, and regulations.
- GDPR
- POPIA
- BS 10012
- Australian Privacy Principles
- NIST Privacy Framework
- OECD Privacy Guidelines
- APEC Privacy Framework
- And more
With our intuitive platform, you can map your work across multiple frameworks, eliminating duplication and repetition.
Find out more by booking a demo.
