ISO 27701:2019 Checklist
Privacy Information Management
Systems
1.0 Context
The Organisation
Have you determined and documented your role as PII Controller and/or Processor?
Interested Parties
Have you determined internal and external issues that will impact on your Privacy Information Management System? Including applicable legislation, judicial decisions, organizational context, contractual requirements etc.
Scope
Have you included the processing of PII in your ISMS scope?
2.0 Planning
Risk & Opportunities
Have you applied your information security risk assessment process to identify risks associated with confidentiality, integrity, and availability of PII and other information?
Have you ensured the relationship between information security and PII protection is appropriately managed?
Have you considered when assessing the applicability of control objectives from Annex A, in the context of both risks to information security as well as risks related to processing of PII?
Request a Quick Quote
Request an obligation free quote today, tailored specifically to your business’ certification needs and industry.
Get Your ISO Checklist
Contact Us
3.0 Information Security Policies
Have you considered your commitment to achieving compliance to applicable PII regulations in your Privacy Policies and your contractual agreements?
Have you produced a statement (either in existing policies or as a standalone policy) concerning support or and commitment to achieving compliance with applicable PII protection legislation /regulations and with any contractual obligations?
4.0 Organisation of Information Security
Internal Organisation
Have you designated a point of contact for the customer with regards to their PII?
Have you developed and implemented an organisation-wide governance and privacy program for staff to understand and comply with applicable privacy regulations?
Have you appointed at least one person to be responsible for the maintenance of the governance and privacy program and are they are aware of their responsibilities?
5.0 Human Resource Community
Have you made relevant staff aware of incident reporting and the consequences to themselves, the organisation and the PII principal in the case of a breach of privacy or security?
6.0 Asset Management
Has your information classification system explicitly considered PII, where it is stored and the systems through which it can flow?
Are you documenting any use of removable media and/or devices used for the storage of PII?
Are you disposing of PII on removable media such that it will no longer be accessible?
7.0 Access Control
Do you have documented procedures for registration and de-registration of users who administer or operate systems that process PII?
8.0 Cryptographic Controls
Do you communicate to your customers the circumstances in which cryptography is used to protect PII?
9.0 Physical and Environmental Security
Are you ensuring that when storage space is re-assigned, any previously stored PII is no longer accessible?
Are you restricting the production of hard copy material including PII to the minimum?
10.0 Communications Security
Information Transfer
Have you put procedures in place to ensure that rules regarding PII are enforced throughout the organisation?
Confidentiality or Non-Disclosure Agreements
Do you ensure everyone with access to PII signs and agrees to a non-disclosure agreement or similar?
11.0 Operations Security
Back Up
Do you have a documented policy that includes the requirements for backup, recovery and restoration of PII that is communicated and available to all relevant staff?
Do you have processes in place to identify incompleteness/inaccuracy and to resolve this?
Do you have responsibilities in relation to communicating with customers about PII back up and restoration?
Is there a procedure for and log of PII restoration efforts?
Do you have external obligations with respect to back up and are you compliant?
Are you able to document and demonstrate all of your compliance with external obligations in relation to restoring log content?
Do you have processes in place to ensure PII is restored to a state where integrity can be assured?
Do you have a process to review event logs either using continuous automated monitoring and alerting processes or manually?
For PII Process Only
Do you have a documented set of criteria that defines if, when and how log information can be made available to the customer?
Have you put controls in place to ensure customers can only access their own logs and not that of others?
Protection of Log Information
Have you put controls in place to ensure log information is used only as intended?
Have you put in place a procedure (preferably automatic) to ensure logged information is either deleted or de-identified?
12.0 Systems Acquisition, Development & Maintenance
Securing Application Services n Public Networks
Do you ensure that PII is only transmitted over trusted networks, or where it must be transmitted over untrusted networks it is encrypted?
Secure Systems Engineering Principals
Are your systems and components involved in the processing of PII designed in alignment with local privacy regulations?
Test Data
How do you ensure that PII is not used for testing purposes?
Security in Development & Support Processes
Do your system development and design policies consider PII needs based on local regulations?
Do your policies contribute to privacy by design and privacy by default and consider the following aspects:
Guidance on PII protection through the software development cycle
Privacy and PII protection requirements in the design phase, which can be based on the risk assessment
PII protection checkpoints and miles stones
Required privacy knowledge
Minimize PII processing by default
13.0 Information Security Management
Responsibilities & Procedures
Do you have an independent third party contracted to conduct audits on your information security to ensure it is implemented and operated in accordance with your policies and procedures?
For PII Processors
Do provisions covering the notification of a breach form part of the contract with your customer?
Does the contract specify how this information should be provided?
Are there obligations to notify the PII controller of a breach?
Do you have processes for recording the following details of a breach?
- Description
- Time Period
- Consequence
- Who reported it
- To whom it was reported
- How it was resolved
- Description of the loss/unavailability of PII
Does the record include a description of the PII comprised?
Do you have a process to record all notifications to the customer and/or regulatory agencies
14.0 Compliance
Identification of Applicable Legislation & Contractual Requirements
Have you identified any legal consequences that can arise from noncompliance with privacy regulations related to processing of PII
Protection of Records
Do you retain historical copies of your privacy policies and associated procedures for the time specified by your local privacy regulations?
Independent Review of Information Security
Do you have an independent third party contracted to conduct audits on your information security to ensure it is implemented and operated in accordance with your policies and procedures?
Technical Compliance Review
Have you implemented methods of reviewing tools and components related to processing PII?
15.0 Supplier Relationships
Addressing Security Within Supplier Agreements
Do you specify in supplier agreements whether PII is processed, and the minimum protection measures the supplier needs to meet?
ANNEX – Additional Information
Documented legality & purposes for data collection.
Documented processes for obtaining consent from the PII.
Roles and responsibilities of any joint PII controller(s).
7.3 Obligations to PII Principals
Documented legal, regulatory, and business obligations to PII principals Method by which the PII Principal can access, correct
and/or erase data and modify or withdraw consent or object to processing, and have changes communicated to any third parties.
Ability to provide a copy of processed data to the PII Principal on request.
Documented policies and procedures on handling legitimate PII Principal requests.
7.4 Privacy by design and privacy by default
Limit data collection and processing to only what information is relevant and necessary. Documented data minimisation objectives and mechanisms to meet objectives. Delete or de-identify PII upon completion of processing and. Only retain PII for as long as necessary. Documented policies and procedures for secure disposal of PII
7.5 PII sharing, transfer and disclosure
Documented justification for the transfer of PII between jurisdictions as well as which countries and international organisations PII may be allowed to be transferred. Record transfers of PII between third parties
The contract to process PII addresses your role in providing assistance with the customer’s obligations
Ensure PII are only processed for the purposes expressed by the customer and inform the customer if a processing instruction infringes any applicable legislation and/or regulation. Document and maintain records in support of demonstrating compliance with the obligations as specified in the contract
8.3 Obligations to PII Principals
Provide the customer with the means to comply with obligations related to PII principals. Provide PII Principals with the appropriate information
relating to processing of their PII
8.4 Privacy by design and privacy by default
Temporary files created as a result of the processing of PII are disposed of securely Documented policy on secure return, transfer, and disposal of PII available to the customer controls in place for the transmission of PII to ensure the information reaches the intended destination
8.5 PII sharing, transfer and disclosure
Obligation to inform the customer of the justification for any intended transfers between jurisdictions, giving the customer the option to object. Maintain records of what PII has been disclosed to third parties as well as to whom and when. Obligation to notify the customer of any legally binding requests for PII to be disclose. Reject non-legally binding requests for disclosure of PII or consult the customer before disclosing PII
Disclose any use of subcontractors to the customer and engage with subcontractors in accordance with the agreement with the customer, and inform the customer of intended changes regarding the use of subcontractors giving the customer the option to object.
Have our own Checklist
What is Privacy Information Management Systems?
ISO 27701 Privacy Information Management Systems is an extension of ISO 27001 designed to help organisations meet these everchanging legal requirements surrounding data collection and privacy.
Why do I need ISO 27701 Privacy Certification?
Certification to ISO 27701 provides you with an independent endorsement that your Privacy Information Management System meets international standards, giving your stakeholders confidence that you take privacy seriously.
What are the benefits of Privacy Certification?
ISO 27701 Privacy Certification provides your organisation with an independent endorsement to stakeholders that your organisation takes privacy seriously and has adequate systems in place to manage sensitive information.
How can I get certified?
Getting ISO certification is a lot easier than you might think, We take you through the three step audit process from your initial enquiry to the final certification decision.
ISO 27701 Certification Throughout America
Compass Assurance Services is able to certify businesses throughout America
Want to speak to someone?
Contact Us
Contact us and speak to one of our helpful team about your ISO certification needs. We can offer certification to smaller, niche standards and to other non-accredited (non ISO) standards as well.
Request a Quote
Request an obligation free quote today, tailored specifically to your business’ certification needs and industry.
