In my previous blog post, we looked at Context and Leadership. This post will pick up from Planning and cover the rest of clause 5 of the ISO 27701 standard.
Planning is mainly focused on risk assessment and risk treatment.
Information Security Risk Assessment
The ISO 27701 standard seems to imply a separation of information security risk assessment and privacy risk assessment processes.
It assumes that the Confidentiality, Integrity and Availability (CIA) of the data within the scope of the PIMS (the Privacy Information Management System) should be assessed by the Information Security risk assessment process.
It also assumes that the Privacy risk assessment process only identifies risk related to the processing of PII.
In an attempt to be flexible and allow multiple risk assessment processes in potentially different areas of the business, the ISO 27701 standard fails to make clear the obvious interdependencies between these two risk assessment processes.
The CIA risks are directly related to the privacy requirements of that data. High-risk personal data, as defined by the GDPR, should have a correspondingly higher requirement for confidentiality, integrity and availability. So the Privacy risk requirements must drive the Information Security treatments.
You cannot conduct this activity as two completely separate risk assessments. At a minimum, the privacy risk assessment must feed into the CIA information security risk assessment. It is the Privacy risk assessment that determines the value of that data to the organisation. Only once you understand that value can you drive the CIA risk assessment and apply effective information security controls to the data.
Information Security Risk Treatment
This section within the ISO 27701 Standard assumes that the Statement of Applicability is fit for purpose, as it stands, without modification for Privacy. In doing so, it assumes that all of the listed applicable controls are discretionary, and that the organisation has the ability to choose whether to apply them.
Mandatory Privacy Controls
With Privacy controls added into the Statement of Applicability, we will now have a group of mandatory controls that are required by legislation (i.e. by the GDPR).
The current ISO 27701 Standard misses this point, but it would be good practice to highlight in your Statement of Applicability which of the new Privacy Controls you have added are mandatory controls forced by legislation. This shows your auditor that you understand the legislation and have applied controls correctly to cover it.
Monitoring of Mandatory Privacy Controls
It also follows that because you now have some mandatory controls, you should ensure that all of the mandatory controls have monitoring activities associated with them.
The logic for applying monitoring to applicable controls is that you have performed a risk assessment and selected your highest-risk or highest-value controls to be monitored.
It then also follows that if you now have some mandatory controls, these must become the highest priority to monitor. You should mark on your Statement of Applicability which controls are mandatory due to Privacy legislation, and assign at least one monitoring activity to each one.
This level of clarity should be supported with a few paragraphs of explanation within your ISMS Manual. Your external auditor is looking for clear, logical reasoning for why you have implemented your ISMS in the way that you have. Putting this logic down in writing in your ISMS Manual is a clear way of allowing your auditor to understand, in plain English, what you have done and why you have done it.
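The Statement of Applicability logic above (mark which controls are mandatory by legislation, give each of them at least one monitoring activity, and prioritise monitoring by mandatory status and then by risk) lends itself to a simple automated check. The following Python is an added example written for this post, not code from the original article or from the ISO standards; the control references (ISMS-01, PIMS-01 and so on), titles, risk ratings, legal bases and monitoring activities are constructed placeholders, not ISO 27701 Annex A entries.

```python
"""Statement of Applicability (SoA) gap check for mandatory privacy controls.

Added illustration, not part of the original post. All control references,
titles, risk ratings and monitoring activities are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    ref: str                 # SoA reference (placeholder, e.g. "PIMS-01")
    title: str
    applicable: bool         # selected as applicable in the SoA
    risk_rating: int         # 1 (low) .. 5 (high), taken from the risk assessment
    mandatory: bool = False  # forced by legislation rather than chosen by the organisation
    legal_basis: str = ""    # which legislation forces it; empty for discretionary controls
    monitoring: List[str] = field(default_factory=list)  # monitoring activities assigned


# Constructed sample SoA extract (hypothetical references, titles and ratings).
SOA: List[Control] = [
    Control("ISMS-01", "Access control policy", True, 4,
            monitoring=["Quarterly access review"]),
    Control("ISMS-02", "Clear desk and clear screen", True, 2),
    Control("PIMS-01", "Record of processing activities", True, 3, True,
            "GDPR (placeholder article)", monitoring=["Annual review by the DPO"]),
    Control("PIMS-02", "Personal data breach notification", True, 5, True,
            "GDPR (placeholder article)"),
    # Contradiction: legislation forces this control, yet it is marked not applicable.
    Control("PIMS-03", "Data subject access requests", False, 3, True,
            "GDPR (placeholder article)"),
]


def mandatory_without_monitoring(soa: List[Control]) -> List[str]:
    """Applicable mandatory controls that have no monitoring activity assigned."""
    return [c.ref for c in soa if c.applicable and c.mandatory and not c.monitoring]


def mandatory_marked_not_applicable(soa: List[Control]) -> List[str]:
    """Mandatory controls an organisation has (wrongly) excluded from the SoA."""
    return [c.ref for c in soa if c.mandatory and not c.applicable]


def monitoring_priority(soa: List[Control]) -> List[str]:
    """Applicable controls ordered for monitoring: mandatory first, then by risk rating."""
    applicable = [c for c in soa if c.applicable]
    ordered = sorted(applicable, key=lambda c: (not c.mandatory, -c.risk_rating, c.ref))
    return [c.ref for c in ordered]


def audit_summary(soa: List[Control]) -> Dict[str, object]:
    """Figures an auditor would want to see alongside the SoA."""
    return {
        "applicable_count": sum(1 for c in soa if c.applicable),
        "mandatory_count": sum(1 for c in soa if c.mandatory),
        "mandatory_unmonitored": mandatory_without_monitoring(soa),
        "mandatory_not_applicable": mandatory_marked_not_applicable(soa),
        "monitoring_priority": monitoring_priority(soa),
    }


if __name__ == "__main__":
    for key, value in audit_summary(SOA).items():
        print(f"{key}: {value}")
```

Two findings come out of the sample data: PIMS-02 is mandatory but has no monitoring activity, and PIMS-03 is mandatory yet marked not applicable, which is the kind of contradiction an auditor will pick up on immediately. Both lists are what you would want empty before the ISMS Manual claims that every legislatively mandated control is monitored.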
The ISO 27701 standard assumes that no further requirements apply to this section of your ISMS (the Support clause: competence, awareness, communication and documented information). However, you do need to make some modifications for Privacy in this area.
The Competence requirement needs to show that you have the Privacy skills available to support the PIMS/ISMS, which are new additions to your ISMS.
The Awareness requirement is likely to be two separate awareness programmes rather than one single Information Security and Privacy awareness programme. The requirements for awareness around Privacy are quite specific and trying to add them as a sub-topic of Information Security Awareness may not work. We need to be cognisant of the fact that whilst the ISMS came first, the legal driver here is Privacy and it naturally carries more weight.
It is Privacy issues that will get you the huge fine, and it is Privacy that is taking up air-time at Board level. Yes, Information Security controls underlie most of these issues. But it is Privacy that is driving the compliance bus, and that will be the case for the foreseeable future.
As a result, you now have two Awareness programmes to explain within your ISMS Manual, not one.
This applies to Communications also. You are likely to have Privacy messaging and Information security messaging, as two separate threads. Again, you now have two Communication approaches to explain in your ISMS Manual.
The construction and maintenance of a repository to store all of the appropriate controlled documents relevant to the ISMS and PIMS seems to be an area where there is no specific Privacy requirement. Your folder structure simply has to be amended to allow the addition of all of your Privacy controlled documents, with review cycles and version control kept as before.
Operational Planning and Control
The current ISO 27701 Standard misses the fact that, due to organisational dependencies, Privacy and Information Security might actually reside in two separate parts of your business. If this is the case, you will have to describe both of these structures in your ISMS (i.e. how Information Security operates, and how Privacy operates). Again, a few paragraphs in your ISMS Manual should suffice.
As mentioned previously, monitoring should no longer be considered discretionary for the mandatory Privacy controls. If you have a legal obligation to implement a form of control, then you should consider this as an obvious candidate for monitoring.
The management review of monitoring should happen at a level in the organisation that covers both the Information Security and Privacy domains. If you have the organisational split highlighted above, this may be a slightly more peer-to-peer arrangement of senior management, rather than a hierarchical one.
This senior management governance problem is the single biggest issue with adding privacy into an ISMS, for organisations where this is not a natural hierarchical fit.
Constructing an effective governance process in these circumstances can be theoretically, practically and politically challenging. I will leave specific guidance for how to handle such structures to a separate post.
The last area of the generic ISMS structural clauses (4-10) in ISO 27001 is Improvement, and this area does not need further modification. You simply need to keep track of Privacy non-conformities and corrective actions, Data Regulator recommendations and Internal Audit findings, as you would for your Information Security improvements.
Part 3 of this series will start with Policies and the 114 applicable controls in the ISO 27002 guidance.