Part 4 of a series on implementing ISO 27701 as a way to gain Privacy Certification.
Human Resource Security
The ISO 27701 standard chooses not to add any additional guidance to this set of clauses, with the exception of training and awareness.
This seems to be an oversight, as this is the one area where the organisation is guaranteed to be a Data Controller.
All organisations will be Data Controllers for the data they hold on their employees. As a result, controls need to be applied specifically to this personal data at various stages of the recruitment lifecycle.
As part of any recruitment process, organisations will gather CVs of individuals who wish to be included in the selection process. This personal data is likely to be shared across the organisation to be evaluated by different hiring managers. This can then be extended with the creation of interview notes and other collections of personal data that belongs to the applicant, such as screening checks and medical health assessments.
Additional guidance should be given to ensure that this recruitment-related personal data can be managed effectively and removed when it is no longer necessary. Strict data retention periods should be applied to this data, and in some cases unsuccessful candidates may ask for their personal data to be deleted before that period expires.
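As an added illustration (not part of the original post) of the retention rule described above, the following Python applies a fixed retention period to unsuccessful candidates, honours a deletion request immediately, and never purges a hired candidate's record from the recruitment store (their data moves into the employee record instead). The outcome values, the 180-day period and the sample candidates are constructed for the example, not taken from ISO 27701.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Constructed retention policy: how long recruitment data for an
# unsuccessful candidate may be kept after the decision date.
RETENTION = {
    "rejected": timedelta(days=180),
    "withdrawn": timedelta(days=180),
}


@dataclass
class Candidate:
    candidate_id: str
    outcome: str            # "hired", "rejected" or "withdrawn" (constructed values)
    decision_date: date
    deletion_requested: bool = False


def should_purge(candidate: Candidate, today: date) -> bool:
    """Decide whether a candidate's recruitment data must be removed.

    Order of checks matters: a hired candidate's data is retained because it
    becomes part of the employee record; an explicit deletion request is
    honoured straight away; otherwise the retention clock applies."""
    if candidate.outcome == "hired":
        return False
    if candidate.deletion_requested:
        return True
    if candidate.outcome not in RETENTION:
        # Unknown outcome: fail safe by purging rather than keeping
        # personal data with no defined retention basis.
        return True
    return today - candidate.decision_date > RETENTION[candidate.outcome]


def purge_candidates(candidates: List[Candidate], today: date) -> Tuple[List[str], List[str]]:
    """Split a candidate list into (retained ids, purged ids)."""
    retained, purged = [], []
    for c in candidates:
        (purged if should_purge(c, today) else retained).append(c.candidate_id)
    return retained, purged


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    sample = [
        Candidate("c1", "rejected", date(2019, 11, 1)),
        Candidate("c2", "rejected", date(2020, 3, 1)),
        Candidate("c3", "hired", date(2019, 1, 1)),
        Candidate("c4", "withdrawn", date(2020, 5, 1), deletion_requested=True),
    ]
    print(purge_candidates(sample, date(2020, 6, 1)))
```

Running the purge on a schedule, and logging which records were removed and why, gives the evidence an auditor will ask for when checking that retention periods are actually enforced rather than merely documented.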
Training and Awareness
This is most probably the easiest part of the standard to understand. The GDPR requires training and awareness to be provided to all staff. So does ISO 27001 for information security. The only difference here is that the training is likely to be two discrete sets of training and awareness, rather than some kind of composite that tries to cover both.
The additional implementation guidance in the ISO 27701 standard is again confusing. Instead of explaining in simple terms the need to train all staff on their privacy responsibilities, the implementation guidance strays into incident management, legal matters and the disciplinary issues that follow a data breach.
Asset Management
The implementation guidance in the ISO 27701 standard is not amended in any way in this section. Assuming that PII or personal data is brought into the scope of clauses A.8.1.1 – A.8.1.4, then this is reasonably clear.
The additional guidance given for A.8.2.1 is actually clear and concise. Labelling of Information seems to have backed away from a requirement to label information based on its PII classification. The wording in the guidance for A.8.2.2 does not even mention the need for labelling.
This is however a problem that needs to be solved by the organisation. You need a way to label data such that staff can recognise it for what it is and protect it accordingly.
The more different ways you have of keeping data at different classification levels, the messier and harder to control it gets.
Historically, classification applied to data where different controls were needed because of their cost. Protecting really secret and sensitive data needed special environments, and you did not want to pay for protecting ordinary data in that way. So the concept of classification tiering was established (originally for paper records), whereby marking the data determined which method was used to protect it.
Today this is not a key consideration. It is actually more expensive to try to operate a multi-tiered, compartmentalised approach to data protection than it is to simply protect everything the same way, at the highest level of protection.
Take two simple examples, encrypting data at rest and encrypting data in transit.
If you were to say that only highly confidential data needed to be encrypted at rest and in transit, what you actually end up doing is encrypting at rest for everything on that disk, and using HTTPS for all network activity regardless of data classification.
You would have to assume that if data is unmarked or unlabelled, then the default applied to it is the highest marking that you have. In this way, unmarked or unlabelled data does not break your policies, because there is a default action applied to unmarked data.
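The fail-safe default described above, as an added Python example that is not part of the original post: unmarked or unrecognised labels resolve to the highest tier, and a `flat` switch models the "protect everything at the highest level" policy so the two approaches can be compared over the same records. The tier names, the control names and the policy table are constructed for illustration and are not taken from ISO 27701 or ISO 27001.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed classification tiers, in ascending order of sensitivity.
TIERS = ["public", "internal", "confidential", "pii"]
HIGHEST = TIERS[-1]

# Constructed policy table: controls required per tier. In practice, once
# encryption at rest is switched on for a disk or TLS for a link, it applies
# to everything stored or sent there, whatever the label says.
TIERED_CONTROLS = {
    "public": set(),
    "internal": {"encrypt_in_transit"},
    "confidential": {"encrypt_at_rest", "encrypt_in_transit"},
    "pii": {"encrypt_at_rest", "encrypt_in_transit", "access_logging"},
}


@dataclass
class Record:
    name: str
    label: Optional[str] = None   # None models unmarked/unlabelled data


def effective_label(record: Record) -> str:
    """Resolve a record's label. Missing or unknown labels fall back to the
    highest tier, so an unlabelled record can never receive less protection
    than a labelled one."""
    if record.label is None or record.label not in TIERS:
        return HIGHEST
    return record.label


def required_controls(record: Record, flat: bool = False) -> Set[str]:
    """Controls a record must receive.

    flat=False applies the tiered policy via effective_label().
    flat=True applies the single-tier policy: every record gets the highest
    tier's controls, which makes the label irrelevant to protection."""
    tier = HIGHEST if flat else effective_label(record)
    return set(TIERED_CONTROLS[tier])


def policy_violations(records: Iterable[Record], applied: Set[str], flat: bool = False) -> List[str]:
    """Names of records whose required controls are not all present in
    `applied`, the set of controls actually configured on a store or link."""
    return [r.name for r in records if not required_controls(r, flat) <= applied]


if __name__ == "__main__":
    # Constructed sample records, including one with no label at all.
    sample = [Record("cv_scan.pdf", "pii"), Record("memo.txt", "internal"), Record("unknown.bin")]
    print(policy_violations(sample, {"encrypt_in_transit"}))
```

The useful check is `policy_violations`: run it against the controls a given share, bucket or link really has, and any record it lists is one where the label-based policy and the deployed control set disagree. Under `flat=True` the answer depends only on the store, which is the simplification the post argues for.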
Management of Removable Media
In this day and age, a simple requirement that states all removable media must be encrypted is not an unreasonable request. This should be the default position for all organisations when dealing with PII.
An additional guidance point should be taken into consideration when handling removable media. The ISO 27701 standard is content with loss of data in transit provided it is encrypted. This is not always correct when applied to personal data.
If this removable data copy is the sole backup or is a key element of any personal data availability, then we are also concerned by its potential loss. Loss of data availability is also a data breach. If this data happens to be the last copy that you have available to you, then by losing it you will have a data breach.
Additional guidance should specify that controls should be in place to ensure the availability of personal data. Just encrypting it and not being concerned if it is lost is not enough. Therefore, multiple copies may need to be stored in different locations to reduce the chance of a final copy loss.
Access Control
The access control principle is very clear: unique logins for all, and no shared credentials whatsoever. The original ISO 27001 guidance is very clear on this, and provided no shared credentials are assumed, no additional guidance seems appropriate.
It is strange, therefore, to see that Access Control in ISO 27701 has so much text against it. It is completely unnecessary and is more likely to confuse than support the understanding of the implementer.
Part 5 of this series will pick up with Cryptography controls.