ISO 27001:2013 and its associated guidance set out clear requirements on organisations that hold Personally Identifiable Information (PII). The ICO defines personal data (the GDPR term, which this article treats as equivalent to PII) clearly, and in summary states that:
If, by looking solely at the information you are processing, you can distinguish an individual from other individuals, that individual will be identified (or identifiable). You don’t have to know someone’s name for them to be directly identifiable; a combination of other identifiers may be sufficient to identify the individual. If an individual is directly identifiable from the information, this may constitute personal data.
Before reviewing the control points in ISO 27001, an organisation should consider its own context and the activities it carries out. Under the GDPR, an organisation must determine whether it acts as a Data Controller or a Data Processor for each processing activity. This distinction has a significant impact on the level of controls it must place on data and PII.
There are several control points in ISO 27001 and its associated guidance (ISO 27002) where PII is referenced:

| Standard | Control point in Statement of Applicability | Requirement |
|---|---|---|
| ISO 27001 | 7.1.1 Screening (prior to employment) | Verification should take into account all relevant privacy, protection of personally identifiable information and employment-based legislation |
| ISO 27002 | 5.1 Management direction for information security | Organisations should consider developing appropriate policies for PII |
| ISO 27002 | 12.4 Logging and monitoring (12.4.1 Event logging) | Event logs can contain sensitive data and PII, so appropriate privacy protection measures should be applied to them |
| ISO 27002 | 14.3 Test data (14.3.1 Protection of test data) | Operational data that contains PII should not be used for testing purposes; where this is unavoidable, the sensitive details should be removed or modified in advance |
| ISO 27001 and ISO 27002 | 18.1.4 Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable |
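The two controls that most often need engineering work rather than paperwork are 14.3 (test data) and 12.4 (logging). The following is an added example written for this article, not code from the standard or from Spedan, showing one way to "clean" an operational extract before it reaches a test environment and to redact PII from log lines: direct identifiers are dropped, join keys are pseudonymised with a keyed HMAC so that records about the same person still line up, postcodes are generalised to the outward code, and e-mail addresses and IPv4 addresses in logs are replaced. The records, log lines and `DEMO_KEY` are all constructed for illustration; in practice the key would be held outside the test environment so the pseudonyms cannot be reversed there.

```python
import hashlib
import hmac
import re

# Constructed sample operational records (not real data) as a test-data extract
# might look before cleaning.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7700 900123", "postcode": "MK9 1AA", "order_total": 42.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.org",
     "phone": "+44 7700 900456", "postcode": "MK9 1AB", "order_total": 17.00},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "+44 7700 900123", "postcode": "MK9 1AA", "order_total": 9.99},
]

# Constructed log lines (not from any real system) that contain PII.
SAMPLE_LOG_LINES = [
    "2024-03-01T10:00:00Z INFO login ok user=alice@example.com ip=203.0.113.7",
    "2024-03-01T10:00:05Z WARN password reset requested for bob@example.org from 203.0.113.9",
]

# Hypothetical key for the example only; a real deployment would fetch it from a
# secret store that the test environment cannot read.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

DIRECT_IDENTIFIERS = ("name", "email", "phone")   # never needed by test code: drop
PSEUDONYMISED_KEYS = ("customer_id",)             # test code must still join on these
GENERALISED_KEYS = ("postcode",)                  # keep only a coarse value


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256, truncated: the same input always maps to the same token,
    but the token cannot be linked back to the input without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def clean_record(record: dict, key: bytes) -> dict:
    """Return a copy of one record with PII removed, pseudonymised or generalised."""
    cleaned = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # drop outright
        if field in PSEUDONYMISED_KEYS:
            cleaned[field] = pseudonymise(value, key)  # stable, unlinkable token
        elif field in GENERALISED_KEYS:
            cleaned[field] = value.split()[0]          # outward code only, e.g. "MK9"
        else:
            cleaned[field] = value                     # non-PII business data kept
    return cleaned


def clean_records(records, key: bytes):
    return [clean_record(r, key) for r in records]


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def redact_log_line(line: str, key: bytes) -> str:
    """Replace e-mail addresses with a keyed pseudonym (so one user's events can
    still be correlated) and truncate IPv4 addresses to their /24 network."""
    line = EMAIL_RE.sub(lambda m: "user:" + pseudonymise(m.group(0), key), line)
    line = IPV4_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.{m.group(3)}.0", line)
    return line


if __name__ == "__main__":
    for rec in clean_records(SAMPLE_RECORDS, DEMO_KEY):
        print(rec)
    for ln in SAMPLE_LOG_LINES:
        print(redact_log_line(ln, DEMO_KEY))
```

Because the pseudonym is keyed, the cleaned extract alone does not allow re-identification, yet the two orders for the same customer still share a `customer_id`, which is what makes the data usable for testing. The same helper is reused for log redaction so that an analyst can still follow one account through the logs without seeing its e-mail address.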
An organisation's policy for privacy and the protection of personally identifiable information should be carefully developed and implemented to ensure internal compliance with ISO 27001. It should be communicated to everyone involved in the processing of personally identifiable information.
Compliance with this policy, and with all relevant legislation and regulations on the privacy of individuals and the protection of personally identifiable information, requires appropriate management structures, protocols and controls. This is best achieved by appointing a responsible person or group within the organisation, such as a Privacy Officer, who can provide guidance to managers, users, service providers and employees on their individual responsibilities for personally identifiable data and sensitive information.
Furthermore, as set out in the ISO 27001 guidance, that person or group will be required to inform the relevant parties and individuals of the specific procedures to be followed. Responsibility for handling personally identifiable information, and for ensuring the correct level of awareness of privacy principles within the organisation, should be assigned in accordance with the relevant legislation and regulations. In addition, appropriate technical and organisational measures to protect personally identifiable information should be implemented.
ISO 27701 extends ISO 27001 and ISO 27002 with requirements and guidance for a Privacy Information Management System (PIMS), and is aimed at organisations seeking to support GDPR compliance or to meet customer-driven privacy requirements. It sets out a framework for PII controllers and PII processors to manage data privacy, and gives an organisation documentary evidence of how it handles the processing of PII. That evidence can be used as part of contractual agreements between business partners where the processing of PII is relevant, and can also assist in relationships with other stakeholders.
The underlying privacy framework provides a high-level structure for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. A number of countries have introduced legislation and regulations (such as the GDPR and the UK Data Protection Act 2018) placing strict controls on the collection, processing and transmission of personally identifiable information. Depending on the national legislation and regulations, such controls may impose duties on those collecting, processing and disseminating personally identifiable information, and may also restrict its transfer to other countries or to legal entities based in other countries.
The framework is general in nature and covers organisational, technical and procedural aspects. It is useful for organisations seeking to define privacy safeguarding requirements related to PII, because it gives them a comprehensive, high-level reference for the protection of personally identifiable information within ICT systems.
Spedan Ltd provides a range of support packages and consultancy to support your ISO 27001 projects. Call or email for a no-obligation chat to see how we can help you succeed.
Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for managers and staff to use.
Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.
Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.
If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:
CONTACT US
Tel: 01908 255 525
Email: sales@spedan.co.uk