
The Value of ISO 27701


ISO 27701 is a privacy extension to ISO/IEC 27001 that establishes additional requirements and provides guidance for safeguarding privacy as potentially affected by personal data processing. As the overlap between privacy and security regulations grows, the two teams need new ways to collaborate, to communicate more effectively, and to use common tools. Technology is needed for the maintenance and continual improvement of a privacy information management system (PIMS) in accordance with ISO 27701 (formerly known as “ISO 27552”), as well as for the planning and implementation of global privacy laws and frameworks.

How OneTrust Helps


Privacy Information Management System (PIMS) Decision-Making

ISO 27701 includes a roadmap for determining the internal and external issues that might affect privacy (including taking the interests of third parties into account) in order to determine scope and context, and then for developing the corresponding policies and procedures. Use the ISO 27701 Privacy Information Management System (PIMS) Planning template in OneTrust to assist with PIMS decision-making according to clause 5 of the ISO 27701 standard, including evaluating your organization and its context, understanding the needs and expectations of interested parties, determining the scope of the PIMS, defining leadership roles and responsibilities, establishing and tracking objectives, defining risk criteria, and more.


PIMS Documentation

ISO 27701 requires a substantial amount of documentation to be created, reviewed, updated, and appropriately controlled throughout the lifecycle of the PIMS. This documentation is vital to the effectiveness and continual improvement of the PIMS, as well as to achieving and maintaining certification. Use the Document Repository in OneTrust to store and organize PIMS documentation in a central location for access by the PIMS team and other need-to-know personnel.

Privacy Training, Testing, and Attestation

ISO 27701 clause 5.5 requires that employees and contractors be made aware of the organization’s privacy policy, their individual contribution, their roles and responsibilities within the PIMS, and the consequences of non-conformance. Annex A/B requires that all employees and contractors receive information privacy awareness education and training, as well as regular updates on applicable policies and procedures. OneTrust training templates, such as the “Privacy and Security Training Quiz and Attestation” template, can assist in testing the effectiveness of awareness training, as well as in recording employee attestations to acceptable use policies or employee responsibility documents.

Internal Audits

Clause 5.7 requires that you conduct internal audits of the ISMS against the ISO/IEC 27701:2019 standard (including all of clause 5 and the applicable Annex A/B controls). In addition, clause 5.7 requires management reviews of the PIMS at regular intervals. Use the OneTrust ISO 27701 Audit Checklist template, a fully customizable questionnaire based on ISO 27701, to assist in conducting internal or external audits that evaluate the maturity and overall effectiveness of the PIMS, and to track corrective action plans. Once the audit is complete, OneTrust lets you easily generate an audit report showing an overview of your answers, comments, and evidence attachments.

Records of Processing Activities

Annexes A.7.2.8 and B.8.2.6 recommend that organizations establish what records are necessary in support of their processing obligations, and that they maintain and protect those records. Organizations should create and maintain an inventory or detailed list of all the personal data processing activities they execute. With OneTrust, you can create and maintain inventories of your organization’s assets and vendors, the risks associated with them, and their owners within the organization. Data Mapping Automation collects information about the purposes of processing, the types of personal data collected, and the procedures by which that data is collected, used, stored, and transferred, and generates visualizations and data flow diagrams as tools for easier analysis and executive communication.

Risk Assessment and Treatment

Clause 5.4 requires the creation of a detailed risk assessment methodology that includes criteria for how to identify different levels of risk. Clause 5. then requires the implementation of these plans, for example following the risk methodology when conducting risk assessments, developing risk treatment plans and tracking their completion, calculating residual risk, and ensuring that all of this is documented in a controlled manner. Use OneTrust Assessment Automation, together with a large library of questionnaire templates, to identify and calculate the risks to individuals that result from processing their personal information, and to develop and track risk treatment plans.


Vendor, Processor, and Supplier Management

Under clause 6.12.1.2, organizations should include specific terms in contracts between themselves and any subcontractor. Clause 7.2.6 states that contracts between the organization and any personal data processor should require implementation of the appropriate Annex B controls. Clause 7.5 recommends that organizations determine and document the applicable basis for international transfers of personal data. Use OneTrust Vendorpedia, third-party risk management software, to automate the vendor contract lifecycle from onboarding to offboarding and to assist in achieving and maintaining ISO 27701 certification.

Incident & Breach Response

Clause 6.13.1.1 states that an organization’s incident management process should define the responsibilities and processes for identifying and recording breaches of personal data processing. Enable self-service reporting of security incidents and weaknesses, maintain records of incidents and breaches, evaluate breach notification obligations, and analyze overall risk through connections to your underlying inventories of data, processing activities, assets, and vendors. OneTrust can be used to put incident management policies and procedures into action.

Data Subject & Consumer Rights Management

Annex A.7.3 details that individuals should be provided with the proper information about the processing of their personal data. An organization should establish, document, and uphold its obligations to individuals as demanded by legal and business requirements. OneTrust provides a standardized way for privacy programs to receive requests and manage them in a centralized system. Additionally, it lets you tailor a branded web form, linked from your company’s privacy policy web page, receive notification of a submitted request, verify the requester’s identity, and automatically request an extension if the deadline is approaching.

Consent & Preference Management

Under ISO 27701, consent must be obtained from individuals where applicable and recorded so that details such as when consent was given, proof of the individual’s identity, and the consent statement can be provided on request. Use the OneTrust Consent Management tool to demonstrate compliance with granular records of consent. OneTrust provides the platform and instruments necessary to collect valid consent as required by ISO 27701, as well as by privacy regulations such as the GDPR, CCPA, and LGPD.

Recommended Resources


Webinar

ISO 27701 New Privacy Standard: How OneTrust Got Certified & How You Can Too


White Paper

ISO 27701 - How OneTrust Helps


Datasheet

OneTrust ISO 27701
