ISO 27701 is a privacy extension to ISO/IEC 27001 that establishes additional requirements and provides guidance for safeguarding privacy as potentially affected by personal data processing. As privacy and security regulations increasingly overlap, the two teams need new ways of working together, communicating more effectively and using common tools. Technology is needed for the maintenance and continual improvement of a privacy information management system (PIMS) in accordance with ISO 27701 (formerly known as "ISO 27552"), as well as for planning and implementing global privacy laws and frameworks.
ISO 27701 includes a roadmap for determining both the internal and external issues that might affect privacy (including taking the interests of third parties into account) in order to determine scope and context, and then for developing the corresponding policies and procedures. Use the ISO 27701 Privacy Information Management System (PIMS) Planning template in OneTrust to assist with PIMS decision-making according to clause 5 of the ISO 27701 standard, including assessing your organization and its context, understanding the needs and expectations of interested parties, determining the scope of the PIMS, defining leadership roles and responsibilities, establishing and tracking objectives, defining risk criteria, and more.
ISO 27701 requires a substantial amount of documentation to be created, reviewed, updated and appropriately controlled throughout the PIMS life cycle. This documentation is vital to the effectiveness and continual improvement of the PIMS, as well as to achieving and maintaining certification. Use the Document Repository in OneTrust to store and organize PIMS documentation in a central location for access by the PIMS team and other need-to-know personnel.
Clause 5.7 requires that you conduct internal audits of the ISMS against the ISO/IEC 27701:2019 standard (including all of clause 5 and the applicable Annex A/B controls). In addition, clause 5.7 requires management reviews of the PIMS at planned intervals. Use the OneTrust ISO 27701 Audit Checklist template, a fully customizable questionnaire based on ISO 27701, to assist in conducting internal or external audits that evaluate the maturity and overall effectiveness of the PIMS, and to track corrective action plans. Once an audit is complete, OneTrust allows you to easily generate an audit report showing an overview of your answers, comments and evidence attachments.
Annexes A.7.2.8 and B.8.2.6 recommend that organizations establish what records are necessary in support of their processing obligations, and that they maintain and protect those records. Organizations should create and maintain an inventory or detailed list of all the personal data processing activities they execute. With OneTrust, you can create and maintain inventories of your organization's assets and vendors, the risks associated with them, and their owners within the organization. Data mapping automation gathers information about the purposes for which personal data is collected, the types of personal data involved and the processes by which it is collected, used, stored and transferred, and generates visualizations and data flow diagrams as tools for easier analysis and executive communication.
Clause 5.4 requires the creation of a detailed risk assessment methodology that includes criteria for how to identify different levels of risk. Clause 5 then requires the implementation of these plans, for example following the risk methodology when conducting risk assessments, developing risk treatment plans and tracking their completion, calculating residual risk, and ensuring that all of this is documented in a controlled manner. Use OneTrust Assessment Automation, together with its extensive library of questionnaire templates, to identify and calculate risks to individuals arising from the processing of their personal information, and to develop and track risk treatment plans.
According to clause 6.12.1.2, organizations should include specific terms in contracts between themselves and any subcontractor. Clause 7.2.6 states that contracts between the organization and any personal data processor should require implementation of the appropriate Annex B controls. Clause 7.5 recommends that organizations determine and document the applicable basis for international transfers of personal data. Use OneTrust Vendorpedia, third-party risk management software, to automate the vendor contract life cycle from onboarding to offboarding, and to assist in obtaining and maintaining ISO 27701 certification.
Incident & Breach Response
Clause 126.96.36.199 states that an organization's incident management process should define the responsibilities and processes related to identifying and recording breaches of personal data processing. Enable self-service reporting of security incidents and weaknesses, maintain incident and breach records, assess breach notification obligations, and analyze overall risk with connections to your underlying inventories of data, processing activities, assets and vendors. OneTrust can be used to put incident management policies and procedures into action.
Data Subject & Consumer Rights Management
Consent & Preference Management
Under ISO 27701, consent must be obtained from individuals, where applicable, and recorded so that details such as when consent was given, proof of the individual's identity, and the consent statement itself can be provided on request. Use the OneTrust Consent Management tool to demonstrate compliance with granular records of consent. OneTrust provides the platform and instruments necessary to collect valid consent as required by ISO 27701 and by privacy regulations such as GDPR, CCPA, and LGPD.