Iso27701 New Version Rev2


Internal

What is new in the ISO/IEC 27701 new version

Kittipong Keatniyomrung
Technical Product Manager
BSI Group (Thailand)
Topics for discussion

1. Basic ISO/IEC 27701 structure
2. Why change for ISO/IEC 27701
3. Requirement ISO/IEC 27701 new version


Basic ISO/IEC 27701 structure

ISO/IEC 27701

Privacy Information Management System (PIMS)

PIMS Plan, Do, Check, Act cycle

[Figure: PDCA cycle with the four phases PLAN, DO, CHECK, ACT; the ACT phase is labelled Improvement.]





Integration – High level structure

[Figure: the high level structure shown as an input/output loop. INPUT: customers' and stakeholders' requirements and expectations, records management. Clauses in the loop: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement. OUTPUT: right managerial decisions to achieve policy and customers' and stakeholders' expectations; Doc info.]
Public

Requirement and Guidelines

Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management

1. Scope
2. Normative Reference
3. Terms, definitions and abbreviations
4. General

Clause 5: PIMS-specific requirements related to ISO/IEC 27001
Clause 6: PIMS-specific guidance related to ISO/IEC 27002
Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
Clause 8: Additional ISO/IEC 27002 guidance for PII processors

Annex A - F

Annex Detail

Annex A (informative) PIMS-specific reference control objectives and controls (PII Controllers)
Annex B (normative) PIMS-specific reference control objectives and controls (PII Processors)
Annex C (informative) Mapping to ISO/IEC 29100
  Table C.1 — Mapping of controls for PII controllers and ISO/IEC 29100
  Table C.2 — Mapping of controls for PII processors and ISO/IEC 29100
Annex D (informative) Mapping to the General Data Protection Regulation
Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F (informative) How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002

Why change for ISO/IEC 27701

Structure ISO/IEC 27701

1. Scope
2. Normative Reference
3. Terms, definitions and abbreviations
4. General
5. Clause 5: PIMS-specific requirements related to ISO/IEC 27001:2013 (Change to ISO/IEC 27001:2022)

Clause 6: PIMS-specific guidance related to ISO/IEC 27002:2013 (Change to ISO/IEC 27002:2022)
Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
Clause 8: Additional ISO/IEC 27002 guidance for PII processors

Requirement ISO/IEC 27701 new version

ISO/IEC DIS 27701:2022

Requirement and Guidelines

Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management

1. Scope
2. Normative Reference
3. Terms, definitions and abbreviations
4. General

Clause 5: PIMS-specific requirements related to ISO/IEC 27001
Clause 6: PIMS-specific guidance related to ISO/IEC 27002
Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
Clause 8: Additional ISO/IEC 27002 guidance for PII processors

Annex Detail (Annex A - F)

Annex A (informative) PIMS-specific reference control objectives and controls (PII Controllers)
Annex B (normative) PIMS-specific reference control objectives and controls (PII Processors)
Annex C (informative) Mapping to ISO/IEC 29100
  Table C.1 — Mapping of controls for PII controllers and ISO/IEC 29100
  Table C.2 — Mapping of controls for PII processors and ISO/IEC 29100
Annex D (informative) Mapping to the General Data Protection Regulation
Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F (informative) How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
Annex G (informative) Correspondence with ISO/IEC 27001:2019
Clause 5: PIMS-specific requirements related to ISO/IEC 27001:2022

Additional requirements from ISO/IEC 27001:2022:
- 5.2
- 5.4
ISO/IEC DIS 27701:2022 (6.2 Organizational controls)

6.2.1 Policies for information security
6.2.2 Information security roles and responsibilities
6.2.3 Segregation of duties
6.2.4 Management responsibilities
6.2.5 Contact with authorities
6.2.6 Contact with special interest groups
6.2.7 Threat intelligence
6.2.8 Information security in project management
6.2.9 Inventory of information and other associated assets
6.2.10 Acceptable use of information and other associated assets
6.2.11 Return of assets
6.2.12 Classification of information
6.2.13 Labelling of information
6.2.14 Information transfer
6.2.15 Access control
6.2.16 Identity management
6.2.17 Authentication information
6.2.18 Access rights
6.2.19 Information security in supplier relationships
6.2.20 Addressing information security within supplier agreements
6.2.21 Managing information security in the ICT supply chain
6.2.22 Monitoring, review and change management of supplier services
6.2.23 Information security for use of cloud services
6.2.24 Information security incident management planning and preparation
6.2.25 Assessment and decision on information security events
6.2.26 Response to information security incidents
6.2.27 Learning from information security incidents
6.2.28 Collection of evidence
6.2.29 Information security during disruption
6.2.30 ICT readiness for business continuity
6.2.31 Legal, statutory, regulatory and contractual requirements
6.2.32 Intellectual property rights
6.2.33 Protection of records
6.2.34 Privacy and protection of PII
6.2.35 Independent review of information security
6.2.36 Compliance with policies, rules and standards for information security
6.2.37 Documented operating procedures
ISO/IEC DIS 27701:2022 (6.3 People controls)

6.3.1 Screening

6.3.2 Terms and conditions of employment

6.3.3 Information security awareness, education and training

6.3.4 Disciplinary process

6.3.5 Responsibilities after termination or change of employment

6.3.6 Confidentiality or non-disclosure agreements

6.3.7 Remote working

6.3.8 Information security event reporting


ISO/IEC DIS 27701:2022 (6.4 Physical controls)

6.4.1 Physical security perimeters
6.4.2 Physical entry
6.4.3 Securing offices, rooms and facilities
6.4.4 Physical security monitoring
6.4.5 Protecting against physical and environmental threats
6.4.6 Working in secure areas
6.4.7 Clear desk and clear screen
6.4.8 Equipment siting and protection
6.4.9 Security of assets off-premises
6.4.10 Storage media
6.4.11 Supporting utilities
6.4.12 Cabling security
6.4.13 Equipment maintenance
6.4.14 Secure disposal or re-use of equipment
ISO/IEC DIS 27701:2022 (6.5 Technological controls)

6.5.1 User endpoint devices
6.5.2 Privileged access rights
6.5.3 Information access restriction
6.5.4 Access to source code
6.5.5 Secure authentication
6.5.6 Capacity management
6.5.7 Protection against malware
6.5.8 Management of technical vulnerabilities
6.5.9 Configuration management
6.5.10 Information deletion
6.5.11 Data masking
6.5.12 Data leakage prevention
6.5.13 Information backup
6.5.14 Redundancy of information processing facilities
6.5.15 Logging
6.5.16 Monitoring activities
6.5.17 Clock synchronization
6.5.18 Use of privileged utility programs
6.5.19 Installation of software on operational systems
6.5.20 Networks security
6.5.21 Security of network services
6.5.22 Segregation of networks
6.5.23 Web filtering
6.5.24 Use of cryptography
6.5.25 Secure development life cycle
6.5.26 Application security requirements
6.5.27 Secure system architecture and engineering principles
6.5.28 Secure coding
6.5.29 Security testing in development and acceptance
6.5.30 Outsourced development
6.5.31 Separation of development, test and production environments
6.5.32 Change management
6.5.33 Test information
6.5.34 Protection of information systems during audit testing
ISO/IEC DIS 27701:2022

Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
► Not changed

Clause 8: Additional ISO/IEC 27002 guidance for PII processors
► Not changed

Summary change

Clause 5: PIMS-specific requirements related to ISO/IEC 27001
► Changed in line with the requirements of ISO/IEC 27001:2022

Clause 6: PIMS-specific guidance related to ISO/IEC 27002
► Changed in line with ISO/IEC 27002:2022

Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
► Not changed

Clause 8: Additional ISO/IEC 27002 guidance for PII processors
► Not changed
Consequence for Implementation

Transition to ISO/IEC 27001:2022 (by 1 November 2025)

Study the requirements of ISO/IEC 27701:202x and implement them

Inform BSI for transition (if BSI is approved to audit ISO/IEC 27701:202X)

The transition period will be announced. After the deadline, ISO/IEC 27701:2019 will expire.
Certified and Transition – BSI

Waiting for publication of ISO/IEC 27701:202X

Waiting for accreditation body (ANAB) approval for ISO/IEC 27701:202X


● Contact us

www.bsigroup.com/th-TH/
BSI Thailand @bsithailand

Tel: 02 294 4889-92 Email: [email protected]
