Implementing ISO 27701:2019 PIMS – Two common fallacies

By Sandhya Khamesra, Founder and CEO, Pricoris LLP

This article covers two aspects of implementing ISO 27701 that practitioners and consultants commonly overlook, each presented as a fallacy I hear repeated.

Application of ISO 27701:2019: the importance of Annex F and of two of the referenced standards (ISO/IEC 20889 and ISO/IEC 19944)

Fallacy #1 – Implement Annex A of ISO 27701 if you are a PII controller, or Annex B if you are a PII processor, and you have implemented ISO 27701

Very often I encounter people who believe that implementing Annex A and Annex B of ISO 27701 amounts to implementing a PIMS. Annex A and Annex B are only the reference control objectives and controls for PII controllers and PII processors; they do not by themselves deliver a management system. People who make this mistake have not grasped how the standard is structured to extend an ISMS into a Privacy Information Management System.

Application of ISO 27701:2019 – Importance of Annex F

One should start reading this standard with its last annex, Annex F: "How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002".

Annex F describes three ways in which the requirements and guidance of ISO/IEC 27001 and ISO/IEC 27002 are applied to the protection of the privacy of PII principals when processing PII:

  1. Application of the security standards as-is: the existing requirements apply to privacy unchanged, with the terminology extended as set out in Table F.1.
  2. Additions to the security standards: additional privacy-specific requirements or implementation guidance.
  3. Refinement of the security standards: existing requirements or implementation guidance are refined with privacy-specific requirements or guidance.

This article focuses on the implications of the as-is case, i.e. the extension of the referenced security standard, and on the importance of the referenced standards other than ISO 27001 and ISO 27002.

  1. Application of the security standards as-is: here the extensions of Table F.1 are applied.

Table F.1 is to be read as follows: wherever ISO/IEC 27001 and ISO/IEC 27002 say "information security", read "information security and privacy". The "information security policy" becomes the "information security and privacy policy", the "information security objectives" become the "information security and privacy objectives", and so forth. The ISMS is thereby extended into a PIMS without any of the original requirements being dropped.

Read that way, the as-is case produces the following PIMS requirements as an extension of each clause of ISO 27001:2013:

Cl. 5.1 (Leadership and commitment): top management demonstrates leadership and commitment to the privacy policy and privacy objectives, integrates the PIMS into the organization's processes, provides the resources the PIMS needs, communicates the importance of the PIMS, ensures the PIMS achieves its intended outcomes (including setting direction and control over its effectiveness), promotes continual improvement of the PIMS, and supports the various privacy roles in demonstrating leadership.
Cl. 5.2 (Policy): the policy includes the privacy aspects; it can be a separate privacy policy or be combined with the ISMS policy.
Cl. 5.3 (Roles, responsibilities and authorities): PIMS roles are assigned and communicated.
Cl. 6.2 (Objectives and planning): privacy objectives are set, together with the plan to achieve them.
Cl. 7.1 (Resources): the resources required for the PIMS are determined and provided.
Cl. 7.2 (Competence): competence of the people whose work affects privacy information security performance is determined and ensured.
Cl. 7.3 (Awareness): awareness of the privacy policy, of each person's contribution to the effectiveness of the PIMS, and of the implications of not conforming to PIMS requirements.
Cl. 7.4 (Communication): internal and external communications relevant to the PIMS.
Cl. 7.5 (Documented information): documented information for the PIMS is maintained, with particular attention to control of changes, retention and disposition, including documents of external origin.
Cl. 8.1 (Operational planning and control): implementation of the PIMS risk treatment, achievement of the PIMS objectives, control of changes that affect the PIMS, and privacy controls over outsourced processes.
Cl. 8.2 (Risk assessment): the PIMS risk assessment is performed at planned intervals and when significant changes occur, with the necessary risk registers.
Cl. 8.3 (Risk treatment): the PIMS risk treatment plan is implemented and risk treatment records are maintained.
Cl. 9.1 (Monitoring, measurement, analysis and evaluation): evaluation of PIMS performance and effectiveness, including the criteria and monitoring plan for measuring the controls implemented under Clauses 7 and 8 of ISO 27701.
Cl. 9.2 (Internal audit): internal audits cover the PIMS; the audit programme includes the PIMS and the selection of PIMS auditors.
Cl. 9.3 (Management review): the PIMS is on the management review agenda, and the minutes record the decisions taken on the PIMS.
Cl. 10.1 (Nonconformity and corrective action): nonconformities and corrective actions for the PIMS.
Cl. 10.2 (Continual improvement): continual improvement of the PIMS.

Fallacy #2 – ISO 27701 does not mention data de-identification tools and techniques, hence it is not a Privacy Information Management System

Very often I am told that, unlike the NIST framework (the discussion draft "NIST Privacy Framework: An Enterprise Risk Management Tool", released on 6 September 2019), ISO 27701:2019 does not mention the data de-identification techniques to be used for data minimization.

I am asked what the equivalent is of Disassociated Processing (CT.DP-P), defined there as: "Data processing solutions increase disassociability consistent with related policies, processes, procedures, and agreements and the organization's risk strategy to protect individuals' privacy." The answer lies in ISO/IEC 20889 and ISO/IEC 19944, both of which are referenced by ISO 27701.

Importance of the referenced standards (ISO/IEC 20889 and ISO/IEC 19944)

The data minimization objectives in ISO 27701 refer to two standards: ISO/IEC 20889:2018, Privacy enhancing data de-identification terminology and classification of techniques, and ISO/IEC 19944:2017, Cloud services and devices: Data flow, data categories and data use, the latter for its data identification qualifiers.

ISO/IEC 20889 classifies de-identification techniques in detail, covering:

Statistical tools: sampling, aggregation

Cryptographic tools: deterministic encryption, order-preserving encryption, homomorphic encryption, homomorphic secret sharing

Suppression: masking, local suppression, record suppression, sampling

Pseudonymization

Generalization: rounding, top/bottom coding

Randomization: noise addition, permutation, micro-aggregation

together with the formal privacy measurement models used to assess the result: differential privacy and k-anonymity.

The standard describes, for each technique, how it reduces the three re-identification risks: singling out, linking and inference. ISO/IEC 19944 complements it by defining data identification qualifiers, which classify the degree to which data can identify a PII principal, or associate a PII principal with a set of characteristics in the PII, for cloud service providers.

Data identification qualifiers and their definitions:

Identified data: data that can unambiguously be associated with a specific person because PII is observable in the information.
Pseudonymized data: data for which all identifiers are substituted by aliases, where the alias assignment is such that it cannot be reversed by reasonable efforts of anyone other than the party that performed it.
Unlinked pseudonymized data: data for which all identifiers are erased or substituted by aliases, where the assignment function is erased or irreversible, such that the linkage cannot be re-established by reasonable efforts of anyone, including the party that performed it.
Anonymized data: data that is unlinked and whose attributes are altered (e.g. attribute values are randomized or generalized) in such a way that there is a reasonable level of confidence that a person cannot be identified, directly or indirectly, by the data alone or in combination with other data.
Aggregated data: statistical data that does not contain individual-level entries and is combined from information about enough different persons that individual-level attributes are not identifiable.
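To make the ladder of qualifiers concrete alongside the ISO/IEC 20889 techniques listed above, here is an added Python example; it is not code from this article, from Pricoris or from any of the ISO standards. It takes a constructed identified dataset and produces each qualifier level in turn: pseudonymized data via a keyed HMAC alias that only the key holder can recompute, unlinked pseudonymized data by discarding that key, anonymized data by masking, rounding, top coding and record suppression until the quasi-identifiers satisfy k-anonymity, and finally aggregated counts. The records, field names, choice of quasi-identifiers, the k of 2 and the banding widths are all assumptions made for the example.

```python
"""Added example: walk a constructed PII dataset down the ISO/IEC 19944 ladder
(identified -> pseudonymized -> unlinked pseudonymized -> anonymized -> aggregated)
using techniques ISO/IEC 20889 catalogues. Records, key, field names and
thresholds are constructed assumptions, not taken from any standard."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed "identified data": every row carries directly observable PII.
IDENTIFIED = [
    {"name": "Asha Rao",    "email": "asha@example.org",   "zip": "560001", "age": 34, "salary": 62000,  "dx": "flu"},
    {"name": "Ben Ortiz",   "email": "ben@example.org",    "zip": "560004", "age": 37, "salary": 71000,  "dx": "flu"},
    {"name": "Chen Wei",    "email": "chen@example.org",   "zip": "560008", "age": 31, "salary": 58000,  "dx": "asthma"},
    {"name": "Dana Smith",  "email": "dana@example.org",   "zip": "560012", "age": 39, "salary": 240000, "dx": "flu"},
    {"name": "Eli Katz",    "email": "eli@example.org",    "zip": "110001", "age": 52, "salary": 99000,  "dx": "asthma"},
    {"name": "Fatima Noor", "email": "fatima@example.org", "zip": "110003", "age": 58, "salary": 104000, "dx": "flu"},
    {"name": "Gus Lee",     "email": "gus@example.org",    "zip": "110007", "age": 55, "salary": 87000,  "dx": "asthma"},
    {"name": "Hana Ito",    "email": "hana@example.org",   "zip": "400001", "age": 72, "salary": 45000,  "dx": "flu"},
]
DIRECT_IDENTIFIERS = ("name", "email")        # removed by local suppression
QUASI_IDENTIFIERS = ("zip", "age", "salary")  # what a linkage attack would join on

def alias_for(key: bytes, email: str) -> str:
    """Keyed alias (HMAC-SHA256): only the holder of `key` can recompute it."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key: bytes):
    """ISO/IEC 19944 'pseudonymized data': direct identifiers replaced by a keyed
    alias, re-linkable (by recomputation) only by the party holding `key`."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pid"] = alias_for(key, r["email"])
        out.append(row)
    return out

def unlinked_pseudonymize(records):
    """ISO/IEC 19944 'unlinked pseudonymized data': the alias key is generated
    once and never stored, so nobody, this party included, can re-link."""
    one_time_key = secrets.token_bytes(32)
    return pseudonymize(records, one_time_key)  # key is dropped on return

def top_code(value: int, cap: int) -> int:
    """Top coding (ISO/IEC 20889 generalization): values above `cap` become `cap`."""
    return min(value, cap)

def band(value: int, width: int) -> str:
    """Rounding into a fixed-width band (ISO/IEC 20889 generalization)."""
    lo = (value // width) * width
    return f"{lo}-{lo + width - 1}"

def generalize(records):
    """Coarsen the quasi-identifiers: mask the zip, band the age, top-code and
    band the salary. Direct identifiers are suppressed upstream."""
    out = []
    for r in records:
        row = dict(r)
        row["zip"] = r["zip"][:3] + "***"      # masking (partial suppression)
        row["age"] = band(r["age"], 10)        # rounding to a decade
        row["salary"] = band(top_code(r["salary"], 100_000), 50_000)
        out.append(row)
    return out

def equivalence_classes(records, qids=QUASI_IDENTIFIERS) -> Counter:
    """Number of records sharing each quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in qids) for r in records)

def k_anonymity(records, qids=QUASI_IDENTIFIERS) -> int:
    """k of the dataset = size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, qids)
    return min(classes.values()) if classes else 0

def suppress_small_classes(records, k: int, qids=QUASI_IDENTIFIERS):
    """Record suppression: drop rows in classes smaller than k, so that the
    survivors are k-anonymous on `qids`."""
    classes = equivalence_classes(records, qids)
    return [r for r in records if classes[tuple(r[q] for q in qids)] >= k]

def anonymize(records, k: int = 2):
    """ISO/IEC 19944 'anonymized data': unlinked, generalized, then k-anonymous."""
    return suppress_small_classes(generalize(unlinked_pseudonymize(records)), k)

def aggregate(records, group_by=("zip", "age"), attr="dx"):
    """ISO/IEC 19944 'aggregated data': per-group counts, no individual rows."""
    counts = Counter((tuple(r[g] for g in group_by), r[attr]) for r in records)
    return sorted(grp + (val, n) for (grp, val), n in counts.items())

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held only by the party that pseudonymizes
    pseudo = pseudonymize(IDENTIFIED, key)
    assert pseudo[0]["pid"] == alias_for(key, "ASHA@example.org")  # key holder re-links
    print("k on raw quasi-identifiers:", k_anonymity(pseudo))
    anon = anonymize(IDENTIFIED, k=2)
    print("k after generalization and suppression:", k_anonymity(anon), "rows:", len(anon))
    for row in aggregate(anon):
        print(row)
```

Run as a script, k on the raw quasi-identifiers is 1 (every record is unique on zip, age and salary), and after generalization plus record suppression five of the eight constructed rows remain with k = 2. The output also shows why k-anonymity alone does not address the inference risk the text mentions: every surviving record in the 110***/50-59 class carries the same diagnosis, so anyone who knows a person is in that class learns the attribute, which is why ISO/IEC 20889 discusses l-diversity and t-closeness alongside k-anonymity.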
