ISO 27701 Controls List in Excel

A Breakdown of ISO 27701 Controls

Introduction

The importance of protecting personal data cannot be overstated. As organizations worldwide strive to comply with global privacy regulations, ISO 27701 has emerged as a crucial standard for privacy information management. ISO 27701 is an extension to ISO 27001 and ISO 27002, providing a framework for implementing, maintaining, and improving a Privacy Information Management System (PIMS). This article offers a comprehensive breakdown of ISO 27701 controls, highlighting their significance and how they integrate with existing information security measures.

What is ISO 27701?

ISO 27701 is designed to help organizations manage privacy risks related to personally identifiable information (PII). It builds upon the requirements of ISO 27001, which focuses on information security management, by adding specific controls and guidance related to privacy management. Organizations that implement ISO 27701 can demonstrate compliance with global privacy laws such as the GDPR, thereby building trust with customers and stakeholders.

Categories of ISO 27701 Controls

ISO 27701 controls are divided into several categories, aligning closely with the structure of ISO 27001 and ISO 27002. These controls are designed to address various aspects of privacy management and are applicable to both data controllers and data processors. Below is a breakdown of these controls:

1. Information Security Policies

  • A.5.1.1 – Establishing privacy policies for managing personal data.
  • A.5.1.2 – Reviewing and approving privacy policies regularly.

2. Organization of Information Security

  • A.6.1.1 – Assigning roles and responsibilities related to PIMS.
  • A.6.1.2 – Coordination of privacy-related activities with other functions.
  • A.6.1.3 – Independent review of privacy controls.

3. Human Resource Security

  • A.7.1.1 – Screening of employees and contractors handling PII.
  • A.7.2.1 – Ensuring that employees are aware of their privacy obligations.
  • A.7.3.1 – Enforcing disciplinary actions in case of privacy breaches.

4. Asset Management

  • A.8.1.1 – Inventory of assets containing PII.
  • A.8.1.2 – Ownership of assets related to privacy information.
  • A.8.2.1 – Classification of PII to ensure appropriate protection.

5. Access Control

  • A.9.1.1 – Access to PII based on business needs.
  • A.9.2.1 – User access provisioning and review.
  • A.9.3.1 – Management of privileged access rights to PII.

6. Cryptography

  • A.10.1.1 – Using encryption to protect PII during transmission and storage.
  • A.10.1.2 – Key management for cryptographic protection of PII.

7. Physical and Environmental Security

  • A.11.1.1 – Secure areas for processing PII.
  • A.11.2.1 – Protection of equipment used for processing PII.

8. Operations Security

  • A.12.1.1 – Operational procedures for handling PII.
  • A.12.2.1 – Protection against malware affecting PII.
  • A.12.3.1 – Back-up and restoration of PII.

9. Communications Security

  • A.13.1.1 – Network controls to protect PII during communication.
  • A.13.2.1 – Secure transfer of PII across networks.

10. System Acquisition, Development, and Maintenance

  • A.14.1.1 – Security requirements of information systems handling PII.
  • A.14.2.1 – Ensuring secure development practices for systems processing PII.

11. Supplier Relationships

  • A.15.1.1 – Privacy requirements for suppliers handling PII.
  • A.15.2.1 – Monitoring supplier compliance with privacy obligations.

12. Incident Management

  • A.16.1.1 – Reporting and managing privacy-related incidents.
  • A.16.1.2 – Communicating privacy incidents to relevant stakeholders.

13. Information Security Aspects of Business Continuity Management

  • A.17.1.1 – Business continuity planning to include privacy considerations.
  • A.17.2.1 – Regular testing of privacy-related business continuity plans.

14. Compliance

  • A.18.1.1 – Identification of applicable privacy laws and regulations.
  • A.18.1.2 – Ensuring compliance with privacy-related legal requirements.

Example of ISO 27701 controls list Excel Breakdown:

Control Number | Control Title | Control Objective | Control Description | ISO 27001 Reference | Implementation Guidance | Responsible Party | Status | Remarks
A.7.2.1 | Data Minimization | Ensure minimal data processing | Collect and process only the data necessary for the specified purpose. | A.9.1 | Implement data collection policies to limit unnecessary data | Data Officer | Not Started |
A.7.2.2 | Purpose Limitation | Limit data use to explicit purposes | Use personal data only for the purposes for which it was collected and no more. | A.8.1 | Define clear purposes for data collection | Data Officer | In Progress |
A.7.2.3 | Data Accuracy | Maintain accurate and up-to-date data | Ensure personal data is accurate and, where necessary, kept up to date. | A.10.1 | Regularly review and update data records | Data Officer | Completed |
A.7.2.4 | Data Retention & Deletion | Retain data only as long as necessary | Establish and enforce data retention and deletion policies based on legal requirements. | A.11.1 | Implement automated data retention and deletion processes | IT Department | In Progress |
A.7.2.5 | Data Subject Rights | Enable data subjects to exercise rights | Provide mechanisms for data subjects to access, correct, delete, or object to data processing. | A.12.1 | Develop user interfaces and procedures for data subject requests | Legal Team | Not Started |

Steps to populate the ISO 27701 controls list Excel sheet:

  1. List All Controls: Start by listing all the controls from ISO 27701 under the “Control Number” and “Control Title” columns.
  2. Objective and Description: Fill in the objectives and descriptions from the ISO 27701 standard.
  3. Link to ISO 27001: Map each control to its related ISO 27001 control (if applicable).
  4. Add Implementation Guidance: Provide tips or steps for implementation.
  5. Assign Responsibility: Assign a responsible party for each control.
  6. Track Progress: Update the status as you proceed with implementation.
  7. Notes: Use the remarks column to add any additional information or notes.
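Once the sheet is populated, it pays to check it mechanically before an audit rather than by eye. The following Python script is an added example, not part of the original article: it loads the sheet exported as CSV, verifies the column layout of the template above, flags rows with no responsible party, missing mandatory fields, duplicate control numbers or a status outside the values used in the sample table, and rolls up progress per responsible party. The sample rows, the allowed status values and the CSV export format are assumptions made for the example.

```python
import csv, io
from collections import Counter, defaultdict

# Column headers of the tracker sheet shown above (assumed exported as CSV).
COLUMNS = ["Control Number", "Control Title", "Control Objective",
           "Control Description", "ISO 27001 Reference",
           "Implementation Guidance", "Responsible Party", "Status", "Remarks"]
ALLOWED_STATUS = {"Not Started", "In Progress", "Completed"}  # as used in the sample rows
REQUIRED = COLUMNS[1:4] + COLUMNS[5:6]  # title, objective, description, guidance

# Constructed sample export: four clean rows plus one with typical data-entry
# problems (no owner, free-text status). Remarks is left blank, as in the sample.
SAMPLE_CSV = """Control Number,Control Title,Control Objective,Control Description,ISO 27001 Reference,Implementation Guidance,Responsible Party,Status,Remarks
A.7.2.1,Data Minimization,Ensure minimal data processing,Collect only necessary data.,A.9.1,Limit collection,Data Officer,Not Started,
A.7.2.2,Purpose Limitation,Limit data use to explicit purposes,Use data only for stated purposes.,A.8.1,Define purposes,Data Officer,In Progress,
A.7.2.3,Data Accuracy,Maintain accurate data,Keep data accurate and current.,A.10.1,Review records,Data Officer,Completed,
A.7.2.4,Data Retention & Deletion,Retain data only as long as necessary,Enforce retention policies.,A.11.1,Automate deletion,IT Department,In Progress,
A.7.2.5,Data Subject Rights,Enable data subjects to exercise rights,Provide request handling.,,Build request procedures,,Done,
"""

def load_tracker(text):
    """Parse the CSV export and verify the header still matches the template."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected columns: {reader.fieldnames}")
    return list(reader)

def check_tracker(rows):
    """Return (control number, problem) pairs for rows that fail the checks."""
    problems, seen = [], set()
    for r in rows:
        v = lambda col: (r.get(col) or "").strip()
        num = v("Control Number")
        if num in seen:
            problems.append((num, "duplicate control number"))
        seen.add(num)
        problems += [(num, f"missing {col}") for col in REQUIRED if not v(col)]
        if not v("Responsible Party"):
            problems.append((num, "no responsible party assigned"))
        if v("Status") not in ALLOWED_STATUS:
            problems.append((num, f"unknown status {v('Status')!r}"))
    return problems

def progress_by_party(rows):
    """Status counts per responsible party, e.g. {'Data Officer': {'Completed': 1}}."""
    summary = defaultdict(Counter)
    for r in rows:
        party = (r.get("Responsible Party") or "").strip() or "(unassigned)"
        summary[party][(r.get("Status") or "").strip()] += 1
    return {party: dict(counts) for party, counts in summary.items()}
```

Running check_tracker on the sample flags only the last row (no owner, status "Done"), and progress_by_party gives the per-owner counts a status report would be built from.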

Here is an Excel format you can use –

Conclusion

Implementing ISO 27701 controls is a strategic move for organizations looking to enhance their privacy management systems and achieve compliance with global privacy regulations. By integrating these controls into their existing information security frameworks, organizations can mitigate privacy risks, build trust with stakeholders, and ensure the responsible handling of personal data. Whether you’re a data controller or processor, ISO 27701 provides the guidance needed to manage privacy effectively and responsibly.

If you’re considering implementing ISO 27701 or want to learn more about how it can benefit your organization, our team of experts is here to help. Contact us to discuss how we can assist you in achieving your privacy management goals.
