EN 17926:2023
Privacy Information Management System per ISO/IEC 27701 - Refinements in European context
This document specifies refinements for an application of ISO/IEC 27701 in a European context.
An organization can use this document for the implementation of the generic requirements and controls of ISO/IEC 27701 according to its context and its applicable obligations.
Certification bodies can use the specifications in this document as a basis for certification criteria verifying conformity to ISO/IEC 27701.
Certification criteria based on these specifications can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a Privacy Information Management System according to ISO/IEC 27701, which can be combined with certification requirements for ISO/IEC 27701 under ISO/IEC 17021.
Accreditation bodies or regulatory authorities can use provisions in this document as criteria to establish certification mechanisms.
Privacy Information Management System per ISO/IEC 27701 - Refinements in the European context (German abstract)
This document specifies refinements for an application of EN ISO/IEC 27701 in a European context.
This document is applicable to the same entities as ISO/IEC 27701: all types and sizes of organizations, including public and private companies, public bodies and not-for-profit organizations, which are controllers and/or processors within an ISMS (information security management system).
An organization can use this document for the implementation of the generic requirements and controls of EN ISO/IEC 27701 according to its context and its applicable obligations.
Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a privacy information management system according to EN ISO/IEC 27701, which can be combined with certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.
Privacy information management system in accordance with EN ISO/IEC 27701 - Refinements relating to the European context (French abstract)
This document provides the refinements relating to the application of EN ISO/IEC 27701 in a European context.
This document applies to the same entities as ISO/IEC 27701, that is, organizations of all types and sizes, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
An organization can use this document to implement the generic requirements and security controls of EN ISO/IEC 27701 in accordance with its context and the obligations applicable to it.
Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations carried out within the scope of a privacy information management system in accordance with EN ISO/IEC 27701, which can be combined with the certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.
Privacy information management system per ISO/IEC 27701 - Refinements in the European context (Slovenian abstract)
This document specifies refinements for the application of ISO/IEC 27701 in a European context.
An organization can use this document for implementing the generic requirements and controls of ISO/IEC 27701 in accordance with its context and its applicable obligations.
Certification bodies can use the specifications in this document as a basis for certification criteria for verifying conformity to ISO/IEC 27701.
Certification criteria based on these specifications can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a privacy information management system according to ISO/IEC 27701, which can be combined with certification requirements for ISO/IEC 27701 under ISO/IEC 17021.
Accreditation or regulatory bodies can use the provisions of this document as criteria for establishing certification mechanisms.
General Information
Overview
EN 17926:2023 provides European refinements to ISO/IEC 27701 for a Privacy Information Management System (PIMS). Published by CEN, the standard adapts the generic ISO/IEC 27701 requirements and controls to the European legal context, most notably to support implementation under the EU GDPR (Regulation 2016/679). EN 17926 is applicable to all types and sizes of organisations acting as PII controllers and/or PII processors and is intended for use by organisations, certification bodies, accreditation bodies and regulators.
Key topics and requirements
- Scope and applicability: Defines how to determine the PIMS scope, including interfaces and dependencies between internal and external PII processing activities.
- Refinements to ISO/IEC 27701 controls: Specifies which controls from ISO/IEC 27001 Annex A, ISO/IEC 27701 Annex A (controllers) and Annex B (processors) apply and when they are mandatory in a European/GDPR context.
- Statement of Applicability (SoA): Requires an SoA that lists the necessary controls, the justification for their inclusion or exclusion, and their implementation status; controls that Annexes A, B and C require for the organisation's role cannot be excluded if they are in scope.
- Data Protection Officer (DPO): Clarifies DPO appointment criteria and expectations: sufficient resources, reporting to top management, involvement in all PII protection issues, publicly available contact details, and independence from instructions.
- Risk assessment and treatment: Controls must be assessed for both information security and privacy risks to PII principals; applicability checks must reference Annex A/B/C.
- Certification models: Provides a basis for certification criteria under ISO/IEC 17065 for product/process/service PII processing and combination models with ISO/IEC 17021 for management system certification (see informative Annex D).
- GDPR relationship: Informative mapping to GDPR obligations and use of standard content for data protection certification mechanisms (Annex E).
Practical applications
Who uses EN 17926 and why:
- Organisations (public/private/not-for-profit): to implement a PIMS aligned with GDPR and demonstrate compliance through documented controls and SoA.
- Certification bodies: to develop certification schemes that assess PIMS conformity and processing operations (ISO/IEC 17065 and ISO/IEC 17021 models).
- Accreditation bodies and regulators: to establish certification mechanisms and criteria for data protection certification (GDPR Article 42).
- Service providers and vendors: to design products, services, or processes that process PII in ways that meet European refinements and support customer assurance.
Related standards
- ISO/IEC 27701 (PIMS extension to ISO/IEC 27001/27002)
- EN ISO/IEC 27001:2013 (Information Security Management)
- ISO/IEC 17021 (management system certification)
- ISO/IEC 17065 (product/process/service certification)
- ISO/IEC 17067 (type 6 certification schemes)
- EU GDPR (Regulation 2016/679)
EN 17926 is essential for organisations seeking a GDPR-aligned privacy management framework and for bodies creating credible, comparable privacy certification schemes in Europe.
Standards Content (Sample)
SLOVENIAN STANDARD
01-May-2024
Privacy information management system per ISO/IEC 27701 - Refinements in the European context (Slovenian title)
Privacy Information Management System per ISO/IEC 27701 - Refinements in European context
Privacy Information Management System per ISO/IEC 27701 - Refinements in the European context (German title)
Privacy information management system in accordance with EN ISO/IEC 27701 - Refinements relating to the European context (French title)
This Slovenian standard is identical to: EN 17926:2023
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
EUROPEAN STANDARD EN 17926
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
English version
Privacy Information Management System per ISO/IEC 27701 - Refinements in European context
Privacy information management system in accordance with EN ISO/IEC 27701 - Refinements relating to the European context (French title)
Privacy Information Management System per ISO/IEC 27701 - Refinements in the European context (German title)
This European Standard was approved by CEN on 13 April 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 17926:2023 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this document
5 Privacy information management system for PII processing operations
6 Requirement for PII processing operations
Annex A (normative) Information security and privacy controls
Annex B (normative) PIMS-specific reference control objectives and controls (PII Controllers)
Annex C (normative) PIMS-specific reference control objectives and controls (PII Processors)
Annex D (informative) Model for combination of management system certification governed by certification requirements in ISO/IEC 17021 with a non-tangible product-based certification governed by certification requirements in ISO/IEC 17065
Annex E (informative) Relationship between this European Standard and the General Data Protection Regulation
Bibliography
European foreword
This document (EN 17926:2023) has been prepared by Technical Committee CEN/CLC/JTC 13,
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia,
Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North
Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United
Kingdom.
Introduction
ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing,
maintaining, and continually improving a Privacy Information Management System (PIMS) which can be
implemented in any jurisdiction. As a management system designed for international use, its
requirements are generic, and the guidance can be adapted by the organizations according to their
context and applicable obligations.
Although ISO/IEC 27701 was written with the intention to be applicable under any jurisdiction, including
under the EU General Data Protection Regulation (GDPR) (ISO/IEC 27701 Annex D contains a mapping
between clauses of the standard and GDPR), it is the responsibility of the organization to determine how
to implement requirements and controls of ISO/IEC 27701 in the context of the GDPR.
This document provides refinements to ISO/IEC 27701 in the application of controls and guidance in
ISO/IEC 27701 specific to GDPR where necessary. This document is applicable to the same entities as is
ISO/IEC 27701: all types and sizes of organizations, including public and private companies, government
entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII
within an ISMS (information security management system). This is intended to be used by organizations
in the GDPR context for the purpose of demonstrating compliance with their obligations. ISO/IEC 27701
combined with the refinements of this document constitutes a set of requirements which is more
specifically designed and fit for the context of GDPR than the generic ones from ISO/IEC 27701 alone.
Thus ISO/IEC 27701 can be considered as an international framework, which can be refined for a
particular regional context (in the case of this document, the GDPR), and even to add requirements fit for
a given jurisdiction/country or sector (out of scope of this document).
The refinements to ISO/IEC 27701, for processing operations as part of products, processes, and services
specified in this document can be used for conformity assessment which can be conducted, either by first,
second, or third parties. In particular, certification bodies can use these requirements and refinements to
assess the conformity of both a privacy information management system per ISO/IEC 17021 and the
processing operations of a product, process or service per ISO/IEC 17065. Certification schemes for
products involving PII processing can reference this document, as described in ISO/IEC 17067 for “type
6” schemes.
NOTE “product” can be read as “process” or “service” (ISO/IEC 17065, Clause 1 and Annex B).
The requirements in this document can be part of a scheme governed under both ISO/IEC 17065 for the
requirements on products involving PII processing activities (“product requirements” as per
ISO/IEC 17065 Clause 3.8) and ISO/IEC 17021 for the management system requirements
(ISO/IEC 17067 type 6 scheme).
GDPR Article 42 encourages the establishment of data protection certification mechanisms. Provisions of
this document can be used by competent bodies to specify data protection certification mechanisms as
per GDPR article 42 in order to assess the conformity of processing operations in the PIMS as per
ISO/IEC 17065 including assessment of privacy information management system systematic elements as
allowed by Clause 6 of ISO/IEC 17067.
1 Scope
This document specifies refinements for an application of ISO/IEC 27701 in a European context.
This document is applicable to the same entities as is ISO/IEC 27701: all types and sizes of organizations,
including public and private companies, government entities and not-for-profit organizations, which are
PII controllers and/or PII processors processing PII within an ISMS (information security management
system).
An organization can use this document for the implementation of the generic requirements and controls
of ISO/IEC 27701 according to its context and its applicable obligations.
Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065
for processing operations performed within the scope of a privacy information management system
according to ISO/IEC 27701, which can be combined with certification requirements for ISO/IEC 27701
under ISO/IEC 17021.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27701:—, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy
information management - Requirements and guidelines
EN ISO/IEC 27001:2017, Information technology - Security techniques - Information security management
systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015)
3 Terms and definitions
No terms and definitions are listed in this document.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at https://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp
4 Structure of this document
Clause 5 refers to the privacy information management system as defined in ISO/IEC 27701, and specifies
additional requirements and refinements of requirements.
Clause 6 specifies the requirements for PII processing operations as part of products, processes, or
services; these are requirements for the organization to implement specific controls from Annexes A, B,
C and related guidance.
Annex A refers to the ISO/IEC 27001 Annex A controls.
Annex B refers to the ISO/IEC 27701 Annex A controls for PII controllers.
Annex C refers to the ISO/IEC 27701 Annex B controls for PII processors.
NOTE The undated normative reference ISO/IEC 27701:— in Clause 2 was under preparation when this document was published. Stage at time of publication: ISO/IEC DIS 27701:2023.
The informative Annex D provides a model for combining certifications governed by ISO/IEC 17021 and
ISO/IEC 17065. Finally, Annex E presents the relationship between this document and EU 2016/679
GDPR.
5 Privacy information management system for PII processing operations
The organization shall establish, implement, maintain, and continually improve a PIMS as defined in
ISO/IEC 27701.
The organization shall determine the PII processing operations within the scope of the management
system (ISO/IEC 27701, 5.2.3).
ISO/IEC 27701:2021, 5.2.3 is refined as follows:
When determining this scope, the organization shall consider interfaces and dependencies between PII
processing activities internal and external to the organization.
EN ISO/IEC 27001:2013, 6.1.3 c) is refined as follows:
The controls determined in ISO/IEC 27001:2013 6.1.3 b) shall be compared with the controls in Annex A,
Annex B and/or Annex C to verify that no necessary controls have been omitted.
When assessing the applicability of control objectives and controls from Annex A for the treatment of
risks, the control objectives and controls shall be considered in the context of both risks to information
security as well as risks related to the processing of PII, including risks to PII principals.
EN ISO/IEC 27001:2013, 6.1.3 d) is refined as follows:
Produce a Statement of Applicability that contains:
— the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c) as refined above];
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the controls in Annex A, and in Annex B and/or Annex C
according to the organization’s determination of its role (see ISO/IEC 27701, 5.2.1).
Annexes A, B and C specify which controls the organization shall implement, depending on the role of
the organization. Therefore, these controls cannot be excluded.
6 Requirement for PII processing operations
For all PII processing operations as determined in Clause 5, the organization shall implement the controls
required per Annexes A, B, C depending on the role of the organization (see ISO/IEC 27701, 5.2.1).
Annex A
(normative)
Information security and privacy controls
This annex is for use by all organizations, whatever their role is (acting as PII controller, PII processor, or
both). This annex lists all the controls from ISO/IEC 27001:2013 Annex A and states where extensions to
those controls are included in ISO/IEC 27701 and where refinements in a European context are
applicable.
In Table A.1, references to ISO/IEC 27001:2013 controls are of two types:
— references to ISO/IEC 27001:2013 controls in the form “The control ISO/IEC 27001:2013 [control number A.x.y.z] applies.” mean that the organization shall consider the applicability of the control according to its risk assessment (ISO/IEC 27701, 5.4.1.2) and risk treatment (ISO/IEC 27701, 5.4.1.3);
— requirements in the form “The organization shall implement control ISO/IEC 27001:2013 [control number A.x.y.z], following the additional guidance in [...].” mean that the organization shall implement all these controls following the related guidance to fulfil the general requirements in Clause 6 (in all cases, whatever the risk assessment and the risk treatment in the management system). Some controls of this type include additional refinements to the guidance of ISO/IEC 27701 in line with the scope of this document.
NOTE Clause numbers in this annex relate to the subclause numbers in ISO/IEC 27001:2013 Annex A.
Table A.1 — Control objectives and controls
Identifier | Control | Requirement
PIMS ISMS 5 Information security policies
PIMS ISMS 5.1 Management direction for information security
Objective: To provide management direction and support for information security and privacy in accordance with business requirements and relevant laws and regulations.
PIMS ISMS 5.1.1 | Policies for information security | The organization shall implement control ISO/IEC 27001 A.5.1.1, following the additional guidance in ISO/IEC 27701, 6.2.1.1.
PIMS ISMS 5.1.2 | Review of the policies for information security | The control ISO/IEC 27001 A.5.1.2 applies.
PIMS ISMS 6 Organization of information security
PIMS ISMS 6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security and privacy within the organization.
PIMS ISMS 6.1.1 | Information security roles and responsibilities | The organization shall implement control ISO/IEC 27001 A.6.1.1, following the additional guidance in ISO/IEC 27701, 6.3.1.1, and these additional refinements:
— The organization shall appoint a data protection officer (DPO), if the nature, scope and purposes of the processing requires it as per the applicable obligations, as the responsible person per ISO/IEC 27701:2021, 6.3.1.1.
— The organization shall ensure that the DPO has sufficient resources to undertake their tasks, reports to the highest management level, is involved in all issues related to the protection of PII, and that contact details of the DPO are published and communicated to the supervisory authority and the PII principals.
— The organization shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks.
PIMS ISMS 6.1.2 | Segregation of duties | The organization shall implement control ISO/IEC 27001 A.6.1.2.
PIMS ISMS 6.1.3 | Contact with authorities | The control ISO/IEC 27001 A.6.1.3 applies.
PIMS ISMS 6.1.4 | Contact with special interest groups | The control ISO/IEC 27001 A.6.1.4 applies.
PIMS ISMS 6.1.5 | Information security in project management | The control ISO/IEC 27001 A.6.1.5 applies.
PIMS ISMS 6.2 Mobile devices and teleworking
Objective: To ensure the security and privacy of teleworking and use of mobile devices.
PIMS ISMS 6.2.1 | Mobile device policy | The organization shall implement control ISO/IEC 27001 A.6.2.1, following the additional guidance in ISO/IEC 27701, 6.3.2.1.
PIMS ISMS 6.2.2 | Teleworking | The control ISO/IEC 27001 A.6.2.2 applies.
PIMS ISMS 7 Human resource security
PIMS ISMS 7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
PIMS ISMS 7.1.1 | Screening | The control ISO/IEC 27001 A.7.1.1 applies.
PIMS ISMS 7.1.2 | Terms and conditions of employment | The control ISO/IEC 27001 A.7.1.2 applies.
PIMS ISMS 7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security and privacy responsibilities.
PIMS ISMS 7.2.1 | Management responsibilities | The control ISO/IEC 27001 A.7.2.1 applies.
PIMS ISMS 7.2.2 | Information security awareness, education and training | The organization shall implement control ISO/IEC 27001 A.7.2.2, following the additional guidance in ISO/IEC 27701, 6.4.2.2.
PIMS ISMS 7.2.3 | Disciplinary process | The control ISO/IEC 27001 A.7.2.3 applies.
PIMS ISMS 7.3 Termination and change of employment
Objective: To protect the organization’s interests as part of the process of changing or terminating employment.
PIMS ISMS 7.3.1 | Termination or change of employment responsibilities | The control ISO/IEC 27001 A.7.3.1 applies.
PIMS ISMS 8 Asset management
PIMS ISMS 8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.
PIMS ISMS 8.1.1 | Inventory of assets | The control ISO/IEC 27001 A.8.1.1 applies.
PIMS ISMS 8.1.2 | Ownership of assets | The control ISO/IEC 27001 A.8.1.2 applies.
PIMS ISMS 8.1.3 | Acceptable use of assets | The control ISO/IEC 27001 A.8.1.3 applies.
PIMS ISMS 8.1.4 | Return of assets | The control ISO/IEC 27001 A.8.1.4 applies.
PIMS ISMS 8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
PIMS ISMS 8.2.1 | Classification of information | The organization shall implement control ISO/IEC 27001 A.8.2.1, following the additional guidance in ISO/IEC 27701, 6.5.2.1.
PIMS ISMS 8.2.2 | Labelling of information | The organization shall implement control ISO/IEC 27001 A.8.2.2, following the additional guidance in ISO/IEC 27701, 6.5.2.2.
PIMS ISMS 8.2.3 | Handling of assets | The control ISO/IEC 27001 A.8.2.3 applies.
PIMS ISMS 8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
PIMS ISMS 8.3.1 | Management of removable media | The organization shall implement control ISO/IEC 27001 A.8.3.1, following the additional guidance in ISO/IEC 27701, 6.5.3.1.
PIMS ISMS 8.3.2 | Disposal of media | The organization shall implement control ISO/IEC 27001 A.8.3.2, following the additional guidance in ISO/IEC 27701, 6.5.3.2.
PIMS ISMS 8.3.3 | Physical media transfer | The organization shall implement control ISO/IEC 27001 A.8.3.3, following the additional guidance in ISO/IEC 27701, 6.5.3.3.
PIMS ISMS 9 Access control
PIMS ISMS 9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.
PIMS ISMS 9.1.1 | Access control policy | The organization shall implement control ISO/IEC 27001 A.9.1.1.
PIMS ISMS 9.1.2 | Access to networks and network services | The control ISO/IEC 27001 A.9.1.2 applies.
PIMS ISMS 9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
PIMS ISMS 9.2.1 | User registration and de-registration | The organization shall implement control ISO/IEC 27001 A.9.2.1, following the additional guidance in ISO/IEC 27701, 6.6.2.1.
PIMS ISMS 9.2.2 | User access provisioning | The organization shall implement control ISO/IEC 27001 A.9.2.2, following the additional guidance in ISO/IEC 27701, 6.6.2.2.
PIMS ISMS 9.2.3 | Management of privileged access rights | The organization shall implement control ISO/IEC 27001 A.9.2.3.
PIMS ISMS 9.2.4 | Management of secret authentication information of users | The control ISO/IEC 27001 A.9.2.4 applies.
PIMS ISMS 9.2.5 | Review of user access rights | The organization shall implement control ISO/IEC 27001 A.9.2.5.
PIMS ISMS 9.2.6 | Removal or adjustment of access rights | The organization shall implement control ISO/IEC 27001 A.9.2.6.
PIMS ISMS 9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
PIMS ISMS 9.3.1 | Use of secret authentication information | The control ISO/IEC 27001 A.9.3.1 applies.
PIMS ISMS 9.4 System and application control
Objective: To prevent unauthorized access to systems and applications.
PIMS ISMS 9.4.1 | Information access restriction | The organization shall implement control ISO/IEC 27001 A.9.4.1.
PIMS ISMS 9.4.2 | Secure log-on procedures | The organization shall implement control ISO/IEC 27001 A.9.4.2, following the additional guidance in ISO/IEC 27701, 6.6.2.2.
PIMS ISMS 9.4.3 | Password management system | The control ISO/IEC 27001 A.9.4.3 applies.
PIMS ISMS 9.4.4 | Use of privileged utility programs | The control ISO/IEC 27001 A.9.4.4 applies.
PIMS ISMS 9.4.5 | Access control to program source code | The control ISO/IEC 27001 A.9.4.5 applies.
PIMS ISMS 10 Cryptography
PIMS ISMS 10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
PIMS ISMS 10.1.1 | Policy on the use of cryptographic controls | The organization shall implement control ISO/IEC 27001 A.10.1.1, following the additional guidance in ISO/IEC 27701, 6.7.1.1.
PIMS ISMS 10.1.2 | Key management | The control ISO/IEC 27001 A.10.1.2 applies.
PIMS ISMS 11 Physical and environmental security
PIMS ISMS 11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
PIMS ISMS 11.1.1 | Physical security perimeter | The control ISO/IEC 27001 A.11.1.1 applies.
PIMS ISMS 11.1.2 | Physical entry controls | The control ISO/IEC 27001 A.11.1.2 applies.
PIMS ISMS 11.1.3 | Securing offices, rooms and facilities | The control ISO/IEC 27001 A.11.1.3 applies.
PIMS ISMS 11.1.4 | Protecting against external and environmental threats | The control ISO/IEC 27001 A.11.1.4 applies.
PIMS ISMS 11.1.5 | Working in secure areas | The control ISO/IEC 27001 A.11.1.5 applies.
PIMS ISMS 11.1.6 | Delivery and loading areas | The control ISO/IEC 27001 A.11.1.6 applies.
PIMS ISMS 11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
PIMS ISMS 11.2.1 | Equipment siting and protection | The control ISO/IEC 27001 A.11.2.1 applies.
PIMS ISMS 11.2.2 | Supporting utilities | The control ISO/IEC 27001 A.11.2.2 applies.
PIMS ISMS 11.2.3 | Cabling security | The control ISO/IEC 27001 A.11.2.3 applies.
PIMS ISMS 11.2.4 | Equipment maintenance | The control ISO/IEC 27001 A.11.2.4 applies.
PIMS ISMS 11.2.5 | Removal of assets | The control ISO/IEC 27001 A.11.2.5 applies.
PIMS ISMS 11.2.6 | Security of equipment and assets off-premises | The control ISO/IEC 27001 A.11.2.6 applies.
PIMS ISMS 11.2.7 | Secure disposal or reuse of equipment | The organization shall implement control ISO/IEC 27001 A.11.2.7, following the additional guidance in ISO/IEC 27701, 6.8.2.7.
PIMS ISMS 11.2.8 | Unattended user equipment | The control ISO/IEC 27001 A.11.2.8 applies.
PIMS ISMS 11.2.9 | Clear desk and clear screen policy | The organization shall implement control ISO/IEC 27001 A.11.2.9, following the additional guidance in ISO/IEC 27701, 6.8.2.9.
PIMS ISMS 12 Operations security
PIMS ISMS 12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
PIMS ISMS 12.1.1 Documented operating procedures: The control ISO/IEC 27001 A.12.1.1 applies.
PIMS ISMS 12.1.2 Change management: The control ISO/IEC 27001 A.12.1.2 applies.
PIMS ISMS 12.1.3 Capacity management: The control ISO/IEC 27001 A.12.1.3 applies.
PIMS ISMS 12.1.4 Separation of development, testing and operational environments: The organization shall implement control ISO/IEC 27001 A.12.1.4.
PIMS ISMS 12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
PIMS ISMS 12.2.1 Controls against malware: The control ISO/IEC 27001 A.12.2.1 applies.
PIMS ISMS 12.3 Backup
Objective: To protect against loss of data.
PIMS ISMS 12.3.1 Information backup: The organization shall implement control ISO/IEC 27001 A.12.3.1, following the additional guidance in ISO/IEC 27701, 6.7.1.1.
PIMS ISMS 12.4 Logging and monitoring
Objective: To record events and generate evidence.
PIMS ISMS 12.4.1 Event logging: The organization shall implement control ISO/IEC 27001 A.12.4.1, following the additional guidance in ISO/IEC 27701, 6.9.4.1.
PIMS ISMS 12.4.2 Protection of log information: The organization shall implement control ISO/IEC 27001 A.12.4.2, following the additional guidance in ISO/IEC 27701, 6.9.4.2.
PIMS ISMS 12.4.3 Administrator and operator logs: The control ISO/IEC 27001 A.12.4.3 applies.
PIMS ISMS 12.4.4 Clock synchronisation: The control ISO/IEC 27001 A.12.4.4 applies.
PIMS ISMS 12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
PIMS ISMS 12.5.1 Installation of software on operational systems: The control ISO/IEC 27001 A.12.5.1 applies.
PIMS ISMS 12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
PIMS ISMS 12.6.1 Management of technical vulnerabilities: The control ISO/IEC 27001 A.12.6.1 applies.
PIMS ISMS 12.6.2 Restrictions on software installation: The control ISO/IEC 27001 A.12.6.2 applies.
PIMS ISMS 12.7 Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
PIMS ISMS 12.7.1 Information systems audit control: The control ISO/IEC 27001 A.12.7.1 applies.
PIMS ISMS 13 Communications security
PIMS ISMS 13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
PIMS ISMS 13.1.1 Network controls: The control ISO/IEC 27001 A.13.1.1 applies.
PIMS ISMS 13.1.2 Security of network services: The control ISO/IEC 27001 A.13.1.2 applies.
PIMS ISMS 13.1.3 Segregation in networks: The control ISO/IEC 27001 A.13.1.3 applies.
PIMS ISMS 13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
PIMS ISMS 13.2.1 Information transfer policies and procedures: The organization shall implement control ISO/IEC 27001 A.13.2.1, following the additional guidance in ISO/IEC 27701, 6.10.2.1.
PIMS ISMS 13.2.2 Agreements on information transfer: The control ISO/IEC 27001 A.13.2.2 applies.
PIMS ISMS 13.2.3 Electronic messaging: The control ISO/IEC 27001 A.13.2.3 applies.
PIMS ISMS 13.2.4 Confidentiality or nondisclosure agreements: The organization shall implement control ISO/IEC 27001 A.13.2.4, following the additional guidance in ISO/IEC 27701, 6.10.2.4.
PIMS ISMS 14 System acquisition, development and maintenance
PIMS ISMS 14.1 Security requirements of information systems
Objective: To ensure that information security and privacy are an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
PIMS ISMS 14.1.1 Information security requirements analysis and specification: The control ISO/IEC 27001 A.14.1.1 applies.
PIMS ISMS 14.1.2 Securing application services on public networks: The organization shall implement control ISO/IEC 27001 A.14.1.2, following the additional guidance in ISO/IEC 27701, 6.11.1.2.
PIMS ISMS 14.1.3 Protecting application services transactions: The control ISO/IEC 27001 A.14.1.3 applies.
PIMS ISMS 14.2 Security in development and support processes
Objective: To ensure that information security and privacy are designed and implemented within the development lifecycle of information systems.
PIMS ISMS 14.2.1 Secure development policy: The organization shall implement control ISO/IEC 27001 A.14.2.1, following the additional guidance in ISO/IEC 27701, 6.11.2.1.
PIMS ISMS 14.2.2 System change control procedures: The control ISO/IEC 27001 A.14.2.2 applies.
PIMS ISMS 14.2.3 Technical review of applications after operating platform changes: The control ISO/IEC 27001 A.14.2.3 applies.
PIMS ISMS 14.2.4 Restrictions on changes to software packages: The control ISO/IEC 27001 A.14.2.4 applies.
PIMS ISMS 14.2.5 Secure system engineering principles: The organization shall implement control ISO/IEC 27001 A.14.2.5, following the additional guidance in ISO/IEC 27701, 6.11.2.5.
PIMS ISMS 14.2.6 Secure development environment: The control ISO/IEC 27001 A.14.2.6 applies.
PIMS ISMS 14.2.7 Outsourced development: The organization shall implement control ISO/IEC 27001 A.14.2.7, following the additional guidance in ISO/IEC 27701, 6.11.2.7.
PIMS ISMS 14.2.8 System security testing: The control ISO/IEC 27001 A.14.2.8 applies.
PIMS ISMS 14.2.9 System acceptance testing: The control ISO/IEC 27001 A.14.2.9 applies.
PIMS ISMS 14.3 Test data
Objective: To ensure the protection of data used for testing.
PIMS ISMS 14.3.1 Protection of test data: The organization shall implement control ISO/IEC 27001 A.14.3.1, following the additional guidance in ISO/IEC 27701, 6.11.3.1.
PIMS ISMS 15 Supplier relationships
PIMS ISMS 15.1 Information security in supplier relationships
Objective: To ensure protection of the organization’s assets that are accessible by suppliers.
PIMS ISMS 15.1.1 Information security policy for supplier relationships: The organization shall implement control ISO/IEC 27001 A.15.1.1.
PIMS ISMS 15.1.2 Addressing security within supplier agreements: The organization shall implement control ISO/IEC 27001 A.15.1.2, following the additional guidance in ISO/IEC 27701, 6.12.1.2.
PIMS ISMS 15.1.3 Information and communication technology supply chain: The organization shall implement control ISO/IEC 27001 A.15.1.3.
PIMS ISMS 15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and privacy, and service delivery in line with supplier agreements.
PIMS ISMS 15.2.1 Monitoring and review of supplier services: The organization shall implement control ISO/IEC 27001 A.15.2.1.
PIMS ISMS 15.2.2 Managing changes to supplier services: The organization shall implement control ISO/IEC 27001 A.15.2.2.
PIMS ISMS 16 Information security incident management
PIMS ISMS 16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security and privacy incidents, including communication on security and privacy events and weaknesses.
PIMS ISMS 16.1.1 Responsibilities and procedures: The organization shall implement control ISO/IEC 27001 A.16.1.1, following the additional guidance in ISO/IEC 27701, 6.13.1.1 and these additional refinements:
  — The organization shall establish responsibilities and procedures for information security and privacy incident management which include:
    o criteria for notifications to required parties (supervisory authority, customer, (joint) controller, PII principals);
    o timing of notifications; and
    o content of notifications.
  — The organization shall identify applicable obligations related to notifications and document alignment with those obligations (e.g. notification to a competent supervisory authority without undue delay, where feasible within 72 h after having become aware of it).
PIMS ISMS 16.1.2 Reporting information security events: The control ISO/IEC 27001 A.16.1.2 applies.
PIMS ISMS 16.1.3 Reporting information security weaknesses: The control ISO/IEC 27001 A.16.1.3 applies.
PIMS ISMS 16.1.4 Assessment of and decision on information security events: The control ISO/IEC 27001 A.16.1.4 applies.
PIMS ISMS 16.1.5 Response to information security incidents: The organization shall implement control ISO/IEC 27001 A.16.1.5, following the additional guidance in ISO/IEC 27701, 6.13.1.5 and these additional refinements:
  Refinements for PII controllers:
  The organization shall identify applicable obligations related to criteria for notifications to the supervisory authority, and/or to the PII principals, and document alignment with those obligations (for example criteria related to risks for the PII principals).
  Notifications shall contain as a minimum the following:
  — a contact point where more information can be obtained;
  — a description of and the likely consequences of the breach;
  — the number of individuals concerned as well as the number of records concerned;
  — measures taken or planned to be taken.
  Refinements for PII processors:
  In case of breach of PII, the PII processor shall notify the PII controller of the existence of the breach without undue delay after becoming aware of the breach so that the PII controller can take the appropriate actions.
PIMS ISMS 16.1.6 Learning from information security incidents: The control ISO/IEC 27001 A.16.1.6 applies.
PIMS ISMS 16.1.7 Collection of evidence: The control ISO/IEC 27001 A.16.1.7 applies.
PIMS ISMS 17 Information security aspects of business continuity management
PIMS ISMS 17.1 Information security continuity
Objective: Information security and privacy continuity shall be embedded in the organization’s business continuity management systems.
PIMS ISMS 17.1.1 Planning information security continuity: The control ISO/IEC 27001 A.17.1.1 applies.
PIMS ISMS 17.1.2 Implementing information security continuity: The control ISO/IEC 27001 A.17.1.2 applies.
PIMS ISMS 17.1.3 Verify, review and evaluate information security continuity: The control ISO/IEC 27001 A.17.1.3 applies.
PIMS ISMS 17.2 Redundancies
Objective: To ensure availability of information processing facilities.
PIMS ISMS 17.2.1 Availability of information processing facilities: The control ISO/IEC 27001 A.17.2.1 applies.
PIMS ISMS 18 Compliance
PIMS ISMS 18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and privacy and of any security and privacy requirements.
PIMS ISMS 18.1.1 Identification of applicable legislation and contractual requirements: The organization shall implement control ISO/IEC 27001 A.18.1.1, following the additional guidance in ISO/IEC 27701, 6.15.1.1.
PIMS ISMS 18.1.2 Intellectual property rights: The control ISO/IEC 27001 A.18.1.2 applies.
PIMS ISMS 18.1.3 Protection of records: The organization shall implement control ISO/IEC 27001 A.18.1.3, following the additional guidance in ISO/IEC 27701, 6.15.1.3.
PIMS ISMS 18.1.4 Privacy and protection of personally identifiable information: The organization shall implement control ISO/IEC 27001 A.18.1.4.
PIMS ISMS 18.1.5 Regulation of cryptographic controls: The control ISO/IEC 27001 A.18.1.5 applies.
PIMS ISMS 18.2 Information security reviews
Objective: To ensure that information security and privacy are implemented and operated in accordance with the organizational policies and procedures.
PIMS ISMS 18.2.1 Independent review of information security: The organization shall implement control ISO/IEC 27001 A.18.2.1, following the additional guidance in ISO/IEC 27701, 6.15.2.1.
PIMS ISMS 18.2.2 Compliance with security policies and standards: The control ISO/IEC 27001 A.18.2.2 applies.
PIMS ISMS 18.2.3 Technical compliance review: The organization shall implement control ISO/IEC 27001 A.18.2.3, following the additional guidance in ISO/IEC 27701, 6.15.2.3.
Annex B
(normative)
PIMS-specific reference control objectives and controls (PII Controllers)
This annex is for use by organizations acting as PII controllers, with or without the use of PII processors.
It refines ISO/IEC 27701:2021, Annex A.
In Table B.1, references to ISO/IEC 27701:2021 controls are in the form “The organization shall
implement control ISO/IEC 27701 [control number A.x.y.z.] following the additional guidance in …”; it
means that the organization shall implement all these controls following the related guidance to fulfil the
general requirement in Clause 6 (in all cases, whatever the risk assessment and risk treatment).
NOTE Clause numbers in this annex relate to the subclause numbers in ISO/IEC 27701:2021, Annex A.
Table B.1 — Control objectives and controls
PIMS CTRL 7.2 Conditions for collection and processing
Objective: To determine and document that processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes.
PIMS CTRL 7.2.1 Identify and document purpose: The organization shall implement control ISO/IEC 27701 A.7.2.1, following the guidance in ISO/IEC 27701, 7.2.1.
PIMS CTRL 7.2.2 Identify lawful basis: The organization shall implement control ISO/IEC 27701 A.7.2.2, following the guidance in ISO/IEC 27701, 7.2.2.
PIMS CTRL 7.2.3 Determine when and how consent is to be obtained: The organization shall implement control ISO/IEC 27701 A.7.2.3, following the guidance in ISO/IEC 27701, 7.2.3.
PIMS CTRL 7.2.4 Obtain and record consent: The organization shall implement control ISO/IEC 27701 A.7.2.4, following the guidance in ISO/IEC 27701, 7.2.4.
PIMS CTRL 7.2.5 Privacy impact assessment: The organization shall implement control ISO/IEC 27701 A.7.2.5, following the guidance in ISO/IEC 27701, 7.2.5 and these additional refinements:
  - The organization shall identify processing operations which may result in high risks to the rights and freedoms of PII principals.
  - The organization shall undertake and document privacy impact assessments for high risk processing operations.
  - The organization shall involve the DPO or the persons in charge of privacy matters (where a DPO is not designated) in the review of high risk processing and in carrying out the PIA.
  - The organization, where appropriate, shall seek the views of the PII principals or their representative, without prejudice to the protection of commercial or public interests or the security of processing operations.
  - When a PIA identifies processing that may result in high risks to PII principals, in the absence of measures taken by the controller to mitigate residual risk, the organization shall consult the supervisory authorities prior to processing, and supply them with the details required.
  The PIA shall at the minimum:
  - describe systematically the envisaged processing operations and their purposes;
  - describe the legal basis of the processing activity;
  - assess the necessity and proportionality of the processing operations in relation to the purposes;
  - identify and assess risks to PII principals;
  - identify the measures that will address the risks to PII principals.
PIMS CTRL 7.2.6 Contracts with PII processors: The organization shall implement control ISO/IEC 27701 A.7.2.6, following the guidance in ISO/IEC 27701, 7.2.6.
PIMS CTRL 7.2.7 Joint PII controller: The organization shall implement control ISO/IEC 27701 A.7.2.7, following the guidance in ISO/IEC 27701, 7.2.7.
PIMS CTRL 7.2.8 Records related to processing PII: The organization shall implement control ISO/IEC 27701 A.7.2.8, following the guidance in ISO/IEC 27701, 7.2.8.
PIMS CTRL 7.3 Obligations to PII principals
Objective: To ensure that PII principals are provided with appropriate information about the processing of their PII and to meet any other applicable obligations to PII principals related to the processing of their PII.
PIMS CTRL 7.3.1 Determining and fulfilling obligations to PII principals: The organization shall implement control ISO/IEC 27701 A.7.3.1, following the guidance in ISO/IEC 27701, 7.3.1.
Determining
The organization shall implement control ISO/IEC 27701
PIMS CTRL
informa
...
Frequently Asked Questions
EN 17926:2023 is a standard published by the European Committee for Standardization (CEN). Its full title is "Privacy Information Management System per ISO/IEC 27701 - Refinements in European context". This standard covers: This document specifies refinements for an application of ISO/IEC 27701 in a European context. An organization can use this document for the implementation of the generic requirements and controls of ISO/IEC 27701 according to its context and its applicable obligations. Certification bodies can use the specifications in this document as a basis for certification criteria verifying conformity to ISO/IEC 27701. Certification criteria based on these specifications can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a Privacy Information Management System according to ISO/IEC 27701, which can be combined with certification requirements for ISO/IEC 27701 under ISO/IEC 17021. Accreditation bodies or regulatory authorities can use provisions in this document as criteria to establish certification mechanisms.
EN 17926:2023 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.