Last Updated on June 29, 2021
The new ISO 27701 “certifiable extension” to ISO 27001 lets you add a Privacy Information Management System (PIMS) to your Information Security Management System (ISMS). Escalating data privacy requirements make an ISO 27001 certificate an appealing option to show clients, investors, regulators and management that you have a solid privacy posture.
To unpack useful experiences from Pivot Point Security’s initial ISO 27701 engagements, a recent episode of The Virtual CISO Podcast features Andrew Frost and Aurore Watts, two GRC Consultants who have led a number of clients through successful ISO 27701 audits. Hosting the show as usual is John Verry, Pivot Point Security’s CISO and Managing Partner.
Data mapping is a critical element in any privacy initiative. What are some of the common challenges?
Andrew reports: “Data mapping is basically figuring out where all the PII lives and where it’s processed. A lot of companies don’t know that, and it’s hard to nail them down and figure out where it actually is. We usually start with talking to someone about their tools or what software they use, and drill down into what that software does. Some of the lessons learned are where people don’t think about where data is. Places like temporary files, or even a Contact Us page on a website, for example. People sometimes just don’t know where that data is going. An email comes into the company and people just send it all over the place, and that’s PII. So, we have to track that down and figure out where that’s going to end up living. Which sometimes takes a lot longer than you think it should.”
“When we start the conversation, we have maybe a few names that we know we’re going to talk to,” recounts Aurore. “But really, we end up talking to many more people because, like Andrew says, it’s really an investigation. It’s really looking for where is that PII, what do you do with it, who do you transfer it to? It does become a lot of conversation, though it’s something that some clients want to do just with questionnaires. We’ve found that this doesn’t work because of all those follow-up conversations that are needed.”
John echoes: “Very often, people might not fully understand the question. Sitting across the table from you, they get some sense of clarity. Whereas that clarification is very inefficient to get through a survey or questionnaire-style approach.”
“There’s always a follow-up question for any question—and for any answer, usually, too,” adds Andrew.
John points out data mapping in a privacy context is equivalent or analogous to the Record of Processing Activities (ROPA), which ISO 27701 and GDPR Article 30 both reference. A data map or ROPA enables you to connect elements of the PII that you’re gathering and/or processing to the internal processes that act on that data and to the people and systems that store it. You need all those connections to be able to service a data subject access request (DSAR), for example.
As Aurore then notes, you’ll probably need to identify additional information pertaining to PII as part of your ROPA. Like, is there a lawful basis for that processing, as GDPR Article 6 mandates. Or the source of the data, in the case of a data processor.
Moving towards ISO 27701 certification? Listen to this show with Aurore and Andrew and hopefully benefit from our “teething pains”!