A framework for a combined Information Security Management System (ISMS) according to ISO/IEC 27001:2022 and Privacy Information Management System (PIMS) according to ISO/IEC DIS 27701. The framework has been implemented and has passed a certification audit without any findings.

The table below maps each ISO/IEC 27001 clause to the corresponding ISO/IEC 27701 clause, the documented information each requires, the evidence that satisfies both, and the function that owns it. Two abbreviations are used throughout: the Information Security and Privacy Management Framework (IPMF) is the core framework document, and the Information Security and Privacy Function (ISPF) is the owning role.
| # | ISO 27001 Clause | Documented ISO 27001 Information | ISO 27701 Clause | Documented ISO 27701 Information | Evidence | Ownership |
|---|---|---|---|---|---|---|
| 1 | 4.1 | Internal & External Issues | 5.2.1 | Internal & External Issues: Role as a PII controller or PII processor | Information Security and Privacy Management Framework (IPMF) | Information Security and Privacy Function (ISPF) |
| 2 | 4.2 | Interested parties | 5.2.2 | Interested parties: PII processing responsibilities | IPMF | ISPF |
| 3 | 4.2 | Requirements of interested parties | 5.2.2 | Requirements of interested parties relevant to PII | IPMF | ISPF |
| 4 | 4.3 | External parties | 5.2.3 | External parties | IPMF | ISPF |
| 5 | 4.3 | Dependencies | 5.2.3 | Dependencies | IPMF | ISPF |
| 6 | 4.3 | Scope Statement | 5.2.3 | Scope Statement | IPMF | ISPF |
| 7 | 4.4 | Information Security Management System | 5.2.4 | Privacy Information Management System | IPMF | ISPF |
| 8 | 5.1 | Leadership | 5.3.1 | Leadership | ISMS/PIMS, Information Security and Privacy Policy | ISPF |
| 9 | 5.2 | Policy | 5.3.2 | Policy | Information Security and Privacy Policy | ISPF |
| 10 | 5.3 | Roles, Responsibilities and Authorities | 5.3.3 | Roles, Responsibilities and Authorities | IPMF | ISPF |
| 11 | 6.1 | Address risks and opportunities | 5.4.1 | Risks and Opportunities, including Privacy Impact Assessment | Risk Management Framework v1.0, Risk Assessment Reports | ISPF |
| 12 | 6.1.3 d) | Statement of Applicability | 5.4.1.3 | Statement of Applicability | ISMS/PIMS Statement of Applicability | ISPF |
| 13 | 6.2 | Information Security Objectives | 5.4.2 | Information Security [and Privacy] Objectives | Information Security and Privacy Policy | ISPF |
| 14 | 7.1 | Resources | 5.5.1 | Resources | IPMF | ISPF |
| 15 | 7.2 | Competence | 5.5.2 | Competence | IPMF | ISPF |
| 16 | 7.3 | Awareness | 5.5.3 | Awareness | IPMF | ISPF |
| 17 | 7.4 | Communication | 5.5.4 | Communication | IPMF | ISPF |
| 18 | 7.5 | Documented Information | 5.5.5 | Documented Information | IPMF | ISPF |
| 19 | 8.1 | Operational Planning and Control | 5.6.1 | Operational Planning and Control | IPMF | ISPF |
| 20 | 8.2 | Risk Assessment | 5.6.2 | Risk Assessment and Privacy Impact Assessment | Risk Assessment Report | ISPF |
| 21 | 8.3 | Risk Treatment | 5.6.3 | Risk Treatment | Risk Assessment Report | ISPF |
| 22 | 9.1 | Monitoring, Measurement, Analysis and Evaluation | 5.7.1 | Monitoring, Measurement, Analysis and Evaluation | Regular Monitoring Reports | ISPF |
| 23 | 9.2 | Internal Audit | 5.7.2 | Internal Audits | Internal Audit and Management Review process, Internal Audit Reports | ISPF |
| 24 | 9.3 | Management Review | 5.7.3 | Management Reviews | Internal Audit and Management Review process, Management Review Report & minutes of meeting (MOM) | ISPF |
| 25 | 10.1 | Continual Improvement | 5.8.1 | Continual Improvement | Regular Progress Reports | ISPF |
| 26 | 10.2 | Non-conformities & Corrective Action | 5.8.2 | Non-conformities & Corrective Action | Regular Non-conformity and Corrective Action (NCCA) Reports | ISPF |
For more information, send an email to security@internet.is or contact Marino G. Njalsson on LinkedIn.