PIMS-DOC-04-1 Privacy Context, Requirements and Scope



Privacy Context, Requirements and Scope

ISO/IEC 27701 Toolkit: Version 2

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document sets out the organizational context of the PIMS. It describes what the organization does, how it does it, what factors influence the way it operates and the reasons for the definition of the scope of the PIMS.

Areas of the standard addressed

The following areas of the ISO/IEC 27701 standard are addressed by this document:

• 4. Context of the Organization

o 4.1 Understanding the organization and its context

o 4.2 Understanding the needs and expectations of interested parties

o 4.3 Determining the scope of the PIMS

o 4.4 Privacy Information management system

• 5 Leadership

o 5.1 Leadership and commitment

General guidance

If your organization already has ISO27001 certification then much of the contents of this document may already be documented, in which case this information will need to be readily available at the ISO/IEC 27701 audit.

This is a key document that will need involvement from senior management to put together. In overview, it describes why an effective PIMS is needed and what may happen to the organization if one is not in place. The risk assessments required by later sections of the standard will then define this in more detail.

As part of the implementation you may need to meet with the various interested parties to understand their view of the risk areas and consequences of failure. You may also need to obtain legal advice if your industry is subject to significant legal or regulatory requirements.

As with most of the documents in the PIMS you should ensure that all relevant parties are aware of the contents of this document, particularly as it sets out the need for additional procedures which may involve asking employees to do more work. Understanding the reason for this may reduce resistance to the PIMS within the organization.

It is worth spending some time getting the scope of the PIMS right as the other areas of the standard rely upon this. As with most international standards, it is acceptable to start with a limited scope definition and then to expand it over time as more familiarity and experience is gained by the organization.

Review frequency

We would recommend that this document is reviewed as part of an annual exercise which should include significant business involvement to ensure that changed requirements are captured and feedback obtained.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Privacy Context, Requirements and Scope [Insert classification]

Privacy Context, Requirements and Scope

DOCUMENT CLASSIFICATION [Insert classification]

DOCUMENT REF PIMS-DOC-04-1

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]

Revision history

Approval NAME

1 Introduction

[Organization Name] is committed to protecting the personally identifiable information (PII) it processes, as controller and as processor, in the face of incidents and unwanted events, and has implemented a Privacy Information Management System (PIMS) that is compliant with ISO/IEC 27701.

The purpose of this document is to describe the way the business operates and the internal and external factors influencing it, and to highlight in general terms the potential consequences of a breach of PII. This allows the most appropriate mix of control measures to be put in place to reduce the level of risk, and ensures that plans are available and tested to manage the impact of any PII breaches that do occur.

Specifically, this document sets out:

• The context of the organization

• External and internal issues relevant to the purpose of [Organization Name]

• Interested parties relevant to the PIMS

• Privacy requirements of these interested parties

• The scope of the PIMS, including its boundaries and applicability

This document will be updated at least annually and when significant change happens to the relevant areas covered.

2 Context of the organization

2.1 Background

Given the fast-moving nature of the business and the markets in which it operates the organizational context will change over time. This document will be reviewed on an annual basis and any significant changes incorporated. The PIMS will also be updated to cater for the implications of such changes.

[Organization Name] undertakes a wide range of business activities within its target sectors and is constantly developing new products and services to bring to market.

[Give some brief background to the organization, for example:

• What does the organization do?

• What type of cloud services are provided e.g. SaaS, PaaS, IaaS (CSPs only)

• When was it formed?

• What is its structure e.g. group of companies?

• What is its main industrial sector?

• Who are its main customers?

• In which geographical regions does it operate?

• What is its annual turnover?

• How is it organised into business functions or teams?

• Where are its main offices?

• Which products and services create the most revenue and profit?

• Which products and services are the most high profile?

• Are any of the products and services subject to external regulation?

• Do any of the products and services have a health and safety aspect?

• What supply chains does the organization rely on?]

2.2 PII controller and processor roles

[Organization Name] acts in the role of a controller of PII with respect to a number of areas of its processing, including:

• As an employer

• As a provider of goods and services to its customers

• In order to comply with relevant legislation

• [List additional ways in which the organization acts as a controller of PII]

[Organization Name] acts in the role of a joint controller of PII with respect to a number of areas of its processing, including:

• [List specific cases where the organization acts as a joint controller of PII]


In each of these cases, the split of responsibilities between the parties acting as joint controllers has been agreed and formally documented.

[Organization Name] acts in the role of a processor of PII with respect to a number of areas of its processing, including:

• As a provider of goods and services to its customers

• [List additional ways in which the organization acts as a processor of PII]

2.3 External and internal factors

There are a number of external and internal factors that are relevant to the context of [Organization Name] and that affect the ability of the PIMS to achieve its intended outcome(s).

With regard to the external environment in which [Organization Name] operates, there are a number of relevant external factors.

These include:

[List any specific external factors. These are often grouped under the areas defined by the term PESTLE as shown below. Suggested privacy-specific factors are shown in italics in the following lists. For specific privacy legislation that may be relevant to your business operations and processing of PII, refer as a starting point to the document Applicable Privacy Legislation within the CertiKit ISO27701 Toolkit.

• Political

o Government policy changes

o Government policy towards the issue of privacy

o Government instability

o Unrest in countries in which the organization operates

o Trade restrictions and tariffs

o Significant political changes such as Brexit in the UK

• Economic

o Prevailing economic climate

o Attitudes and approaches of major suppliers towards privacy

o Significant privacy-related fines levied on organizations

o Interest and inflation rates

o Supplier failure

o Lack of customer demand

o Increasing globalization of supply and/or demand

o Increasing competition

• Social

o Changing demographics

o Population growth changes

o Societal attitudes towards privacy


o Social attitudes

o Media coverage of breaches of PII

• Technology

o Pace of innovation

o Supporting technologies and infrastructure

o Automation and artificial intelligence

o Developments that affect, or could affect, privacy e.g. face recognition

• Legal

o Potential legislative changes

o Regulatory changes

o Judicial decisions on cases involving privacy

o New privacy laws in countries in which we operate

• Environmental

o Climate change

o Fire, flood, earthquake etc.

o Pollution]

These general external factors will be considered in more detail as part of the risk assessment process.

With regard to the [Organization Name] business itself, there are a number of relevant internal factors.

These include:

[List any specific internal issues, for example:

• Uncertainties in employee relations

• Significant organizational changes

• Location moves

• New products and services that involve the processing of PII

• Previous breaches relating to PII

• Company financial performance

• Company culture

• Resources and knowledge of the organization

• Governance and organizational structure

• Adopted standards and models

• Contractual relationships

You could choose to group internal issues using a SWOT analysis – Strengths, Weaknesses, Opportunities and Threats]

These general internal factors will be considered in more detail as part of the risk assessment process.


2.4 Understanding the needs and expectations of interested parties

This section of the document sets out the interested parties that are relevant to the ISMS and PIMS and their requirements. It also summarises the applicable legal and regulatory requirements to which the organization subscribes.

2.4.1 Interested parties

An interested party is defined as “a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”.

The following are defined as interested parties that are relevant to the PIMS [Suggested privacy-specific interested parties are shown in italics in the following lists]:

• Shareholders

• Board of Directors

• Suppliers

• Customers

• PII principals

• Regulatory bodies

• Supervisory authorities

• Customer user groups

• Employees of the organization

• Contractors providing services to the organization

• PII processors

• PII sub-processors

• National or local government organizations

• Joint PII controllers

• Emergency services

• Trade associations and industry bodies

• Trade unions

• General public

• Investors

• Distributors

• Competitors

• Media

• Neighbours

• Dependents of employees

[If appropriate, list for each interested party:

• Name of organization

• The nature of the interest

• Degree of influence over the organization

• Value of the interest (if appropriate)

• Any other relevant information]

Applicable legal and regulatory requirements arise from the following:

• Sarbanes-Oxley Act 2002 (USA)

• EU General Data Protection Regulation

• UK Data Protection Act

• UK GDPR

• UK Data (Use and Access) Act

• California Consumer Privacy Act

• Health and Safety legislation

• Payment Card Industry – Data Security Standard compliance


• Financial Services legislation

• National and international standards e.g. ISO9001

• Consumer protection legislation

• [Specify laws and regulation relevant to your organization]

2.4.2 Requirements of interested parties

For details of how applicable legal, regulatory and contractual requirements are identified, accessed and assessed, see the PIMS document Legal, Regulatory and Contractual Requirements Procedure. The applicable requirements of interested parties and of legal and regulatory bodies are summarised in Table 1.

Table 1: Requirements of interested parties

• Minutes of Annual General Meeting dd/mm/yyyy

• Minutes of Board Meeting dd/mm/yyyy

• Regulatory

• Supervisory authorities

• Customer user groups

• Employees of the organization

• Contractors providing services to the organization

• PII processors

• PII sub-processors

• National or local government bodies

• Joint PII controllers

• Emergency services

• Trade associations and industry bodies

• Trade unions

• Sarbanes-Oxley Act 2002 (USA)

• Health and Safety legislation

• Payment Card Industry – Data Security Standard compliance

2.5 Determining the scope of the PIMS

The defined scope of [Organization Name]’s PIMS considers the internal and external factors referred to in this document and the relevant organizational interfaces and dependencies described. It also reflects the needs of interested parties and the legal and regulatory requirements that are applicable to the organization.

The scope is defined below in terms of the parts of the organization, products and services and related activities.

2.5.1 Organizational

The PIMS includes the following parts of the [Organization Name] organization:

[Specify the parts of the organization included in terms of business function, geographical location or other organizational boundary e.g. individual companies within a group structure. This must take account of outsourced processes which, although delivered by a third party, are under the organization’s direct control]

2.5.2 Products and services

The following products and services are within the scope of the PIMS:

[List the products and services at an appropriate level of detail. This is more likely to be in the form of product and service types rather than specifics, which are likely to change rapidly over time. The products and services selected must be consistent with the organizational split given in the previous section. Those with particular requirements for the processing of PII may be highlighted]

2.5.3 Activities

The following activities are within the scope of the PIMS:

[List the business activities at an appropriate level of detail. The activities specified must be consistent with the organizational and product/service split given in the previous sections]

2.5.4 Exclusions

The following areas are specifically excluded from the scope of the PIMS:

[Detail what is excluded and why, in terms of organizational parts, products / services and activities. This must remain consistent with the overall approach and not compromise the ability of the PIMS to produce the desired results and meet its objectives.]
