PIMS-DOC-05-2 Privacy Roles Responsibilities and Authorities



PIMS Roles, Responsibilities and Authorities

ISO/IEC 27701 Toolkit: Version 2


Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text, and certain generic terms, see the Completion Instructions document.

Purpose of this document

The document sets out the various roles within the PIMS together with their relevant responsibilities and levels of authority.

Areas of the standard addressed

The following areas of the ISO/IEC 27701 standard are addressed by this document:

• 5. Leadership

o 5.3 Roles, responsibilities and authorities

• A.3 Security considerations for PII controllers and processors

o A.3.4 Information security roles and responsibilities

General guidance

There are many ways to define the organization structure associated with a PIMS, depending on size, geographical spread, technology, culture and whether customers are internal or external, amongst others. Because of this, you will need to tailor this document to reflect your own organization’s structure and job roles.

The outline approach taken by this document is to identify the areas set out in the standard and then to define the typical responsibilities associated with each. This may then be used as a starting point to decide how these areas, and the responsibilities within them, will be allocated to roles within your specific organization structure.

In a larger organization, these areas will often be allocated to different people. In a smaller organization these responsibilities may need to be allocated to relatively few people, the main one possibly being the PIMS Manager or similar role.

If it’s relevant to your organization, this document also sets out the outline split of information security responsibilities between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC). These will vary according to the type of cloud service(s) offered (e.g. PaaS, SaaS) and should also be communicated to the CSC, ideally before contracts are signed.


Review frequency

We recommend that this document is reviewed annually and upon significant changes to the organization structure.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

PIMS Roles, Responsibilities and Authorities


DOCUMENT CLASSIFICATION [Insert classification]

DOCUMENT REF PIMS-DOC-05-2

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]


Distribution


Approval


1 Introduction

[Organization Name] treats the security of its information assets and those of its customers very seriously and has established a Privacy Information Management System (PIMS) which conforms to the ISO/IEC 27701 international standard for privacy. One of the key attributes of an effective PIMS is a clear allocation of roles, each with defined responsibilities and authorities. Each of these roles needs to be allocated either at the organization level, or to specific individuals or groups within the organization.

It is vital that everyone within the organization understands how they fit into the PIMS and the part they must play in keeping the information we are responsible for safe. This document should be read in conjunction with others that set out how the PIMS operates, including:

• Privacy Context, Requirements and Scope

• Privacy Information Management System Manual

By ensuring that roles, responsibilities and authorities are clearly defined we will be in a good position to prevent many incidents affecting personally identifiable information (PII) from happening and to react effectively and appropriately if they do.

We also need to be very clear about how the responsibilities for operating in a cloud service environment are split. This avoids the situation where misunderstandings lead to areas such as backups, monitoring or vulnerability management not being addressed by either party.


2 Privacy roles of the organization

[Note – Clause 4.1 of the ISO/IEC 27701 standard requires that the organization determine whether it is acting as a PII controller, joint PII controller and/or a PII processor within the context of its PIMS. Therefore, the roles in this section should be included or excluded accordingly.]

[Organization Name] undertakes the following roles as an organization in compliance with relevant privacy legislation. These roles are not allocated to a specific individual within the organization.

2.1 PII controller

[Organization Name] acts in the role of a controller of PII with respect to a number of areas of its processing, including:

• As an employer

• As a provider of goods and services to its customers

• In order to comply with relevant legislation

• [List additional ways in which the organization acts as a controller of PII]

In the role of PII controller, [Organization Name] generally has the following responsibilities (depending on the legislation that is relevant in a specific case):

• Ensure that the principles relating to processing of personal data are adhered to and be able to demonstrate compliance with them. In summary, these are to ensure that PII is:

o Processed lawfully, fairly and transparently

o Collected for specified, explicit and legitimate purposes

o Adequate, relevant and limited to what is necessary

o Accurate and, where necessary, kept up to date

o Kept in a form which permits identification of data subjects for no longer than is necessary

o Processed in a manner that ensures appropriate security

• Ensure that the consent of the PII principal to processing of PII is obtained where appropriate, including parental consent for children

• Provide all the information required under the relevant legislation to the PII principal in a concise, transparent, intelligible and easily accessible form, using clear and plain language

• Facilitate the exercise of PII principal rights under the relevant legislation and keep the PII principal informed of the progress of their request

• Implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the applicable laws


• Ensure that only processors which provide sufficient guarantees to implement appropriate technical and organizational measures, meeting the relevant legislation and protecting PII, are used

• Maintain a record of processing activities related to PII which fall under the controller’s responsibility

• Cooperate, on request, with the supervisory authority in the performance of its tasks

• Ensure that any person acting under the authority of the controller who has access to PII does not process it except on instructions from the controller

• Notify a PII breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with organizational procedures

• Document any PII breaches, including the facts relating to the breach, its effects and the remedial action taken

• Where appropriate, communicate a PII breach to the PII principal without undue delay

• Carry out privacy impact assessments, where appropriate, in accordance with procedures

• Designate a data protection officer where required by relevant legislation, publish their details and communicate them to the supervisory authority

• Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to PII and processing operations, and to maintain his or her expert knowledge

• Transfer PII to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable PII principal rights and effective legal remedies for PII principals are available

2.2 Joint PII controller

[Organization Name] acts in the role of a joint controller of PII with respect to a number of areas of its processing, including:

• [List specific cases where the organization acts as a joint controller of PII]

In each of these cases, the split of responsibilities between the parties acting as joint controllers has been agreed and formally documented.

2.3 PII processor

[Organization Name] acts in the role of a processor of PII with respect to a number of areas of its processing, including:

• As a provider of goods and services to its customers

• [List additional ways in which the organization acts as a processor of PII]

In the role of PII processor, [Organization Name] generally has the following responsibilities (depending on the legislation that is relevant in a specific case):

• Ensure that all processing of PII is governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of PII and categories of PII principals and the obligations and rights of the controller

• Process the PII only on documented instructions from the controller, including regarding transfers of PII to a third country or an international organization

• Ensure that persons authorised to process the PII have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of PII

• Obtain the prior specific or general written authorisation of the controller before engaging another processor

• Assist the controller in the fulfilment of the controller's obligation to respond to requests for exercising the PII principal’s rights

• Delete or return all the PII to the controller after the end of the provision of services relating to processing

• Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in relevant legislation and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller

• Maintain a record of all categories of processing activities carried out on behalf of a controller

• Cooperate, on request, with the supervisory authority in the performance of its tasks

• Ensure that any person acting under the authority of the processor who has access to PII does not process it except on instructions from the controller

• Notify the controller without undue delay after becoming aware of a PII breach

• Designate a data protection officer where required by relevant legislation, publish their details and communicate them to the supervisory authority

• Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to PII and processing operations, and to maintain his or her expert knowledge


3 Privacy roles within the organization

Within the PIMS the following major privacy-related roles are defined and allocated to one or more individuals:

• Top Management

• PIMS Manager

• PII Asset Owner

• Privacy Risk Owner

• Data Protection Officer

• Team Leader

• Team Member

• Internal Auditor

[Note that the titles of these roles and the split of responsibilities are not dictated by the ISO/IEC 27701 standard, so you may use different ones if desired.]

The specific responsibilities and authorities of each of these roles are set out in later sections of this document.

In general, responsibilities that apply to all employees, contractors and other interested parties are set out within the relevant organizational policies.


3.1 PIMS Organization chart

A subset of the organization chart showing the relevant privacy-related roles is shown below.

Figure 1: PIMS Organization chart (roles shown: Top Management; PIMS Manager; PII Asset Owner; Privacy Risk Owner; Data Protection Officer; Team Leaders; Team Members; Internal Auditor)

[Explain the main parts of the structure and any relevant information such as geographical location, upcoming changes, part-time positions etc.]

3.2 PIMS responsibility matrix

Overall responsibility for the management of the various parts of the ISO/IEC 27701 standard is shown in the following RACI table. This defines the type of responsibility of each role in each area according to whether the listed role is:

• R: Responsible

• A: Accountable

• C: Consulted

• I: Informed


Table 1: RACI chart

These responsibilities are expanded on further within the rest of this document.

3.3 Top management

3.3.1 Members

The group is made up of members of the top management team and will as a minimum include the following roles:

• Chief Executive Officer (CEO)

• Chief Operating Officer (COO)

• Chief Financial Officer (CFO)

• Chief Information Officer (CIO)

• Chief Technology Officer (CTO)

• Chief Marketing Officer (CMO)

Further members may be nominated by existing members on an as-needed basis.

3.3.2 Responsibilities

Top management has the following responsibilities:

• Establish and maintain the PIMS policy, objectives and plans

• Communicate the importance of meeting the objectives and the need for continual improvement throughout the organization


• Maintain an awareness of business needs and major changes

• Ensure that privacy requirements are determined and are met with the aim of minimizing risk and maintaining effective controls for [Organization Name] and for our customers

• Determine and provide resources to plan, implement, monitor, review and improve privacy management e.g. recruit appropriate staff, manage staff turnover

• Oversee the management of privacy risks to the organization and its services

• Conduct management reviews of privacy, at planned intervals, to ensure continuing suitability, adequacy and effectiveness

• Select auditors and ensure that internal audits are conducted in an objective and impartial manner

• Establish a continual improvement policy with respect to privacy for [Organization Name]

• Review major privacy-related incidents

• Ensure that arrangements that involve external organizations having access to information systems and services are based on a formal agreement that defines all necessary privacy requirements

3.3.3 Authorities

Top management has the authority to:

• Approve significant expenditure on privacy-related matters

• Recruit additional resources for the management of privacy

• Approve high-level policies for privacy

• Initiate high-level incident management actions

3.4 PIMS manager

The PIMS Manager is the primary role with a dedicated focus on privacy and related issues.

3.4.1 Responsibilities

The PIMS Manager has the following responsibilities:

• Ensure that the PIMS conforms to the requirements of the ISO/IEC 27701 standard

• Report to top management on all privacy-related matters, including the performance of the PIMS, on a regular basis and on an ad-hoc basis when required

• Communicate the privacy policy to all relevant interested parties where appropriate, including customers

• Implement the requirements of the privacy policy


• Manage risks associated with access to PII

• Ensure that controls are in place and documented

• Quantify and monitor the types, volumes and impacts of incidents

• Define improvement plans and targets for the financial year

• Monitor achievement against targets

• Establish and maintain a continual improvement action list

• Report on improvement activities

• Identify and manage privacy-related incidents according to a process

• Attend management review meetings on a regular basis

3.4.2 Authorities

The PIMS Manager has the authority to:

• Declare major privacy-related incidents

• Approve limited expenditure on privacy-related matters

• Review the operation of controls within all business areas

3.5 PII asset owner

The PII Asset Owner has primary operational responsibility for one or more PII assets as defined in the [Organization Name] Information Asset Inventory.

[Note: This is a minor role that is likely to be carried out by multiple people with day-to-day operational roles, such as team leaders.]

3.5.1 Responsibilities

The PII Asset Owner has the following responsibilities:

• Responsible for specific, named information assets

• Maintain and review privacy controls for allocated asset(s)

• Participate in risk assessments concerning their asset(s)

• Ensure the relevant entry in the asset inventory is kept up to date

3.5.2 Authorities

The PII Asset Owner has the authority to:


• Implement controls with regard to the PII assets under their control

3.6 Privacy risk owner

The Privacy Risk Owner has primary responsibility for managing one or more privacy risks as defined in the [Organization Name] Risk Treatment Plan.

[Note: This is a minor role that is likely to be carried out by multiple people with day-to-day operational roles, such as team leaders.]

3.6.1 Responsibilities

The Privacy Risk Owner has the following responsibilities:

• Responsible for the monitoring and management of specific risks to privacy

• Maintain and review privacy controls that treat the managed risk(s)

• Participate in assessments concerning the risk(s) for which they are the owner

• Liaise with the owner(s) of the PII asset(s) affected by the risk(s) they own

3.6.2 Authorities

The Privacy Risk Owner has the authority to:

• Escalate to management where one or more of their risks is not adequately addressed

• Approve the level of residual risk after treatment actions have been identified in the Risk Treatment Plan

3.7 Data protection officer

The Data Protection Officer is a required appointment in line with applicable data protection legislation (for example the EU General Data Protection Regulation) and has specific responsibilities for the protection of PII.

3.7.1 Responsibilities

The Data Protection Officer has the following responsibilities:


• Inform and advise the data controller or the processor and the employees who carry out processing of their obligations under applicable data protection law

• Monitor compliance with data protection law and with the policies of the data controller or processor in relation to the protection of PII

• Assign responsibilities, raise awareness and train staff involved in the processing of PII, and carry out the related audits

• Provide advice where requested regarding privacy impact assessments and monitor their performance

• Cooperate with all relevant supervisory authorities for data protection

• Act as the contact point for supervisory authorities on issues relating to PII processing and consult with them, where appropriate, on any other matter

• Act as a point of contact for use by cloud service customers regarding the processing of PII under relevant contract(s)

3.7.2 Authorities

The Data Protection Officer has the authority to:

• Take decisions regarding data subject requests allowable under the relevant data protection legislation

• Represent the organization to supervisory authorities with regard to data protection issues

• Represent the organization to cloud service customers with regard to data protection issues

3.8 Team leaders

Team Leaders may be heads or supervisors of operational units within the organization.

3.8.1 Responsibilities

A Team Leader has the following responsibilities:

• Review and manage employee competencies and training needs to enable them to perform their role effectively within the privacy area

• Ensure that employees are aware of the relevance and importance of their activities and how they contribute to the achievement of privacy objectives

3.8.2 Authorities


A Team Leader has the authority to:

• Arrange training and awareness activities for the employees under their direction, within budget constraints

• Take action to prevent a privacy incident from occurring or escalating, where possible

3.9 Team members

The responsibilities of Team Members are defined in a variety of organization-wide policies, such as the Acceptable Use Policy, and are only summarized in brief below.

3.9.1 Responsibilities

A Team Member has the following main responsibilities:

• Ensure they are aware of and comply with all privacy policies of the organization relevant to their business role

• Report any actual or potential privacy breaches

• Contribute to risk assessment where required

3.9.2 Authorities

A Team Member has the authority to:

• Take action to prevent a privacy incident from occurring or escalating, where possible

3.10 Internal auditor

The Internal Auditor fulfils the internal audit requirements of the ISO/IEC 27701 standard and is generally responsible for checking that the PIMS is effectively implemented and maintained.

3.10.1 Responsibilities

The Internal Auditor has the following responsibilities:

• Plan, establish, implement and maintain an audit programme including the frequency, methods, responsibilities, planning requirements and reporting

• Define the audit criteria and scope for each audit

• Conduct internal audits at planned intervals

• Ensure the audit process is objective and impartial

• Report the results of audits to relevant management

• Retain documented information as evidence of the audit programme and the audit results

3.10.2 Authorities

The Internal Auditor has the authority to:

• Investigate privacy-related procedures and controls in order to assess their suitability and effectiveness

• Report findings to relevant management


4 Information security roles

With respect to the information security controls used within the PIMS the following major roles are defined and allocated:

• Chief Information Security Officer

• Information Security Administrator

• Customer Information Security Administrator (CSPs only)

[Note: It is up to the organization to decide which roles to have in its PIMS and what to call them. No specifics are mandated by the ISO/IEC 27701 standard.]

4.1 Chief information security officer

The Chief Information Security Officer is the primary role with a dedicated focus on information security and related issues.

4.1.1 Responsibilities

The Chief Information Security Officer has the following responsibilities:

• Report to top management on all security-related matters on a regular basis and on an ad-hoc basis when required

• Communicate the information security policy to all relevant interested parties where appropriate, including customers

• Implement the requirements of the information security policy

• Manage risks associated with access to the service or systems

• Ensure that security controls are in place and documented

• Quantify and monitor the types, volumes and impacts of security incidents and malfunctions

• Define improvement plans and targets for the financial year

• Monitor achievement against targets

• Establish and maintain a continual improvement action list

• Report on improvement activities

• Identify and manage information security incidents according to a process

• Attend management review meetings on a regular basis

• Liaise with Cloud Service Customer representatives on information security-related matters


4.1.2 Authorities

The Chief Information Security Officer has the authority to:

• Declare information security incidents

• Approve limited expenditure on information security-related matters

• Review the operation of controls within all business areas

4.2 Information security administrator

The Information Security Administrator is a technical role involved in the implementation and maintenance of many of the controls used to manage risk.

[Note: This role may not be required in a smaller organization.]

4.2.1 Responsibilities

The Information Security Administrator has the following responsibilities:

• Ensure that security controls are in place and documented

• Manage the day-to-day maintenance of controls, including:

o Access control (user account lifecycle)

o Testing and implementing security patches

o Vulnerability scanning

o Software operation e.g. IDS, IPS, firewalls, DLP

o System and network hardening

o Remote access

o Cryptographic key management

o Log management

• Identify and manage information security incidents according to a process

4.2.2 Authorities

The Information Security Administrator has the authority to:

• Take action to prevent an information security incident from occurring or escalating, where possible

• Maintain information security records in accordance with defined policies and procedures


4.3 Customer information security administrator

[Note: This role is primarily relevant to organizations that operate as Cloud Service Providers (CSPs).]

The Customer Information Security Administrator is a role involved in the implementation and maintenance of many of the controls used to manage risk on behalf of the cloud service customer. This role may be split between one or more employees of the cloud service customer, who make use of facilities provided as part of our cloud service offering (such as access control, user registration and data restoration) to manage the information security aspects of the service received by the customer’s users.

4.3.1 Responsibilities

The Customer Information Security Administrator has the following responsibilities within the context of the cloud services provided to the customer by [Organization Name]:

[You will need to tailor this list according to the types of cloud services you provide and the split of responsibilities you decide upon.]

• Define information security requirements for the cloud service

• Assess and manage risk with regard to the customer cloud environment

• Ensure that available and appropriate security controls are in place and documented within the customer cloud environment

• Manage the day-to-day maintenance of provided controls that relate to the customer’s specific cloud environment, including:

o Software as a Service (SaaS)

▪ Access control to cloud services, functions and data

▪ User registration and deregistration

▪ Multi-factor authentication

▪ Management of secret authentication information (e.g. passwords)

▪ Log management

▪ Information labelling

▪ Capacity monitoring

o Platform as a Service (PaaS)

▪ Vulnerability scanning

▪ Software operation e.g. IDS, IPS, malware protection, firewalls

▪ System and network hardening

▪ Remote access

▪ Cryptographic key management

▪ Backup and recovery, including testing

▪ Clock synchronization

o Infrastructure as a Service (IaaS)

▪ Installation and configuration of virtual servers


▪ Testing and implementing security patches

▪ Virtual network configuration

• Liaise with the cloud service provider regarding changes it is carrying out to the cloud environment

• Identify and manage information security events and incidents according to a process

4.3.2 Authorities

The Customer Information Security Administrator has the authority to:

• Perform technical activities as defined within the scope of the cloud service agreed

• Take action to prevent an information security incident from occurring or escalating, where possible

• Maintain information security records in accordance with defined policies and procedures
