ISO 27701:2019
Privacy Information Management
Systems
SELF ASSESSMENT CHECKLIST
ISO 27701:2019 Privacy Information Management Systems | www.cas.com.au |1300 495 855
CONTEXT
THE ORGANISATION
☐ Have we determined and documented our role as PII Controller and/or Processor?
SCOPE
☐ Have we included the processing of PII in our ISMS scope?
INTERESTED PARTIES
☐ Have we determined the internal and external issues that will impact on our Privacy Information Management System (including applicable legislation, judicial decisions, organizational context, contractual requirements etc.)?
PLANNING
RISK AND OPPORTUNITIES
☐ Have we applied our information security risk assessment process to identify risks associated with the confidentiality, integrity, and availability of PII and other information?
☐ Have we ensured the relationship between information security and PII protection is appropriately managed?
☐ When assessing the applicability of control objectives from Annex A, have we considered both risks to information security and risks related to the processing of PII?
WHAT ARE THE BENEFITS OF CERTIFICATION?
Winning New Business
This certification will entice potential clients to your business, giving your company an edge over the competition.
Retaining Customers
Current customers will have reassurance that their information is secured.
INFORMATION SECURITY POLICIES
☐ Have we considered our commitment to achieving compliance to applicable PII
regulations in our Privacy Policies and our contractual agreements?
☐ Have we produced a statement (either in existing policies or as a standalone policy)
concerning support for and commitment to achieving compliance with applicable PII
protection legislation /regulations and with any contractual obligations?
ORGANISATION OF INFORMATION SECURITY
INTERNAL ORGANISATION
☐ Have we designated a point of contact for the customer with regards to their PII?
☐ Have we developed and implemented an organisation-wide governance and privacy
program for staff to understand and comply with applicable privacy regulations?
☐ Have we appointed at least one person to be responsible for the maintenance of the governance and privacy program, and are they aware of their responsibilities?
HUMAN RESOURCE SECURITY
☐ Have we made relevant staff aware of incident reporting and the consequences to themselves, the
organisation and the PII principal in the case of a breach of privacy or security?
ASSET MANAGEMENT
☐ Has our information classification system explicitly considered PII, where it is stored and the systems through which it can flow?
☐ Are we documenting any use of removable media and/or devices used for the storage of PII?
☐ Are we disposing of PII on removable media such that it will no longer be accessible?
ACCESS CONTROL
☐ Do we have documented procedures for registration and de-registration of
users who administer or operate systems that process PII?
WHAT ARE THE BENEFITS OF CERTIFICATION?
Knowledge
An in-depth knowledge of the current and potential security threats that could severely undermine your business.
Confidence
Knowing that your processes to address your regulatory and legal obligations are appropriate.
CRYPTOGRAPHIC CONTROLS
☐ Do we communicate to our customers the circumstances in which cryptography is used to protect PII?
PHYSICAL AND ENVIRONMENTAL SECURITY
☐ Are we ensuring that when storage space is re-assigned, any previously stored PII is no longer accessible?
☐ Are we restricting the production of hard copy material including PII to the minimum?
Powerful Marketing Tool
Certification may help you win new clients, enter new markets, or put you in a different league to that of your competitors.
Processes and Strategies
Improved processes and strategies are one of the benefits of having an information security management system certification.
OPERATIONS SECURITY
BACKUP
☐ Do we have a documented policy that includes the requirements for backup, recovery and restoration of PII, and that is communicated and available to all relevant staff?
☐ Do we have responsibilities in relation to communicating with customers about PII backup and restoration?
☐ Do we have external obligations with respect to backup, and are we compliant with them?
☐ Do we have processes in place to ensure PII is restored to a state where integrity can be assured?
☐ Do we have processes in place to identify incompleteness/inaccuracy and to resolve this?
☐ Is there a procedure for, and a log of, PII restoration efforts?
☐ Are we able to document and demonstrate all of our compliance with external obligations in relation to restoring log content?
☐ Do we have a process to review event logs, either using continuous automated monitoring and alerting processes or manually?
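One way to make "restored to a state where integrity can be assured" demonstrable rather than asserted, as an added Python example that is not part of this checklist or of CAS's material: at backup time record a SHA-256 digest of every file in the set in a manifest, authenticate the manifest with an HMAC under a key held outside the backup medium, and have the restore step refuse anything that does not match. The file names, contents and key below are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample "backup set": filename -> bytes. In practice these are
# the files read back from the backup medium during a restore.
BACKUP_SET = {
    "customers.csv": b"id,email\n1,alice@example.com\n2,bob@example.com\n",
    "consents.json": b'{"1": "marketing", "2": "none"}\n',
}

# Assumed: a manifest-signing key kept apart from the backup medium (e.g. in a
# KMS), so whoever can alter the backup cannot also re-sign its manifest.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def build_manifest(files: dict, key: bytes) -> dict:
    """Record the SHA-256 of every file at backup time and HMAC the record."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "hmac": tag}


def verify_restore(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of problems found; an empty list means the restored set is
    byte-for-byte what was backed up and the manifest itself is authentic."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged digest list must be rejected before any per-file check.
        return ["manifest HMAC mismatch: manifest may have been altered"]
    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected extra file: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    print("clean restore:", verify_restore(BACKUP_SET, manifest, MANIFEST_KEY))
    tampered = dict(BACKUP_SET, **{"customers.csv": b"id,email\n1,mallory@example.com\n"})
    print("tampered restore:", verify_restore(tampered, manifest, MANIFEST_KEY))
```

A plain list of hashes stored beside the backup is not enough: whoever can change the backup can rewrite the list. Authenticating the manifest under a key the medium never holds closes that gap, and the returned list of problems is exactly the entry the restoration log above asks for.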
FOR PII PROCESSORS ONLY
☐ Do we have a documented set of criteria that defines if, when
and how log information can be made available to the customer?
☐ Have we put controls in place to ensure customers can only
access their own logs and not that of others?
PROTECTION OF LOG INFORMATION
☐ Have we put controls in place to ensure log information is used only as intended?
☐ Have we put in place a procedure (preferably automatic) to ensure logged information is either deleted or de-identified?
COMMUNICATIONS SECURITY
INFORMATION TRANSFER
☐ Have we put procedures in place to ensure that rules regarding PII are enforced throughout the
organisation?
CONFIDENTIALITY OR NON-DISCLOSURE AGREEMENTS
☐ Do we ensure everyone with access to PII signs and agrees to a non-disclosure agreement or similar?
SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
SECURING APPLICATION SERVICES ON PUBLIC NETWORKS
☐ Do we ensure that PII is only transmitted over trusted networks, or where it must be transmitted over untrusted networks that it is encrypted?
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
☐ Do our system development and design policies consider PII needs based on local regulations?
☐ Do our policies contribute to privacy by design and privacy by default, and consider the following aspects:
    ☐ Guidance on PII protection through the software development cycle
    ☐ Privacy and PII protection requirements in the design phase, which can be based on the risk assessment
    ☐ PII protection checkpoints and milestones
    ☐ Required privacy knowledge
    ☐ Minimize PII processing by default
SECURE SYSTEMS ENGINEERING PRINCIPLES
☐ Are our systems and components involved in the processing of PII designed in alignment with local privacy regulations?
TEST DATA
☐ How do we ensure that PII is not used for testing purposes?
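The test data question above and the "deleted or de-identified" log procedure under Protection of Log Information (and the "delete or de-identify PII" item in Annex A 7.4) come down to one mechanism: replacing PII with a token before the data reaches a test environment or a long-lived log store. As an added Python example, not from this checklist or from CAS, the block below tokenises PII with a keyed HMAC: the same value always maps to the same token, so log correlation and test-data joins still work, but the original cannot be recovered without the key. The key, regular expressions, log lines and records are constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumed: a pseudonymisation key held outside both the log pipeline and the
# test environment; without it the tokens cannot be reversed. Constructed here.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Assumed PII patterns for the demo: e-mail addresses and IPv4 addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed, one-way token: stable for a given value (so two log lines about
    the same user still correlate) but not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def deidentify_log_line(line: str) -> str:
    """Replace e-mail and IPv4 addresses in one log line with labelled tokens."""
    line = EMAIL_RE.sub(lambda m: "email:" + pseudonym(m.group(0)), line)
    return IPV4_RE.sub(lambda m: "ip:" + pseudonym(m.group(0)), line)


def make_test_dataset(records: list, pii_fields: set) -> list:
    """Copy of production records with the PII columns tokenised, for use in
    test environments; non-PII columns are kept so tests see realistic shapes."""
    return [
        {k: (pseudonym(str(v)) if k in pii_fields else v) for k, v in rec.items()}
        for rec in records
    ]


# Constructed sample log lines and records (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z login ok user=alice@example.com src=203.0.113.7",
    "2024-05-01T10:00:05Z login fail user=alice@example.com src=198.51.100.9",
]
SAMPLE_RECORDS = [
    {"id": 1, "email": "alice@example.com", "plan": "pro"},
    {"id": 2, "email": "bob@example.com", "plan": "free"},
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(deidentify_log_line(entry))
    for rec in make_test_dataset(SAMPLE_RECORDS, {"email"}):
        print(rec)
```

Using a keyed HMAC rather than a bare hash matters: an unkeyed SHA-256 of an e-mail address is reversible by anyone with a list of candidate addresses, so it would not count as de-identification. Rotating the key severs the link between old and new tokens, which is the lever to pull when the retention period for correlating logs ends.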
SUPPLIER RELATIONSHIPS
ADDRESSING SECURITY WITHIN SUPPLIER AGREEMENTS
☐ Do we specify in supplier agreements whether PII is processed, and the minimum protection measures
the supplier needs to meet?
INFORMATION SECURITY INCIDENT MANAGEMENT
RESPONSIBILITIES AND PROCEDURES
☐ Have we established responsibilities and procedures for identification and recording of PII breaches
that take into consideration local privacy regulation, as part of our overall information security incident
management procedures?
For PII Processors:
☐ Do provisions covering the notification of a breach form part of the contract with our customer?
☐ Does the contract specify how this information should be provided?
☐ Are there obligations to notify the PII controller of a breach?
☐ Do we have processes for recording the following details of a breach?
☐ Description
☐ Time Period
☐ Consequence
☐ Who reported it
☐ To whom it was reported
☐ How it was resolved
☐ Description of the loss/unavailability of PII
☐ Does the record include a description of the PII compromised?
☐ Do we have a process to record all notifications to the customer and/or regulatory agencies?
COMPLIANCE
IDENTIFICATION OF APPLICABLE LEGISLATION AND CONTRACTUAL REQUIREMENTS
☐ Have we identified any legal consequences that can arise from noncompliance with privacy regulations related to the processing of PII?
PROTECTION OF RECORDS
☐ Do we retain historical copies of our privacy policies and associated procedures for the time specified by our local privacy regulations?
INDEPENDENT REVIEW OF INFORMATION SECURITY
☐ Do we have an independent third party contracted to conduct audits on our information security to ensure it is implemented and operated in accordance with our policies and procedures?
TECHNICAL COMPLIANCE REVIEW
☐ Have we implemented methods of reviewing tools and components related to processing PII?
ANNEX A
Additional Guidance for PII Controllers
7.2 Conditions for collecting and processing
☐ Documented legality & purposes for data collection
☐ Documented processes for obtaining consent from the PII principal
☐ Roles and responsibilities of any joint PII controller(s)
7.3 Obligations to PII Principals
☐ Documented legal, regulatory, and business obligations to PII principals
☐ Method by which the PII Principal can access, correct and/or erase data, modify or withdraw consent or object to processing, and have changes communicated to any third parties
☐ Ability to provide a copy of processed data to the PII Principal on request
☐ Documented policies and procedures on handling legitimate PII Principal requests
7.4 Privacy by design and privacy by default
☐ Limit data collection and processing to only what information is relevant and necessary
☐ Documented data minimisation objectives and mechanisms to meet those objectives
☐ Delete or de-identify PII upon completion of processing, and only retain PII for as long as necessary
☐ Documented policies and procedures for secure disposal of PII
7.5 PII sharing, transfer and disclosure
☐ Documented justification for the transfer of PII between jurisdictions, as well as which countries and international organisations PII may be transferred to
☐ Record transfers of PII between third parties
CONTACT US FOR ANY ENQUIRIES
1300 495 855 | info@cas.com.au
ANNEX B
Additional Guidance for PII Processors
8.2 Conditions for collecting and processing
☐ The contract to process PII addresses our role in providing assistance with the customer's obligations
☐ Ensure PII is only processed for the purposes expressed by the customer, and inform the customer if a processing instruction infringes any applicable legislation and/or regulation
☐ Document and maintain records in support of demonstrating compliance with the obligations specified in the contract
8.3 Obligations to PII Principals
☐ Provide the customer with the means to comply with obligations related to PII principals
☐ Provide PII Principals with the appropriate information relating to the processing of their PII
8.4 Privacy by design and privacy by default
☐ Temporary files created as a result of the processing of PII are disposed of securely
☐ Documented policy on secure return, transfer, and disposal of PII, available to the customer
☐ Controls in place for the transmission of PII to ensure the information reaches the intended destination
8.5 PII sharing, transfer and disclosure
☐ Obligation to inform the customer of the justification for any intended transfers between jurisdictions, giving the customer the option to object
☐ Maintain records of what PII has been disclosed to third parties, as well as to whom and when
☐ Obligation to notify the customer of any legally binding requests for PII to be disclosed
☐ Reject non-legally binding requests for disclosure of PII, or consult the customer before disclosing PII
☐ Disclose any use of subcontractors to the customer, engage subcontractors in accordance with the agreement with the customer, and inform the customer of intended changes regarding the use of subcontractors, giving the customer the option to object
SO WHAT NOW?
Contact us for a quick quote to get a better idea of
costs and timings. Visit our website.
www.cas.com.au