ISO 27701 Privacy Information Management System Certification Process
Published: 2020-11-20 22:52
A customer that wants to engage suppliers to process and maintain PII on its behalf should consider contractually requiring those suppliers to comply not only with ISO 27001 but also with ISO 27701, or, where the sensitivity of the data warrants it, to obtain certification against that standard.
Even if the customer does not require the supplier to obtain independent third-party certification against the new standard, it may still want to update its contracts to ensure that the supplier can meet the requirements of ISO 27701. Given that ISO 27701 has only just been published, the contract may also allow the supplier a reasonable period in which to come into compliance with the new standard.
For an organization that is already ISO 27001 certified and wishes to meet the requirements of ISO 27701, Zhonghong Certification Service suggests the following steps:
1. Perform a gap assessment of the existing ISMS against the requirements of ISO 27701 and produce an action plan for closing those gaps.
2. Perform data mapping of the PII the organization collects, to understand the scope of the PII collected and to clarify how processors share and use it.
3. Determine the organization's role as a controller and/or processor based on contextual internal or external factors, such as applicable privacy legislation, regulations, judicial decisions or contractual requirements.
4. Review and update the privacy policy to ensure that it contains the required information.
5. Develop policies and procedures appropriate to the organization's role.
6. Begin planning and implementing the principles of privacy by design and privacy by default.
