The key changes in ISO/IEC FDIS 27701
INTRODUCTION
ISO/IEC 27701 is an international standard for privacy information management systems (PIMS) published by ISO.
The first edition was released in 2019 (i.e., ISO/IEC 27701:2019) as an extension to ISO/IEC 27001 and ISO/IEC 27002. As a result of this approach, an organization must obtain ISO/IEC 27001 certification before it can be ISO/IEC 27701 certified. In addition, the PIMS scope must be the same as, or within, the ISMS scope. Another reason for having to certify to ISO/IEC 27001 first is to ensure that personally identifiable information (PII), being an important information asset of an organization, is also covered by information security governance and controls that protect its confidentiality, integrity and availability.
ISO/IEC 27701:2019 was written based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013. In 2022, the latter two standards were replaced by ISO/IEC 27001:2022 and ISO/IEC 27002:2022, respectively, with significant changes in the Annex A controls (read our ISO/IEC 27001 and ISO/IEC 27002 whitepapers for the key changes).
Following the release of ISO/IEC 27001:2022 in October 2022, ISO/IEC initiated the revision of ISO/IEC 27701:2019 in the same month.
After considering comments from the user community on the first edition, ISO redrafted the standard as a stand-alone document. It is at the Final Draft International Standard (FDIS) stage as of the writing of this whitepaper. Ultimately, the approved FDIS will be registered as ISO/IEC 27701:2025 and will supersede ISO/IEC 27701:2019.
This article compares the changes in ISO/IEC FDIS 27701 with ISO/IEC 27701:2019.
TITLE
ISO/IEC FDIS 27701 is retitled to Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance.
The title change reflects that ISO/IEC FDIS 27701 no longer has an extension relationship with ISO/IEC 27001 and ISO/IEC 27002.
| ISO/IEC FDIS 27701 | ISO/IEC 27701:2019 |
| :--- | :--- |
| Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance | Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines |
STRUCTURE & REQUIREMENTS
As aforementioned, ISO/IEC FDIS 27701 is redrafted as a stand-alone document. It applies the high-level structure developed by ISO to improve alignment with other ISO management system standards, e.g., ISO 9001, ISO/IEC 20000-1, ISO/IEC 27001, ISO/IEC 42001, etc.
Consequently, an organization does not need to be ISO/IEC 27001 certified as a condition of attaining ISO/IEC 27701 certification.
ISO/IEC FDIS 27701 Clauses 4 to 10 set out the requirements of the Privacy Information Management System (PIMS). An organization claiming conformity to the document must demonstrate that it conforms to all of these requirements; no exclusion is allowed.
In ISO/IEC 27701:2019, only Clause 5 consists of PIMS requirements; Clauses 6 to 8 are implementation guidance that an organization can choose to implement as appropriate.
TABLE 1 at the end of this whitepaper maps the clauses of ISO/IEC FDIS 27701 to those of ISO/IEC 27701:2019.
SECURITY OF PII
Although ISO/IEC FDIS 27701 is no longer an extension of ISO/IEC 27001, the security of PII is not abandoned in the new edition.
According to Clauses 6.1.2 (Privacy risk assessment) and 6.1.3 (Privacy risk treatment), an organization needs to identify the privacy risks associated with the protection of privacy, and the information security risks, within the scope of the privacy information management system, and subsequently treat those risks by identifying and documenting the information security programme implemented with the appropriate security controls.
In Clause 6.1.3, 15 security elements are suggested to be addressed in the information security programme: information security risk management and 14 security domains. ISO/IEC 27001 and ISO/IEC 27002 are referenced in Clause 6.1.3, Note 2.
In ISO/IEC FDIS 27701 Annex A, 29 possible information security controls are listed for PII controllers and PII processors.
ANNEXES A AND B
Like ISO/IEC 27001, ISO/IEC FDIS 27701 Annex A contains a list of possible privacy controls.
Generally, the controls and control objectives remain unchanged compared with ISO/IEC 27701:2019. The information security controls that had additional implementation guidance in ISO/IEC 27701:2019 Clause 6 are moved to ISO/IEC FDIS 27701 Annex A.
Annex A is comprised of three tables. Table A.1 contains controls applicable to PII controllers, Table A.2 contains controls applicable to PII processors, and Table A.3 contains information security controls applicable to both PII controllers and PII processors. In summary, there are 31 controls for PII controllers, 18 controls for PII processors, and 29 controls for both PII controllers and PII processors.
Some ISO/IEC 27001 practitioners believe that the ISO/IEC 27001 Annex A controls are exhaustive and that no additional information security controls can be included in the ISMS. To prevent ISO/IEC FDIS 27701 implementers from forming a similar understanding, ISO/IEC FDIS 27701 Clause 6.1.3 states: "The privacy controls listed in Annex A are not exhaustive and additional privacy controls can be included if needed."
As the title suggests, ISO/IEC FDIS 27701 contains implementation guidance for privacy and information security controls. The guidance is in Annex B (normative) Implementation guidance for PII controllers and PII processors. The word "normative" seems to imply that the selected controls must be implemented according to the guidance in Annex B.
Nevertheless, ISO/IEC FDIS 27701 Clause 6.1.3 h) clarifies that an organization need only consider the guidance in Annex B as a reference for the implementation of controls.
In terms of content, there are no significant changes to the implementation guidance compared with ISO/IEC 27701:2019 Clauses 6 to 8, except for some minor editorial updates.
TABLE 2 maps the controls and implementation guidance of ISO/IEC FDIS 27701 to those of ISO/IEC 27701:2019.
NOTE ON CERTIFICATION AND TRANSITION TO THE 2ND EDITION
Organizations seeking new certification, and certified organizations seeking to upgrade to the 2nd edition, should consult their certification body regarding the latest certification arrangements and deadlines. As of the writing of this whitepaper, the certification and transition rules for the 2nd edition have not yet been released. Historically, the certification and transition rules are released within 1-2 months after the release of the standard. The accreditation bodies will then adopt these rules, with or without additional requirements imposed by the respective accreditation body.
SUMMARY
On 19 Dec 2024, ISO/IEC FDIS 27701 was registered for formal approval. Next, an 8-week FDIS ballot will be initiated before the new edition is officially launched to supersede ISO/IEC 27701:2019. SGS will keep on top of the development of the standard and of the certification and transition rules, and will keep our clients and the certification community abreast of the transition plan to the new edition of ISO/IEC 27701 as soon as it comes out.
TABLE 1
The table below maps the ISO/IEC FDIS 27701 clauses to those of ISO/IEC 27701:2019 to illustrate the structural change of the new edition.
| ISO/IEC FDIS 27701 | Title | ISO/IEC 27701:2019 | Title | REMARK |
| :--- | :--- | :--- | :--- | :--- |
| Clause 1 | Scope | Clause 1 | Scope | - Removed "...in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization." in the FDIS <br> - Removed the condition of requiring an organization to be a PII controller and/or PII processor processing PII within an ISMS |
| Clause 2 | Normative references | Clause 2 | Normative references | - Removed ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 in the FDIS |
| Clause 3 | Terms, definitions and abbreviations | Clause 3 | Terms, definitions and abbreviations | - Removed the application of the terms and definitions in ISO/IEC 27000 <br> - Added management system terms and definitions, e.g., organization, top management, policy, etc. <br> - Added standard-specific terms and definitions, e.g., customer, information security programme, statement of applicability |
| / | / | Clause 4.2 | Structure of this document | / |
| | | Clause 4.3 | Application of ISO/IEC 27002:2013 guidelines | Removed in the FDIS |
| | | Clause 4.4 | Customer | The definition of "customer" is retained in ISO/IEC FDIS 27701 Clause 4.2. |
| Clause 4 | Context of the organization | Clause 5.2 | Context of the organization | / |
| Clause 4.1 | Understanding the organization and its context | Clause 5.2.1 | Understanding the organization and its context | - Included the climate change requirement: "The organization shall determine whether climate change is a relevant issue." |
| Clause 4.2 | Understanding the needs and expectations of interested parties | Clause 5.2.2 | Understanding the needs and expectations of interested parties | - Included the climate change note: "Relevant interested parties can have requirements related to climate change." <br> - Added standard-specific requirements: <br> - Parties having interests or responsibilities associated with the processing of PII shall be determined as interested parties, including the PII principals <br> - The definition of "customer" in PIMS |
| Clause 4.3 | Determining the scope of the privacy information management system | Clause 5.2.3 | Determining the scope of the information security management system | - Removed the note "The determination of the scope of the PIMS can require revising the scope of the information security management system, because of the extended interpretation of 'information security' according to 5.1." |
| Clause 4.4 | Privacy information management system | Clause 5.2.4 | Information security management system | - Removed the requirement that the PIMS shall be developed in accordance with ISO/IEC 27001:2013 Clauses 4 to 10 |
| Clause 5 | Leadership | Clause 5.3 | Leadership | / |
| Clause 5.1 | Leadership & commitment | Clause 5.3.1 | Leadership & commitment | / |
| Clause 5.2 | Privacy Policy | Clause 5.3.2 | Policy | / |
| Clause 5.3 | Roles, responsibilities and authorities | Clause 5.3.3 | Organizational roles, responsibilities & authorities | / |
| Clause 6 | Planning | Clause 5.4 | Planning | / |
| Clause 6.1 | Actions to address risks and opportunities | Clause 5.4.1 | Actions to address risks and opportunities | / |
| Clause 6.1.1 | General | Clause 5.4.1.1 | General | / |
| Clause 6.1.2 | Privacy risk assessment | Clause 5.4.1.2 | Information security risk assessment | / |
| Clause 6.1.3 | Privacy risk treatment | Clause 5.4.1.3 | Information security risk treatment | |
| Clause 6.2 | Privacy objectives and planning to achieve them | Clause 5.4.2 | Information security objectives and planning to achieve them | / |
| ISO/IEC FDIS 27701 | Title | ISO/IEC 27701:2019 | Title | REMARK |
| :--- | :--- | :--- | :--- | :--- |
| Clause 7 | Support | Clause 5.5 | Support | / |
| Clause 7.1 | Resources | Clause 5.5.1 | Resources | / |
| Clause 7.2 | Competence | Clause 5.5.2 | Competence | / |
| Clause 7.3 | Awareness | Clause 5.5.3 | Awareness | / |
| Clause 7.4 | Communication | Clause 5.5.4 | Communication | / |
| Clause 7.5 | Documented information | Clause 5.5.5 | Documented information | / |
| Clause 7.5.1 | General | Clause 5.5.5.1 | General | / |
| Clause 7.5.2 | Creating and updating documented information | Clause 5.5.5.2 | Creating and updating | / |
| Clause 7.5.3 | Control of documented information | Clause 5.5.5.3 | Control of documented information | / |
| Clause 8 | Operation | Clause 5.6 | Operation | / |
| Clause 8.1 | Operational planning and control | Clause 5.6.1 | Operational planning and control | / |
| Clause 8.2 | Privacy risk assessment | Clause 5.6.2 | Information security risk assessment | / |
| Clause 8.3 | Privacy risk treatment | Clause 5.6.3 | Information security risk treatment | / |
| Clause 9 | Performance | Clause 5.7 | Performance evaluation | / |
| Clause 9.1 | Monitoring, measurement, analysis and evaluation | Clause 5.7.1 | Monitoring, measurement, analysis and evaluation | - Excluded two points that are commonly seen in other management system standards: <br> - Who shall monitor and measure <br> - Who shall analyse and evaluate these results |
| Clause 9.2 | Internal audit | Clause 5.7.2 | Internal audit | / |
| Clause 9.2.1 | General | | | / |
| Clause 9.2.2 | Internal audit programme | | | / |
| Clause 9.3 | Management review | Clause 5.7.3 | Management review | / |
| Clause 9.3.1 | General | | | / |
| Clause 9.3.2 | Management review inputs | | | - Excluded three points that are commonly seen in other management system standards: <br> - Fulfilment of objectives <br> - Feedback from interested parties <br> - Results of risk assessment and status of risk treatment plan |
| Clause 9.3.3 | Management review results | | | / |
| Clause 10 | Improvement | Clause 5.8 | Improvement | / |
| Clause 10.1 | Continual improvement | Clause 5.8.2 | Continual improvement | / |
| Clause 10.2 | Nonconformity and corrective action | Clause 5.8.1 | Nonconformity and corrective action | / |
| Annex A (normative) | PIMS reference control objectives and controls for PII Controllers and PII Processors | / | / | / |
| Table A.1 | Control objectives and controls for PII controllers | Annex A (normative) | PIMS-specific reference control objectives and controls (PII Controllers) | - The controls and control objectives remain unchanged, with minor editorial changes to two controls <br> - Total 31 controls for PII controllers |
| Table A.2 | Control objectives and controls for PII processors | Annex B (normative) | PIMS-specific reference control objectives and controls (PII Processors) | - The controls and control objectives remain unchanged, with: <br> - Minor editorial changes to several controls <br> - Renamed control "Obligations to PII principals" to "Comply with obligations to PII principals" <br> - Total 18 controls for PII processors |
| Table A.3 | Control objectives and controls for PII controllers and PII processors | Clause 6 | PIMS-specific guidance related to ISO/IEC 27002 | - Table A.3 is a list of non-exclusive information security controls for PII controllers and PII processors <br> - Total 29 information security controls <br> - The information security controls with additional implementation guidance in ISO/IEC 27701:2019 Clause 6 are extracted to the table <br> - Minor editorial changes to two controls |
| Clause 9.2 | Internal audit | Clause 5.7.2 | Internal audit | / |
| Clause 9.2.1 | General | | | / |
| Clause 9.2.2 | Internal audit programme | | | / |
| Clause 9.3 | Management review | Clause 5.7.3 | Management review | / |
| Clause 9.3.1 | General | | | / |
| Clause 9.3.2 | Management review inputs | | | - Excluded three points that are commonly seen in other management system standards: <br> - Fulfilment of objectives <br> - Feedback from interested parties <br> - Results of risk assessment and status of risk treatment plan |
| Clause 9.3.3 | Management review results | | | / |
| Clause 10 | Improvement | Clause 5.8 | Improvement | / |
| Clause 10.1 | Continual improvement | Clause 5.8.2 | Continual improvement | / |
| Clause 10.2 | Nonconformity and corrective action | Clause 5.8.1 | Nonconformity and corrective action | / |
| Annex A (normative) | PIMS reference control objectives and controls for PII Controllers and PII Processors | / | / | / |
| Table A.1 | Control objectives and controls for PII controllers | Annex A (normative) | PIMS-specific reference control objectives and controls (PII Controllers) | - The controls and control objectives remain unchanged with minor editorial changes to two controls <br> - Total 31 controls for PII controllers |
| Table A.2 | Control objectives and controls for PII processors | Annex B (normative) | PIMS-specific reference control objectives and controls (PII Processors) | - The controls and control objectives remain unchanged with: <br> - Minor editorial changes to several controls <br> - Renamed control "Obligations to PII principals" to "Comply with obligations to PII principals" <br> - Total 18 controls for PII processors |
| Table A.3 | Control objectives and controls for PII controllers and PII processors | Clause 6 | PIMS-specific guidance related to ISO/IEC 27002 | - Table A.3 is a list of non-exclusive information security controls for PII controllers and PII processors <br> - Total 29 information security controls <br> - The information security controls with additional implementation guidance in ISO/IEC 27701:2019 Clause 6 are extracted to the table <br> - Minor editorial changes to two controls |
| Annex B (normative) | Implementation guidance for PII Controllers and PII processors | / | / | / |
| B.2 | Implementation guidance for PII controllers and PII processors | Clause 8 | PIMS-specific guidance related to ISO/IEC 27002 | - The implementation |
| Annex C (informative) | Mapping to ISO/IEC 29100 | Annex C (informative) | Mapping to ISO/IEC 29100 | / |
| Annex D (informative) | Mapping to the General Data Protection Regulation | Annex D (informative) | Mapping to the General Data Protection Regulation | / |
| Annex E (informative) | Mapping to ISO/IEC 27018 and ISO/IEC 29151 | Annex E (informative) | Mapping to ISO/IEC 27018 and ISO/IEC 29151 | / |
| Annex F (informative) | Correspondence with ISO/IEC 27701:2019 | / | / | New Annex |
| / | / | Annex F (informative) | How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002 | Removed |
TABLE 2
Mapping the controls and implementation guidance for PII controllers to ISO/IEC 27701:2019
| ISO/IEC FDIS 27701 | | | ISO/IEC 27701:2019 | | |
| :--- | :--- | :--- | :--- | :--- | :--- |
| CONTROL | | IMPLEMENTATION GUIDANCE | CONTROL | | IMPLEMENTATION GUIDANCE |
| | Conditions for collection and processing | B.1.2 | A.7.2 | Conditions for collection and processing | Clause 7.2 |
| A.1.2.2 | Identify and document purpose | B.1.2.2 | A.7.2.1 | Identify and document purpose | Clause 7.2.1 |
| A.1.2.3 | Identify lawful basis | B.1.2.3 | A.7.2.2 | Identify lawful basis | Clause 7.2.2 |
| A.1.2.4 | Determine when and how consent is to be obtained | B.1.2.4 | A.7.2.3 | Determine when and how consent is to be obtained | Clause 7.2.3 |
| A.1.2.5 | Obtain and record consent | B.1.2.5 | A.7.2.4 | Obtain and record consent | Clause 7.2.4 |
| A.1.2.6 | Privacy impact assessment | B.1.2.6 | A.7.2.5 | Privacy impact assessment | Clause 7.2.5 |
| A.1.2.7 | Contracts with PII processors | B.1.2.7 | A.7.2.6 | Contracts with PII processors | Clause 7.2.6 |
| A.1.2.8 | Joint PII controller | B.1.2.8 | A.7.2.7 | Joint PII controller | Clause 7.2.7 |
| A.1.2.9 | Records related to processing PII | B.1.2.9 | A.7.2.8 | Records related to processing PII | Clause 7.2.8 |
| | Obligations to PII principals | B.1.3 | A.7.3 | Obligations to PII principals | Clause 7.3 |
| A.1.3.2 | Determining and fulfilling obligations to PII principals | B.1.3.2 | A.7.3.1 | Determining and fulfilling obligations to PII Principals | Clause 7.3.1 |
| A.1.3.3 | Determining information for PII principals | B.1.3.3 | A.7.3.2 | Determining information for PII principals | Clause 7.3.2 |
| A.1.3.4 | Providing information to PII principals | B.1.3.4 | A.7.3.3 | Providing information to PII principals | Clause 7.3.3 |
| A.1.3.5 | Providing mechanism to modify or withdraw consent | B.1.3.5 | A.7.3.4 | Providing mechanism to modify or withdraw consent | Clause 7.3.4 |
| A.1.3.6 | Providing mechanism to object to PII processing | B.1.3.6 | A.7.3.5 | Providing mechanism to object to PII processing | Clause 7.3.5 |
| A.1.3.7 | Access, correction or erasure | B.1.3.7 | A.7.3.6 | Access, correction and/or erasure | Clause 7.3.6 |
| A.1.3.8 | PII controllers' obligations to inform third parties | B.1.3.8 | A.7.3.7 | PII controllers' obligations to inform third parties | Clause 7.3.7 |
| A.1.3.9 | Providing copy of PII processed | B.1.3.9 | A.7.3.8 | Providing copy of PII processed | Clause 7.3.8 |
| A.1.3.10 | Handling requests | B.1.3.10 | A.7.3.9 | Handling requests | Clause 7.3.9 |
| A.1.3.11 | Automated decision making | B.1.3.11 | A.7.3.10 | Automated decision making | Clause 7.3.10 |
| | Privacy by design and privacy by default | B.1.4 | A.7.4 | Privacy by design and privacy by default | Clause 7.4 |
| A.1.4.2 | Limit collection | B.1.4.2 | A.7.4.1 | Limit collection | Clause 7.4.1 |
| A.1.4.3 | Limit processing | B.1.4.3 | A.7.4.2 | Limit processing | Clause 7.4.2 |
| A.1.4.4 | Accuracy and quality | B.1.4.4 | A.7.4.3 | Accuracy and quality | Clause 7.4.3 |
| A.1.4.5 | PII minimization objectives | B.1.4.5 | A.7.4.4 | PII minimization objectives | Clause 7.4.4 |
| A.1.4.6 | PII de-identification and deletion at the end of processing | B.1.4.6 | A.7.4.5 | PII de-identification and deletion at the end of processing | Clause 7.4.5 |
| A.1.4.7 | Temporary files | B.1.4.7 | A.7.4.6 | Temporary files | Clause 7.4.6 |
| A.1.4.8 | Retention | B.1.4.8 | A.7.4.7 | Retention | Clause 7.4.7 |
| A.1.4.9 | Disposal | B.1.4.9 | A.7.4.8 | Disposal | Clause 7.4.8 |
| A.1.4.10 | PII transmission controls | B.1.4.10 | A.7.4.9 | PII transmission controls | Clause 7.4.9 |
| | PII sharing, transfer and disclosure | B.1.5 | A.7.5 | PII sharing, transfer and disclosure | Clause 7.5 |
| A.1.5.2 | Identify basis for PII transfer between jurisdictions | B.1.5.2 | A.7.5.1 | Identify basis for PII transfer between jurisdictions | Clause 7.5.1 |
| A.1.5.3 | Countries and international organizations to which PII can be transferred | B.1.5.3 | A.7.5.2 | Countries and international organizations to which PII can be transferred | Clause 7.5.2 |
| A.1.5.4 | Records of transfer of PII | B.1.5.4 | A.7.5.3 | Records of transfer of PII | Clause 7.5.3 |
| A.1.5.5 | Records of PII disclosures to third parties | B.1.5.5 | A.7.5.4 | Records of PII disclosures to third parties | Clause 7.5.4 |
Mapping the controls and implementation guidance for PII processors to ISO/IEC 27701:2019
| ISO/IEC FDIS 27701 | | | ISO/IEC 27701:2019 | | |
| :--- | :--- | :--- | :--- | :--- | :--- |
| CONTROL | | IMPLEMENTATION GUIDANCE | CONTROL | | IMPLEMENTATION GUIDANCE |
| | Conditions for collection and processing | B.2.2 | B.8.2 | Conditions for collection and processing | Clause 8.2 |
| A.2.2.2 | Customer agreement | B.2.2.2 | B.8.2.1 | Customer agreement | Clause 8.2.1 |
| A.2.2.3 | Organization's purposes | B.2.2.3 | B.8.2.2 | Organization's purposes | Clause 8.2.2 |
| A.2.2.4 | Marketing and advertising use | B.2.2.4 | B.8.2.3 | Marketing and advertising use | Clause 8.2.3 |
| A.2.2.5 | Infringing instruction | B.2.2.5 | B.8.2.4 | Infringing instruction | Clause 8.2.4 |
| A.2.2.6 | Customer obligations | B.2.2.6 | B.8.2.5 | Customer obligations | Clause 8.2.5 |
| A.2.2.7 | Records related to processing PII | B.2.2.7 | B.8.2.6 | Records related to processing PII | Clause 8.2.6 |
| | Obligations to PII principals | B.2.3 | B.8.3 | Obligations to PII principals | Clause 8.3 |
| A.2.3.2 | Comply with obligations to PII principals | B.2.3.2 | B.8.3.1 | Obligations to PII principals | Clause 8.3.1 |
| | Privacy by design and privacy by default | B.2.4 | B.8.4 | Privacy by design and privacy by default | Clause 8.4 |
| A.2.4.2 | Temporary files | B.2.4.2 | B.8.4.1 | Temporary files | Clause 8.4.1 |
| A.2.4.3 | Return, transfer or disposal of PII | B.2.4.3 | B.8.4.2 | Return, transfer or disposal of PII | Clause 8.4.2 |
| A.2.4.4 | PII transmission controls | B.2.4.4 | B.8.4.3 | PII transmission controls | Clause 8.4.3 |
| | PII sharing, transfer and disclosure | B.2.5 | B.8.5 | PII sharing, transfer and disclosure | Clause 8.5 |
| A.2.5.2 | Basis for PII transfer between jurisdictions | B.2.5.2 | B.8.5.1 | Basis for PII transfer between jurisdictions | Clause 8.5.1 |
| A.2.5.3 | Countries and international organizations to which PII can be transferred | B.2.5.3 | B.8.5.2 | Countries and international organizations to which PII can be transferred | Clause 8.5.2 |
| A.2.5.4 | Records of PII disclosures to third parties | B.2.5.4 | B.8.5.3 | Records of PII disclosures to third parties | Clause 8.5.3 |
| A.2.5.5 | Notification of PII disclosure requests | B.2.5.5 | B.8.5.4 | Notification of PII disclosure requests | Clause 8.5.4 |
| A.2.5.6 | Legally binding PII disclosures | B.2.5.6 | B.8.5.5 | Legally binding PII disclosures | Clause 8.5.5 |
| A.2.5.7 | Disclosure of subcontractors used to process PII | B.2.5.7 | B.8.5.6 | Disclosure of subcontractors used to process PII | Clause 8.5.6 |
| A.2.5.8 | Engagement of a subcontractor to process PII | B.2.5.8 | B.8.5.7 | Engagement of a subcontractor to process PII | Clause 8.5.7 |
| A.2.5.9 | Change of subcontractor to process PII | B.2.5.9 | B.8.5.8 | Change of subcontractor to process PII | Clause 8.5.8 |
Mapping the controls and implementation guidance for PII controllers and PII processors to ISO/IEC 27701:2019 and ISO/IEC 27002:2022
| ISO/IEC FDIS 27701 | | ISO/IEC 27701:2019 | | ISO/IEC 27002:2022 | |
| :--- | :--- | :--- | :--- | :--- | :--- |
| A.3.3 | Policies for information security | Clause 6.2.1.1 | Policies for information security | Clause 5.1 | Policies for information security |
| | | Clause 6.2.1.2 | Review of the policies for information security | | |
| A.3.4 | Information security roles and responsibilities | Clause 6.3.1.1 | Information security roles and responsibilities | Clause 5.2 | Information security roles and responsibilities |
| A.3.5 | Classification of information | Clause 6.5.2.1 | Classification of information | Clause 5.12 | Classification of information |
| A.3.6 | Labelling of information | Clause 6.5.2.2 | Labelling of information | Clause 5.13 | Labelling of information |
| A.3.7 | Information transfer | Clause 6.10.2.1 | Information transfer policies and procedures | Clause 5.14 | Information transfer |
| | | Clause 6.10.2.2 | Agreements for information transfer | | |
| | | Clause 6.10.2.3 | Electronic messaging | | |
| A.3.8 | Identity management | Clause 6.6.2.1 | User registration and de-registration | Clause 5.16 | Identity management |
| A.3.9 | Access rights | Clause 6.6.2.2 | User access provisioning | Clause 5.18 | Access rights |
| | | Clause 6.6.2.5 | Review of user access rights | | |
| | | Clause 6.6.2.6 | Removal or adjustment of access rights | | |
| A.3.10 | Addressing information security within supplier agreements | Clause 6.12.1.1 | Information security policy for supplier relationships | Clause 5.20 | Addressing information security within supplier agreements |
| | | Clause 6.12.1.2 | Addressing security within supplier agreements | | |
| A.3.11 | Information security incident management planning and preparation | Clause 6.13.1.4 | Assessment of and decisions on information security events | Clause 5.24 | Information security incident management planning and preparation |
| A.3.12 | Response to information security incidents | Clause 6.13.1.5 | Response to information security incidents | Clause 5.26 | Response to information security incidents |
| A.3.13 | Legal, statutory, regulatory and contractual requirements | Clause 6.15.1.1 | Identification of applicable legislation and contractual requirements | Clause 5.31 | Legal, statutory, regulatory and contractual requirements |
| | | Clause 6.15.1.5 | Regulation of cryptographic controls | | |
| A.3.14 | Protection of records | Clause 6.15.1.3 | Protection of records | Clause 5.33 | Protection of records |
| A.3.15 | Independent review of information security | Clause 6.15.2.1 | Independent review of information security | Clause 5.35 | Independent review of information security |
| A.3.16 | Compliance with policies, rules and standards for information security | Clause 6.15.2.2 | Compliance with security policies and standards | Clause 5.36 | Compliance with policies, rules and standards for information security |
| A.3.17 | Information security awareness, education and training | Clause 6.4.2.2 | Information security awareness, education and training | Clause 6.3 | Information security awareness, education and training |
| A.3.18 | Confidentiality or non-disclosure agreements | Clause 6.10.2.4 | Confidentiality or non-disclosure agreements | Clause 6.6 | Confidentiality or non-disclosure agreements |
| A.3.19 | Clear desk and clear screen | Clause 6.8.2.9 | Clear desk and clear screen policy | Clause 7.7 | Clear desk and clear screen |
| A.3.20 | Storage media | Clause 6.5.3.1 | Management of removable media | Clause 7.10 | Storage media |
| | | Clause 6.5.3.2 | Disposal of media | | |
| | | Clause 6.5.3.3 | Physical media transfer | | |
| | | Clause 6.8.2.5 | Removal of assets | | |
| A.3.21 | Secure disposal or re-use of equipment | Clause 6.8.2.7 | Secure disposal or re-use of equipment | Clause 7.14 | |
Secure disposal or re-use of equipment 設備的安全處置或再利用
A.3.22
User endpoint devices 使用者端點設備
Clause 6.3.2.1 條款 6.3.2.1
Mobile device policy 行動裝置政策
Clause 8.1 條款 8.1
User endpoint devices 使用者端點裝置
Clause 6.8.2.8 條款 6.8.2.8
Unattended user equipment 無人看管的使用者設備
A.3.23
Secure authentication 安全驗證
Clause 6.6.4.2 條款 6.6.4.2
Secure log-on procedures 安全登入程序
Clause 8.5 第 8.5 條款
Secure authentication 安全驗證
A.3.24
Information backup 資訊備份
Clause 6.9.3.1 條款 6.9.3.1
Information backup 資訊備份
Clause 8.13 條款 8.13
Information backup 資訊備份
A.3.25
Logging 記錄
Clause 6.9.4.1 條款 6.9.4.1
Event logging 事件記錄
Clause 8.15 條款 8.15
Logging 記錄
Clause 6.9.4.2 條款 6.9.4.2
Protection of log information 日誌資訊的保護
Clause 6.9.4.3 條款 6.9.4.3
Administrator and operator logs 管理員與操作員日誌
ISO/IEC FDIS 27701 ISO/IEC 27701:2019 ISO/IEC 27002:2022
A.3.3 Policies for information security Clause 6.2.1.1 Conditions for collection & processing Clause 5.1 Policies for information security
Clause 6.2.1.2 Identify and document purpose
A.3.4 Information security roles and responsibilities Clause 6.3.1.1 Information security roles and responsibilities Clause 5.2 Information security roles and responsibilities
A.3.5 Classification of information Clause 6.5.2.1 Classification of information Clause 5.12 Classification of information
A.3.6 Labelling of information Clause 6.5.2.1 Labelling of information Clause 5.13 Labelling of information
A.3.7 Information transfer Clause 6.10.2.1 Information transfer policies and procedures Clause 5.14 Information transfer
Clause 6.10.2.2 Agreements for information transfer
Clause 6.10.2.3 Electronic messaging
A.3.8 Identity management Clause 6.6.2.1 User registration and de-registration Clause 5.16 Identity management
A.3.9 Access rights Clause 6.6.2.2 User access provisioning Clause 5.18 Access rights
Clause 6.6.2.5 Review of user access rights
Clause 6.6.2.6 Removal or adjustment of access rights
A.3.10 Addressing information security within supplier agreements Clause 6.12.1.1 Information security policy for supplier relationships Clause 5.20 Addressing information security within supplier agreements
Clause 6.12.1.2 Addressing security within supplier agreements
A.3.11 Information security incident management planning and preparation Clause 6.13.1.4 Assessment of and decisions on information security events Clause 5.24 Information security incident management planning and preparation
A.3.12 Response to information security incidents Clause 6.13.1.5 Response to information security incidents Clause 5.26 Response to information security incidents
A.3.13 Legal, statutory, regulatory and contractual requirements Clause 6.15.1.1 Identification of applicable legislation and contractual requirements Clause 5.31 Legal, statutory, regulatory and contractual requirements
Clause 6.15.1.5 Regulation of cryptographic controls
A.3.14 Protection of records Clause 6.15.1.3 Protection of records Clause 5.33 Protection of records
A.3.15 Independent review of information security Clause 6.15.2.1 Independent review of information security Clause 5.35 Independent review of information security
A.3.16 Compliance with policies, rules and standards for information security Clause 6.15.2.2 Compliance with security policies and standards Clause 5.36 Compliance with policies, rules and standards for information security
A.3.17 Information security awareness, education and training Clause 6.4.2.2 Information security awareness, education and training Clause 6.3 Information security awareness, education and training
A.3.18 Confidentiality or non-disclosure agreements Clause 6.10.2.4 Confidentiality or non-disclosure agreements Clause 6.6 Confidentiality or non-disclosure agreements
A.3.19 Clear desk and clear screen Clause 6.8.2.9 Clear desk and clear screen policy Clause 7.7 Clear desk and clear screen
A.3.20 Storage media Clause 6.5.3.1 Management of removable media Clause 7.10 Storage media
Clause 6.5.3.2 Disposal of media
Clause 6.5.3.3 Physical media transfer
Clause 6.8.2.5 Removal of assets
A.3.21 Secure disposal or re-use of equipment Clause 6.8.2.7 Secure disposal or re-use of equipment Clause 7.14 Secure disposal or re-use of equipment
A.3.22 User endpoint devices Clause 6.3.2.1 Mobile device policy Clause 8.1 User endpoint devices
Clause 6.8.2.8 Unattended user equipment
A.3.23 Secure authentication Clause 6.6.4.2 Secure log-on procedures Clause 8.5 Secure authentication
A.3.24 Information backup Clause 6.9.3.1 Information backup Clause 8.13 Information backup
A.3.25 Logging Clause 6.9.4.1 Event logging Clause 8.15 Logging
Clause 6.9.4.2 Protection of log information
Clause 6.9.4.3 Administrator and operator logs | ISO/IEC FDIS 27701 | | ISO/IEC 27701:2019 | | ISO/IEC 27002:2022 | |
| :--- | :--- | :--- | :--- | :--- | :--- |
| A.3.3 | Policies for information security | Clause 6.2.1.1 | Conditions for collection & processing | Clause 5.1 | Policies for information security |
| | | Clause 6.2.1.2 | Identify and document purpose | | |
| A.3.4 | Information security roles and responsibilities | Clause 6.3.1.1 | Information security roles and responsibilities | Clause 5.2 | Information security roles and responsibilities |
| A.3.5 | Classification of information | Clause 6.5.2.1 | Classification of information | Clause 5.12 | Classification of information |
| A.3.6 | Labelling of information | Clause 6.5.2.1 | Labelling of information | Clause 5.13 | Labelling of information |
| A.3.7 | Information transfer | Clause 6.10.2.1 | Information transfer policies and procedures | Clause 5.14 | Information transfer |
| | | Clause 6.10.2.2 | Agreements for information transfer | | |
| | | Clause 6.10.2.3 | Electronic messaging | | |
| A.3.8 | Identity management | Clause 6.6.2.1 | User registration and de-registration | Clause 5.16 | Identity management |
| A.3.9 | Access rights | Clause 6.6.2.2 | User access provisioning | Clause 5.18 | Access rights |
| | | Clause 6.6.2.5 | Review of user access rights | | |
| | | Clause 6.6.2.6 | Removal or adjustment of access rights | | |
| A.3.10 | Addressing information security within supplier agreements | Clause 6.12.1.1 | Information security policy for supplier relationships | Clause 5.20 | Addressing information security within supplier agreements |
| | | Clause 6.12.1.2 | Addressing security within supplier agreements | | |
| A.3.11 | Information security incident management planning and preparation | Clause 6.13.1.4 | Assessment of and decisions on information security events | Clause 5.24 | Information security incident management planning and preparation |
| A.3.12 | Response to information security incidents | Clause 6.13.1.5 | Response to information security incidents | Clause 5.26 | Response to information security incidents |
| A.3.13 | Legal, statutory, regulatory and contractual requirements | Clause 6.15.1.1 | Identification of applicable legislation and contractual requirements | Clause 5.31 | Legal, statutory, regulatory and contractual requirements |
| | | Clause 6.15.1.5 | Regulation of cryptographic controls | | |
| A.3.14 | Protection of records | Clause 6.15.1.3 | Protection of records | Clause 5.33 | Protection of records |
| A.3.15 | Independent review of information security | Clause 6.15.2.1 | Independent review of information security | Clause 5.35 | Independent review of information security |
| A.3.16 | Compliance with policies, rules and standards for information security | Clause 6.15.2.2 | Compliance with security policies and standards | Clause 5.36 | Compliance with policies, rules and standards for information security |
| A.3.17 | Information security awareness, education and training | Clause 6.4.2.2 | Information security awareness, education and training | Clause 6.3 | Information security awareness, education and training |
| A.3.18 | Confidentiality or non-disclosure agreements | Clause 6.10.2.4 | Confidentiality or non-disclosure agreements | Clause 6.6 | Confidentiality or non-disclosure agreements |
| A.3.19 | Clear desk and clear screen | Clause 6.8.2.9 | Clear desk and clear screen policy | Clause 7.7 | Clear desk and clear screen |
| A.3.20 | Storage media | Clause 6.5.3.1 | Management of removable media | Clause 7.10 | Storage media |
| | | Clause 6.5.3.2 | Disposal of media | | |
| | | Clause 6.5.3.3 | Physical media transfer | | |
| | | Clause 6.8.2.5 | Removal of assets | | |
| A.3.21 | Secure disposal or re-use of equipment | Clause 6.8.2.7 | Secure disposal or re-use of equipment | Clause 7.14 | Secure disposal or re-use of equipment |
| A.3.22 | User endpoint devices | Clause 6.3.2.1 | Mobile device policy | Clause 8.1 | User endpoint devices |
| | | Clause 6.8.2.8 | Unattended user equipment | | |
| A.3.23 | Secure authentication | Clause 6.6.4.2 | Secure log-on procedures | Clause 8.5 | Secure authentication |
| A.3.24 | Information backup | Clause 6.9.3.1 | Information backup | Clause 8.13 | Information backup |
| A.3.25 | Logging | Clause 6.9.4.1 | Event logging | Clause 8.15 | Logging |
| | | Clause 6.9.4.2 | Protection of log information | | |
| | | Clause 6.9.4.3 | Administrator and operator logs | | |
| ISO/IEC FDIS 27701 | Title | ISO/IEC 27701:2019 | Title | ISO/IEC 27002:2022 | Title |
| :--- | :--- | :--- | :--- | :--- | :--- |
| A.3.26 | Use of cryptography | Clause 6.7.1.1 | Policy on the use of cryptographic controls | Clause 8.24 | Use of cryptography |
| | | Clause 6.7.1.2 | Key management | | |
| A.3.27 | Secure development life cycle | Clause 6.11.2.1 | Secure development policy | Clause 8.25 | Secure development life cycle |
A.3.28
Application security requirements
Clause 6.11.1.2
Securing application services on public networks