Please note: This sample shows only a section of the complete Gap Assessment tool.

ISO/IEC 27701 Gap Assessment Tool (PIMS-FORM-00-3)

Terms used:
PIMS: Privacy Information Management System
ISMS: Information Security Management System
Privacy Information Management: Requirements

05. PIMS-specific requirements related to ISO/IEC 27001

| AREA/SECTION | SUB-SECTION | ISO/IEC 27701 REQUIREMENTS | REQS MET? | ACTION NEEDED TO MEET REQ | ACTION OWNER |
|---|---|---|---|---|---|
| 5.1 General | | Has the term "information security" been extended to read "information security and privacy" in all relevant documentation? | Yes | | |
| | | Totals: | 1 | | |
| 5.2 Context of the organization | 5.2.1 Understanding the organization and its context | Has the organization defined whether it is a PII controller and/or processor? | Yes | | |
| | | Have additional external and internal factors relevant to the PIMS been identified? | Yes | | |
| | 5.2.2 Understanding the needs and expectations of interested parties | Has the list of interested parties been updated to include those relevant to the PIMS? | Yes | | |
| | 5.2.3 Determining the scope of the information security management system | Is the processing of PII now included in the scope of the PIMS? | Yes | | |
| | 5.2.4 Information security management system | Is a PIMS in place, in addition to an ISMS? | Yes | | |
| | | Totals: | 5 | | |
| 5.3 Leadership (no requirements) | | | | | |
| 5.4 Planning | 5.4.1 Actions to address risks and opportunities | Has the risk assessment process been extended to cover risks associated with the processing of PII? | Yes | | |
| | | Have the controls from Annex A of ISO/IEC 27001 been updated to relate to PII also? | Yes | | |
| | | Has the Statement of Applicability been extended to cover the additional controls from ISO/IEC 27701 Annex A and B? | Yes | | |
| | | Totals: | 3 | | |
| 5.5 Support (no requirements) | | | | | |
| 5.6 Operation (no requirements) | | | | | |
| 5.7 Performance evaluation (no requirements) | | | | | |
| 5.8 Improvement (no requirements) | | | | | |
ISO/IEC 27701 Gap Assessment dashboard

To refresh chart data, click on "Refresh All" on the Data ribbon.

Gap assessment results

| AREA OF STANDARD | REQS IN SECTION | NO OF REQS MET | PERCENTAGE CONFORMANT |
|---|---|---|---|
| 5.1 General | 1 | 1 | 100% |
| 5.2 Context of the organization | 5 | 5 | 100% |
| 5.3 Leadership (no requirements) | | | |
| 5.4 Planning | 3 | 3 | 100% |
| 5.5 Support (no requirements) | | | |
| 5.6 Operation (no requirements) | | | |
| 5.7 Performance evaluation (no requirements) | | | |
| 5.8 Improvement (no requirements) | | | |
| 7.2 Conditions for collection and processing | 8 | 8 | 100% |
| 7.3 Obligations to PII principals | 10 | 10 | 100% |
| 7.4 Privacy by design and privacy by default | 9 | 9 | 100% |
| 7.5 PII sharing, transfer, and disclosure | 4 | 4 | 100% |
| 8.2 Conditions for collection and processing | 6 | 6 | 100% |
| 8.3 Obligations to PII principals | 1 | 1 | 100% |
| 8.4 Privacy by design and privacy by default | 3 | 3 | 100% |
| 8.5 PII sharing, transfer, and disclosure | 8 | 8 | 100% |
| Total | 58 | 58 | 100% |

[Radar chart: "Percentage level of conformity to the ISO/IEC 27701 standard". Axes are the areas of the standard listed in the table above (5.1 to 5.8, 7.2 to 7.5, 8.2 to 8.5); scale 0% to 100%; each plotted area shows 100%.]
[Bar chart: "Level of conformity to the ISO/IEC 27701 standard". Series: NO OF REQS MET and REQS IN SECTION, plotted per area of the standard (5.1 to 5.8, 7.2 to 7.5, 8.2 to 8.5); count axis 0 to 10, with data labels showing PERCENTAGE CONFORMANT (0% for the "no requirements" areas, 100% for every assessed area). Values match the Gap assessment results table.]