PIMS-FORM-06-4 Event-Based Privacy Risk Tool

Implementation Guidance

This Excel sheet must be removed from the final version of the document.

Design

Event-Based Privacy Risk Assessment and Treatment Tool

This spreadsheet has been designed using CertiKit's colour scheme. To choose a different table colour scheme, click in the table, select the Table Design menu tab and choose a different style. The same applies to the drop-down menu "slicers" at the top of the screen. Click in one slicer, then hold down the Shift key and click on the rest, one by one. This will select them all. Then click on the Slicer menu tab and choose a different style. You can also create your own table and slicer styles using your own colour scheme to reflect your organization's branding.

Purpose of this document

This document should be used to perform an event-based risk assessment, including assessing the expected effects of treatments.

Areas of the standard addressed

The following areas of the ISO/IEC 27701 standard are addressed:

6. Planning

6.1 Actions to address risks and opportunities

6.1.2 Privacy risk assessment

6.1.3 Privacy risk treatment

8. Operation

8.2 Privacy risk assessment

8.3 Privacy risk treatment

General guidance

The key objective of the risk assessment is to ensure that all of the serious risks that need treatment are identified so that something can be done about them. Remember that the standard requires you to assess the impact of a risk to both the PII principal and the organization. The risk score is based on the higher of these two impacts. Be careful not to make your risk assessment too large or complicated, as much of the impact will be lost and it will be difficult to repeat at a later date. This tool is also intended to be used to assess the effects of the proposed treatments, so that the level of residual risk can be shown.

If you need to select more than one control for a specific risk, simply list all of the controls in the same cell by copying and pasting them from the Reference Controls tab. Keep track of which risks each control is applied to on the Reference Controls tab. This will help with your Statement of Applicability.
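As an added worked example (not part of the CertiKit tool), the scoring described above carried out in Python: the score uses the higher of the PII principal and organization impacts on the 1-5 scales defined in the Likelihood and Impact tables of this document, the expected effect of treatment is shown as a residual score, and the "RISK(S) USED IN" view of the Reference Controls tab flags controls with no risks against them. The risk IDs, events, ratings, acceptance threshold and the multiplication of likelihood by impact are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
ACCEPTABLE_SCORE = 8  # assumed acceptance criterion: a score of 8 or below needs no treatment

@dataclass
class Risk:
    risk_id: str
    event: str
    likelihood: int          # 1-5 from the Likelihood table
    impact_principal: int    # 1-5 from the Impact on PII Principals table
    impact_org: int          # 1-5 from the Impact on Organization table
    controls: list[str] = field(default_factory=list)  # Annex A references applied
    residual: tuple[int, int, int] | None = None        # expected ratings once treated

def score(likelihood: int, impact_principal: int, impact_org: int) -> int:
    # Likelihood x the higher of the two impacts. The guidance says the score is based
    # on the higher impact; multiplying by likelihood is this example's assumption.
    for v in (likelihood, impact_principal, impact_org):
        if not 1 <= v <= 5:
            raise ValueError(f"rating {v} is outside the 1-5 scale")
    return likelihood * max(impact_principal, impact_org)

def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact_principal, r.impact_org)
def residual_score(r: Risk) -> int:
    # Score after treatment; unchanged when no residual ratings were recorded.
    return score(*r.residual) if r.residual else inherent_score(r)
def needs_treatment(r: Risk) -> bool:
    return inherent_score(r) > ACCEPTABLE_SCORE

def risks_used_in(risks: list[Risk], reference_controls: list[str]) -> dict[str, list[str]]:
    # The 'RISK(S) USED IN' column: every reference control -> sorted IDs of risks using it.
    used: dict[str, list[str]] = {c: [] for c in reference_controls}
    for r in risks:
        for c in r.controls:
            used.setdefault(c, []).append(r.risk_id)
    return {c: sorted(ids) for c, ids in used.items()}

def unused_controls(used: dict[str, list[str]]) -> list[str]:
    # Controls with no risks against them: review whether a risk has been omitted.
    return [c for c, ids in used.items() if not ids]

# Constructed sample register and a subset of the Annex A reference list (not from the page).
SAMPLE_RISKS = [
    Risk("RSK1", "Marketing email sent after consent withdrawn", 3, 2, 4, ["A.1.3.5", "A.1.2.5"], (1, 2, 4)),
    Risk("RSK2", "Backup media holding PII lost in transit", 2, 5, 4, ["A.3.24", "A.3.7", "A.3.26"], (1, 3, 3)),
    Risk("RSK3", "Temporary PII export left on a shared drive", 4, 3, 3, ["A.1.4.7"], (2, 3, 3)),
]
SAMPLE_CONTROLS = ["A.1.2.5", "A.1.3.5", "A.1.4.7", "A.3.7", "A.3.24", "A.3.25", "A.3.26"]
```

With these sample ratings every risk exceeds the assumed threshold before treatment and falls below it afterwards, and A.3.25 shows up as a reference control with no risk against it.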

Review frequency

It is a good idea to revisit this risk assessment on a regular basis and to ensure that new risks that occur are identified and assessed.

Toolkit version number

ISO/IEC 27701 Toolkit Version 2

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Assessment Details

Security Classification [Insert classification]

Risk Assessment Title [Short, descriptive title]

Risk Assessment Scope [Describe the scope of the risk assessment - for example, location, process, assets]

Context of Risk Assessment [Describe the general environment in which the analysis is carried out and internal and external factors affecting it]

Risk Acceptance Criteria [Set out the factors which will make a risk acceptable and therefore not require treatment]

Version [Start at Version 1]

Dated [Date the assessment was carried out]

Risk Assessors [Name and title of person(s) carrying out the risk assessment]

Risk Assessment Participants [Names and titles of people contributing to the risk assessment]

Approval [Name and title of approver]

Date Approved [Date the assessment was approved]

ISO/IEC 27701 Annex A Reference Controls

The following list of reference controls is used within the risk assessment worksheets.

ANNEX A REFERENCE

Annex A - Table A.1 - Control objectives and controls for PII controllers

A.1.2 Conditions for collection and processing

A.1.2.2 Identify and document purpose

A.1.2.3 Identify lawful basis

A.1.2.4 Determine when and how consent is to be obtained

A.1.2.5 Obtain and record consent

A.1.2.6 Privacy impact assessment

A.1.2.7 Contracts with PII processors

A.1.2.8 Joint PII controller

A.1.2.9 Records related to processing PII

A.1.3 Obligations to PII principals

A.1.3.2 Determining and fulfilling obligations to PII principals

A.1.3.3 Determining information for PII principals

A.1.3.4 Providing information to PII principals

A.1.3.5 Providing mechanism to modify or withdraw consent

A.1.3.6 Providing mechanism to object to PII processing

A.1.3.7 Access, correction and/or erasure

A.1.3.8 PII controllers' obligations to inform third parties

A.1.3.9 Providing copy of PII processed

A.1.3.10 Handling requests

A.1.3.11 Automated decision making

A.1.4 Privacy by design and privacy by default

A.1.4.2 Limit collection

A.1.4.3 Limit processing

A.1.4.4 Accuracy and quality

A.1.4.5 PII minimization objectives

A.1.4.6 PII de-identification and deletion at the end of processing

A.1.4.7 Temporary files

A.1.4.8 Retention

A.1.4.9 Disposal

A.1.4.10 PII transmission controls

A.1.5 PII sharing, transfer, and disclosure

A.1.5.2 Identify basis for PII transfer between jurisdictions

A.1.5.3 Countries and international organizations to which PII can be transferred

A.1.5.4 Records of transfer of PII

A.1.5.5 Records of PII disclosure to third parties

Annex A - Table A.2 - Control objectives and controls for PII processors

A.2.2 Conditions for collection and processing

A.2.2.2 Customer agreement

A.2.2.3 Organization’s purposes

A.2.2.4 Marketing and advertising use

A.2.2.5 Infringing instruction

A.2.2.6 Customer obligations

A.2.2.7 Records related to processing PII

A.2.3 Obligations to PII principals

A.2.3.2 Comply with obligations to PII principals

A.2.4 Privacy by design and privacy by default

A.2.4.2 Temporary files

A.2.4.3 Return, transfer or disposal of PII

A.2.4.4 PII transmission controls

A.2.5 PII sharing, transfer, and disclosure

A.2.5.2 Basis for PII transfer between jurisdictions

A.2.5.3 Countries and international organizations to which PII can be transferred

A.2.5.4 Records of PII disclosure to third parties

A.2.5.5 Notification of PII disclosure requests

A.2.5.6 Legally binding PII disclosures

A.2.5.7 Disclosure of subcontractors used to process PII

A.2.5.8 Engagement of a subcontractor to process PII

A.2.5.9 Change of subcontractor to process PII

Annex A - Table A.3 - Control objectives and controls for PII controllers and PII processors

A.3 Security considerations for PII controllers and processors

A.3.3 Policies for information security

A.3.4 Information security roles and responsibilities

A.3.5 Classification of information

A.3.6 Labelling of information

A.3.7 Information transfer

A.3.8 Identity management

A.3.9 Access rights

A.3.10 Addressing information security within supplier agreements

A.3.11 Information security incident management planning and preparation

A.3.12 Response to information security incidents

A.3.13 Legal, statutory, regulatory and contractual requirements

RISK(S) USED IN [e.g. RSK3, RSK14, RSK20]

[Review controls with no risks against them to assess if they should be applicable - have you omitted a risk that would use this control?]

A.3.14 Protection of records

A.3.15 Independent review of information security

A.3.16 Compliance with policies, rules and standards for information security

A.3.17 Information security awareness, education and training

A.3.18 Confidentiality or non-disclosure agreements

A.3.19 Clear desk and clear screen

A.3.20 Storage media

A.3.21 Secure disposal or re-use of equipment

A.3.22 User endpoint devices

A.3.23 Secure authentication

A.3.24 Information backup

A.3.25 Logging

A.3.26 Use of cryptography

A.3.27 Secure development life cycle

A.3.28 Application security requirements

A.3.29 Secure system architecture and engineering principles

A.3.30 Outsourced development

A.3.31 Test information

Likelihood

This table should be used to decide upon the most appropriate likelihood for a particular threat.

LIKELIHOOD | DESCRIPTION | SUMMARY

1 | Improbable | Has never happened before and there is no reason to think it is any more likely now

2 | Unlikely | There is a possibility that it could happen, but it probably won't

3 | Likely | On balance, the risk is more likely to happen than not

4 | Very Likely | It would be a surprise if the risk did not occur, either based on past frequency or current circumstances

5 | Almost certain | Either already happens regularly or there is some reason to believe it is virtually imminent

Impact on PII Principals

This table should be used as guidance to help to decide upon the correct impact rating for a particular risk from the point of view of the PII Principal (based on guidance in ISO/IEC 27557 Annex C). Specific criteria may be defined in each area where this is helpful, for example economic loss may be defined in terms of amounts of money.

IMPACT | DESCRIPTION | SUMMARY

1 | Negligible | The PII principal is unlikely to notice or feel any inconvenience or effect.

2 | Slight | If the PII principal is affected at all, it is a minor inconvenience and causes little disruption.

3 | Limited | PII principals suffer significant inconveniences, but they are surmountable with moderate effort.

4 | Significant | Impacts on PII principals are only overcome with real and serious difficulty.

5 | Maximum | PII principals suffer major and possibly irreversible impacts which may be very difficult or impossible to overcome.

[Define more specific criteria if required.]

Impact on Organization

This table should be used as guidance to help to decide upon the correct impact rating for a particular risk from the point of view of the organization (based on guidance in ISO/IEC 27557 Annex C). Specific criteria may be defined in each area where this is helpful, for example noncompliance costs may be defined in terms of amounts of money.

IMPACT | DESCRIPTION | SUMMARY

1 | Negligible | The PII principal is unlikely to notice or feel any inconvenience or effect.

2 | Slight | If the PII principal is affected at all, it is a minor inconvenience and causes little disruption.

3 | Limited | PII principals suffer significant inconveniences, but they are surmountable with moderate effort.

4 | Significant | Impacts on PII principals are only overcome with real and serious difficulty.

5 | Maximum | PII principals suffer major and possibly irreversible impacts which may be very difficult or impossible to overcome.

[Define more specific criteria if required.]
