u/Anas5667

ISO/IEC 27701 (SoA) Applicability

Regarding ISO 27701 controls, I would like a simple clarification on when each control should be marked as Applicable and when it should be marked as Not Applicable (N/A).

Please note that I act as a PII Controller for employee data and client contract data. I also act as a PII Processor for my solution, which is hosted on cloud infrastructure.

Please provide a simple and clear explanation of when each control should be applied and when it should be marked as “Not Applicable,” from the list below. Thank you.

A.1 - Control objectives and controls for PII controllers (Employee Data and )

A.1.2.4 Determine when and how consent is to be obtained
A.1.2.5 Obtain and record consent
A.1.2.7 Contracts with PII processors
A.1.2.8 Joint PII controller
A.1.3.5 Providing mechanism to modify or withdraw consent
A.1.3.11 Automated decision making

----

A.2 - Control objectives and controls for PII processors

A.2.2.4 Marketing and advertising use
A.2.2.5 Infringing instruction

reddit.com
u/Anas5667 — 6 days ago
▲ 8 r/soc2

Hello everyone,

I am currently in the process of building policies and starting to collect evidence manually, due to the high cost of GRC tools.

I would like to ask if there is any checklist or any guidance that can help in collecting evidence for the following TSC (Security, Confidentiality, and Availability).

Also, what is the expected frequency for providing this evidence over a 6-month period?

For context, we are ISO/IEC 27001 and ISO 22301 certified, and we already have SIEM and PAM in place. All our operations are running on cloud platforms (AWS and Azure).

Additionally, if some controls are managed through workflows in a ticketing system, is this considered sufficient evidence from an audit perspective?

Thank you in advance for your support.

reddit.com
u/Anas5667 — 26 days ago
▲ 2 r/soc2

Hello 👋🏻

When starting to draw a data flow diagram, what are the key points I should focus on?

Thanks 😊

reddit.com
u/Anas5667 — 1 month ago