# ISO 27701 Security Controls Overlay

> Create the privacy overlay for the 93 ISO 27002:2022 security controls. For each control in the SoA, document what additional privacy-specific implementation is needed per ISO 27701 Clause 6. Covers all four control themes (Organizational, People, Physical, Technological) with privacy augmentation guidance and evidence mapping.



Tags: ISO 27701, Privacy, Controls, ISO 27002, PIMS, Compliance


## Example Prompts

- Create a privacy overlay for our ISO 27002 controls
- Document privacy augmentations for our SoA controls
- Map ISO 27701 Clause 6 requirements to our existing controls

URL: https://rakenne.app/skills/iso27701-security-controls-overlay/index.md

Try this skill: https://rakenne.app/a/?skill=iso27701-security-controls-overlay



## Overview

Create the privacy overlay for the 93 ISO 27002:2022 security controls. For each control in the Statement of Applicability (SoA), this skill documents what additional privacy-specific implementation is needed per ISO 27701 Clause 6. The core pattern is: **base security control + privacy augmentation = PIMS control**. The overlay covers all four control themes (Organizational, People, Physical, Technological) with privacy augmentation guidance and evidence mapping, focusing on the 16 most privacy-relevant controls while ensuring systematic coverage of all themes. Note that ISO 27701:2019 Clause 6 is written against the ISO 27002:2013 control set, so its guidance has to be carried over to the 2022 control numbers; the correspondence table in ISO 27002:2022 Annex B is the reference for that mapping, and the overlay should record which 2013 clause each 2022 augmentation was derived from so an auditor can trace it.

### What It Covers

- **Organizational Controls (A.5.x)** — Privacy augmentations for policies, acceptable use, information classification, transfer safeguards, legal requirements, and PII protection
- **People Controls (A.6.x)** — Privacy-aware screening, privacy training and awareness, NDA obligations covering PII confidentiality
- **Physical Controls (A.7.x)** — Clear desk rules for physical PII, storage media sanitization procedures for PII
- **Technological Controls (A.8.x)** — Privileged access for PII, purpose-based access restriction, PII deletion and erasure, data masking and pseudonymization, DLP for PII exfiltration, PII encryption, and privacy by design in the SDLC
- **Evidence Mapping** — For each augmented control, references to supporting policies, procedures, system configurations, and audit artifacts

## Example Conversation

> **You:** We need to create the privacy controls overlay for MedSecure Health Technologies. We already have an ISO 27001 SoA with all 93 controls implemented. Now we need to add the ISO 27701 privacy augmentations. We're both a controller and processor, so Clause 6 applies to us.
>
> **Agent:** I've loaded your SoA and PIMS scope. Since MedSecure acts as both controller and processor, all Clause 6 augmentations are relevant. Let me work through each control theme and highlight where your existing security controls need privacy enhancements.
>
> Starting with **Organizational Controls**. Your A.5.1 (Policies for information security) is currently implemented with a general information security policy. The privacy augmentation is:
>
> - The policy must explicitly address PII protection, data subject rights, and the organization's privacy commitments
> - Must reference the PIMS scope and applicable privacy regulations (HIPAA, GDPR, LGPD, CCPA)
> - Must define PII handling rules distinct from general information handling
>
> For **A.5.12 (Classification of information)**, you currently classify data as Public/Internal/Confidential/Restricted. The privacy overlay adds:
>
> - A PII sensitivity dimension: PII must be classified by sensitivity level (standard PII, sensitive/special category PII like health data, and critical identifiers like SSN/CPF)
> - Health data from patient processing must be classified as the highest sensitivity level
>
> Moving to **Technological Controls** — this is where the heaviest privacy augmentation happens. Let me highlight **A.8.11 (Data masking)**:
>
> - Your current implementation uses data masking for test environments
> - Privacy augmentation: Implement PII pseudonymization for all non-production environments. Patient health data must be fully anonymized for any analytics use. Employee SSN/CPF must be masked (show last 4 digits only) in all UI displays.
>
> I've now documented all four themes. Let me validate coverage.
>
> `check_controls_overlay_coverage` on `output/Privacy-Controls-Overlay.md`:
>
> ```
> Control themes addressed: 4/4 (Organizational, People, Physical, Technological)
> Distinct control numbers referenced: 24
> Key privacy controls covered: 16/16 (100%)
> Key privacy controls with augmentation: 16/16
>   [OK] A.5.1 — Policies for information security
>   [OK] A.5.10 — Acceptable use of information and other associated assets
>   [OK] A.5.12 — Classification of information
>   [OK] A.5.14 — Information transfer
>   [OK] A.5.31 — Legal, statutory, regulatory and contractual requirements
>   [OK] A.5.34 — Privacy and protection of PII
>   [OK] A.6.1 — Screening
>   [OK] A.6.3 — Information security awareness, education and training
>   [OK] A.7.7 — Clear desk and clear screen
>   [OK] A.8.2 — Privileged access rights
>   [OK] A.8.3 — Information access restriction
>   [OK] A.8.10 — Information deletion
>   [OK] A.8.11 — Data masking
>   [OK] A.8.12 — Data leakage prevention
>   [OK] A.8.24 — Use of cryptography
>   [OK] A.8.25 — Secure development life cycle
> RESULT: PASS
> ```
>
> Full coverage across all themes with privacy augmentation documented for all 16 key controls. The overlay is ready for audit review.

## Sample Output Excerpt

Below is a representative excerpt from the Privacy Controls Overlay showing controls across two themes with the base implementation and privacy augmentation columns.

---

# Privacy Controls Overlay — MedSecure Health Technologies

**Overlay approach:** Base security control + Privacy augmentation = PIMS control
**Organization role:** PII Controller and PII Processor
**Applicable standard:** ISO 27701:2019 Clause 6 mapped to ISO 27002:2022

## Organizational Controls

| Control # | Control Name | Base Implementation (SoA) | Privacy Augmentation (ISO 27701 Clause 6) | Evidence |
|---|---|---|---|---|
| A.5.1 | Policies for information security | Information Security Policy v3.2 approved by CISO. Covers access control, incident response, acceptable use. | Policy updated to explicitly address: PII protection principles, data subject rights (access, erasure, portability), privacy roles (DPO responsibilities), and references HIPAA, GDPR, LGPD, CCPA requirements. Separate PII Handling Procedure published. | ISP v3.2 Section 8 "Privacy"; PII Handling Procedure v1.0 |
| A.5.12 | Classification of information | Four-tier classification: Public, Internal, Confidential, Restricted. Classification guide distributed to all staff. | Added PII sensitivity dimension: Standard PII (contact info), Sensitive PII (health data, biometrics), Critical Identifiers (SSN, CPF). Patient health records classified as Sensitive PII. Classification guide updated with PII examples and handling rules per sensitivity level. | Data Classification Guide v2.0; PII Classification Matrix |
| A.5.14 | Information transfer | TLS 1.3 for all data in transit. SFTP for batch transfers. Email encryption available. | Added PII transfer safeguards: cross-border transfer assessment required before any new PII transfer. SCCs in place for US-EU transfers. Transfer log maintained for all PII transfers to third parties. Prohibition on transferring patient data via email. | Cross-border Transfer Register; SCC agreements with sub-processors |
| A.5.34 | Privacy and protection of PII | Basic privacy notice on website. Cookie consent banner. | Full PIMS implementation: DPO appointed, privacy impact assessments integrated into project lifecycle, data subject request process with 30-day SLA, breach notification procedure (supervisory authority within 72 hours of becoming aware under GDPR; affected individuals without unreasonable delay and no later than 60 days after discovery under the HIPAA Breach Notification Rule), annual privacy training for all staff. | DPO appointment letter; DPIA procedure; DSR process doc; Breach notification runbook |

## Technological Controls

| Control # | Control Name | Base Implementation (SoA) | Privacy Augmentation (ISO 27701 Clause 6) | Evidence |
|---|---|---|---|---|
| A.8.10 | Information deletion | Annual review of data retention. Automated backup expiry after 90 days. | PII-specific deletion: patient data deleted within 30 days of contract termination (automated). Employee data retained 7 years then securely deleted. Data subject erasure requests processed within 30 days with verification of deletion across all live systems; copies in backups age out on the 90-day backup expiry cycle and are excluded from any interim restore. Deletion certificates issued. | Retention schedule; Automated deletion job configs; DSR erasure log |
| A.8.11 | Data masking | Test environments use synthetic data. Production data masked in staging. | PII pseudonymization: patient health data fully anonymized for analytics (k-anonymity, k>=5). Employee SSN/CPF masked to last 4 digits in all UI displays. Non-production environments use synthetic patient data only — no real PII permitted outside production. | Anonymization procedure; Data masking configuration; Synthetic data generation scripts |
| A.8.12 | Data leakage prevention | DLP rules on email gateway. Endpoint DLP on laptops. | PII-specific DLP rules: alerts on bulk PII extraction (>100 records), monitoring for patient health data in unauthorized channels, blocking of PII in chat/messaging tools, quarterly DLP rule review with DPO input. | DLP rule set (PII-specific); Quarterly review minutes |
| A.8.25 | Secure development life cycle | SDLC with security reviews at design and pre-release. SAST/DAST in CI pipeline. | Privacy by design integrated into SDLC: privacy impact assessment required for features handling PII, data minimization review at design phase, consent flow review for new data collection points, privacy test cases in QA. | SDLC privacy checklist; PIA template; Sample PIA for recent release |

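The A.8.11 row above states two measurable targets, k-anonymity with k >= 5 for analytics extracts and last-4-digits masking for SSN/CPF, and its evidence column points at a masking configuration and an anonymization procedure. The Python below is an added example of the release gate an engineer would run to produce that evidence; it is not MedSecure's or the rakenne skill's code. The record layout, the quasi-identifier columns (zip3, birth_year, sex), the decade generalization step and the sample extract are all constructed for this illustration.

```python
"""Release gate for the A.8.11 privacy augmentation: an analytics or
non-production extract must carry no unmasked SSN/CPF and must be k-anonymous
with k >= 5 over its quasi-identifiers. Added illustration, not MedSecure's or
the rakenne skill's code; record layout and quasi-identifier set are assumed."""
import re
from collections import Counter

K_MIN = 5
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")   # assumed generalized columns
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # 123-45-6789
CPF_RE = re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b")  # 123.456.789-09


def mask_identifier(value: str) -> str:
    """UI display rule from the overlay: show only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else value


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifier tuple (0 if empty)."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values()) if classes else 0


def find_unmasked(records) -> list:
    """(row, field, match) for every full SSN/CPF still present in any string field."""
    hits = []
    for i, rec in enumerate(records):
        for name, value in rec.items():
            if isinstance(value, str):
                for rx in (SSN_RE, CPF_RE):
                    hits += [(i, name, m.group()) for m in rx.finditer(value)]
    return hits


def generalize(rec: dict) -> dict:
    """Coarsen birth_year to a decade band, the usual first step to raise k."""
    out = dict(rec)
    out["birth_year"] = f"{int(rec['birth_year']) // 10 * 10}s"
    return out


def scrub(rec: dict) -> dict:
    """Apply the last-4 mask to any SSN/CPF embedded in string fields."""
    out = {}
    for name, value in rec.items():
        if isinstance(value, str):
            for rx in (SSN_RE, CPF_RE):
                value = rx.sub(lambda m: mask_identifier(m.group()), value)
        out[name] = value
    return out


def gate(records) -> dict:
    """Release decision: both the k target and the no-unmasked-identifier rule must hold."""
    k, leaks = k_anonymity(records), find_unmasked(records)
    return {"k": k, "unmasked": leaks, "release": k >= K_MIN and not leaks}


# Constructed extract (pseudonymized patient rows, not real data): eleven
# records, one of which still carries a full SSN in a free-text note.
_ROWS = [("021", 1981, "F", "asthma", ""), ("021", 1984, "F", "asthma", "callback re 123-45-6789"),
         ("021", 1987, "F", "diabetes", ""), ("021", 1982, "F", "asthma", ""),
         ("021", 1989, "F", "diabetes", ""), ("021", 1985, "F", "asthma", ""),
         ("021", 1991, "M", "asthma", ""), ("021", 1993, "M", "diabetes", ""),
         ("021", 1995, "M", "asthma", ""), ("021", 1997, "M", "asthma", ""),
         ("021", 1990, "M", "diabetes", "")]
SAMPLE_EXTRACT = [{"pseudonym": f"p-{i:04d}", "zip3": z, "birth_year": y, "sex": s,
                   "diagnosis": d, "notes": n} for i, (z, y, s, d, n) in enumerate(_ROWS, 1)]

if __name__ == "__main__":
    print("raw extract:", gate(SAMPLE_EXTRACT))
    print("generalized + scrubbed:", gate([scrub(generalize(r)) for r in SAMPLE_EXTRACT]))
```

On the raw extract every (zip3, birth_year, sex) tuple is unique, so k = 1, and one free-text note carries a full SSN; the gate refuses release on both counts. Coarsening birth_year to a decade and scrubbing identifiers in string fields brings the smallest equivalence class to 5 and removes the leak. Two caveats a reviewer of the evidence would raise: free-text fields are where identifiers survive masking configurations that only target named columns, so they must be in scope of the check, and k-anonymity alone does not prevent attribute disclosure when every member of a class shares the same diagnosis; the gate verifies the target the overlay set, not more.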

## Extension Tools

### `check_controls_overlay_coverage`

Validates the overlay document for completeness across all four control themes and checks that the 16 key privacy-relevant controls are addressed with actual privacy augmentation content.

| Check | Severity | What It Validates |
|---|---|---|
| Control themes (4 total) | ERROR per missing theme | All four themes are addressed: Organizational (A.5.x), People (A.6.x), Physical (A.7.x), Technological (A.8.x) |
| Control number references | WARNING if < 10, ERROR if 0 | Specific ISO 27002:2022 control numbers (A.x.x format) are referenced in the document |
| A.5.1 Policies | ERROR if missing | Privacy augmentation for information security policies |
| A.5.10 Acceptable use | ERROR if missing | PII handling rules in acceptable use policy |
| A.5.12 Classification | ERROR if missing | PII sensitivity levels in information classification |
| A.5.14 Information transfer | ERROR if missing | PII transfer safeguards and cross-border transfer controls |
| A.5.31 Legal requirements | ERROR if missing | Privacy legislation referenced in legal compliance |
| A.5.34 Privacy and PII protection | ERROR if missing | Full PIMS implementation requirements |
| A.6.1 Screening | ERROR if missing | PII access consideration in background checks |
| A.6.3 Awareness and training | ERROR if missing | Privacy awareness and data subject rights training |
| A.7.7 Clear desk | ERROR if missing | Physical PII handling in clear desk procedures |
| A.8.2 Privileged access | ERROR if missing | PII access restricted to authorized purposes |
| A.8.3 Access restriction | ERROR if missing | Purpose-based PII access enforcement |
| A.8.10 Information deletion | ERROR if missing | PII retention schedules and erasure requests |
| A.8.11 Data masking | ERROR if missing | PII pseudonymization and anonymization |
| A.8.12 Data leakage prevention | ERROR if missing | PII exfiltration monitoring |
| A.8.24 Cryptography | ERROR if missing | PII encryption requirements |
| A.8.25 Secure development | ERROR if missing | Privacy by design in SDLC |
| Augmentation pattern | WARNING if missing | Document follows the "Base + Privacy augmentation = PIMS control" pattern |
| Evidence references | WARNING if missing | Implementation evidence is referenced for augmented controls |

The tool checks not just that a control number is mentioned, but that privacy-specific keywords (PII, personal data, privacy, consent, erasure, pseudonymization, etc.) appear in the surrounding text, confirming genuine augmentation content.
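The description above is enough to reproduce the tool's logic. The Python below is an added illustration, not the rakenne tool's own code: it applies the documented rules (four themes identified by the A.5/A.6/A.7/A.8 prefix, distinct A.x.x references, the 16 key controls with a privacy keyword in the surrounding text, the augmentation pattern and an evidence reference) to a constructed sample overlay. The keyword list, the three-line context window for prose references and the rule that a table row is judged on its own are this example's assumptions, not the tool's documented behaviour.

```python
"""Stand-alone re-implementation of the checks check_controls_overlay_coverage
is documented to perform. Added illustration, not the rakenne tool's own code;
the keyword list, context window and pass/fail rule are this example's own."""
import re
from dataclasses import dataclass, field

THEMES = {"5": "Organizational", "6": "People", "7": "Physical", "8": "Technological"}
KEY_CONTROLS = {
    "A.5.1": "Policies for information security", "A.5.10": "Acceptable use",
    "A.5.12": "Classification of information", "A.5.14": "Information transfer",
    "A.5.31": "Legal, statutory, regulatory and contractual requirements",
    "A.5.34": "Privacy and protection of PII", "A.6.1": "Screening",
    "A.6.3": "Awareness, education and training", "A.7.7": "Clear desk and clear screen",
    "A.8.2": "Privileged access rights", "A.8.3": "Information access restriction",
    "A.8.10": "Information deletion", "A.8.11": "Data masking",
    "A.8.12": "Data leakage prevention", "A.8.24": "Use of cryptography",
    "A.8.25": "Secure development life cycle",
}
PRIVACY_KEYWORDS = ("pii", "personal data", "privacy", "consent", "erasure",
                    "pseudonymi", "anonymi", "data subject", "dpo")  # = genuine augmentation
CONTROL_RE = re.compile(r"\bA\.([5-8])\.(\d{1,2})\b")
PATTERN_RE = re.compile(r"base.*\+.*privacy augmentation.*=.*pims control", re.I)
WINDOW = 3  # prose lines after a reference that still count as its context


@dataclass
class Report:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    themes: set = field(default_factory=set)
    controls: set = field(default_factory=set)
    augmented: set = field(default_factory=set)

    @property
    def result(self) -> str:
        return "PASS" if not self.errors else "FAIL"


def check_overlay(text: str) -> Report:
    rep, lines = Report(), text.splitlines()
    for i, line in enumerate(lines):
        for m in CONTROL_RE.finditer(line):
            cid = f"A.{m.group(1)}.{int(m.group(2))}"
            rep.controls.add(cid)
            rep.themes.add(THEMES[m.group(1)])
            # A table row is judged alone; a heading/prose line also gets the
            # WINDOW lines below it, so bullets under a heading count.
            ctx = (line if line.lstrip().startswith("|")
                   else "\n".join(lines[i:i + WINDOW + 1])).lower()
            if cid in KEY_CONTROLS and any(k in ctx for k in PRIVACY_KEYWORDS):
                rep.augmented.add(cid)
    rep.errors += [f"theme not addressed: {t}" for t in THEMES.values() if t not in rep.themes]
    if not rep.controls:
        rep.errors.append("no ISO 27002:2022 control numbers referenced")
    elif len(rep.controls) < 10:
        rep.warnings.append(f"only {len(rep.controls)} distinct control numbers referenced")
    for cid, name in KEY_CONTROLS.items():
        if cid not in rep.controls:
            rep.errors.append(f"{cid} {name}: not referenced")
        elif cid not in rep.augmented:
            rep.errors.append(f"{cid} {name}: no privacy augmentation content nearby")
    if not PATTERN_RE.search(text):
        rep.warnings.append("'Base + Privacy augmentation = PIMS control' pattern not stated")
    if "evidence" not in text.lower():
        rep.warnings.append("no implementation evidence referenced")
    return rep


def format_report(rep: Report) -> str:
    out = [f"Control themes addressed: {len(rep.themes)}/4",
           f"Distinct control numbers referenced: {len(rep.controls)}",
           f"Key privacy controls with augmentation: {len(rep.augmented)}/{len(KEY_CONTROLS)}"]
    out += [f"  [ERROR] {e}" for e in rep.errors] + [f"  [WARN] {w}" for w in rep.warnings]
    return "\n".join(out + [f"RESULT: {rep.result}"])


# Constructed sample (not the page's MedSecure document): A.6.3 is absent and
# A.8.24 carries only a security statement, so both should be flagged.
SAMPLE_OVERLAY = """\
**Overlay approach:** Base security control + Privacy augmentation = PIMS control

| Control | Privacy Augmentation | Evidence |
|---|---|---|
| A.5.1 | Policy addresses PII protection and data subject rights | ISP s.8 |
| A.5.10 | Acceptable use forbids PII in personal cloud storage | AUP v2 |
| A.5.12 | PII sensitivity tiers added to classification | Class. guide |
| A.5.14 | Cross-border PII transfer register and SCCs | Transfer log |
| A.5.31 | Privacy legislation (GDPR, HIPAA, LGPD) in legal register | Legal reg. |
| A.5.34 | DPO appointed; DPIA and data subject request process | DPO letter |
| A.6.1 | Screening considers level of PII access | HR procedure |
| A.7.7 | Clear desk covers printed personal data | Site checklist |
| A.8.2 | Privileged access to PII stores reviewed quarterly | PAM reports |
| A.8.3 | Purpose-based PII access rules in RBAC | Access matrix |
| A.8.10 | Erasure requests executed within 30 days | DSR log |
| A.8.11 | Pseudonymization outside production; k-anonymity for analytics | Masking cfg |
| A.8.12 | DLP alerts on bulk PII extraction | DLP rule set |
| A.8.24 | AES-256 at rest, TLS 1.3 in transit | Crypto standard |
| A.8.25 | Privacy by design checklist; PIA for PII features | SDLC checklist |
"""

if __name__ == "__main__":
    print(format_report(check_overlay(SAMPLE_OVERLAY)))
```

Run as written, the constructed sample fails on exactly two findings: A.6.3 is never referenced, and A.8.24 is referenced but its row says only "AES-256 at rest, TLS 1.3 in transit", which is a security statement with no privacy augmentation. Judging a table row on its own is what makes the second finding possible: a naive multi-line window would let the A.8.25 row's "Privacy by design" satisfy A.8.24 and hide the gap, which is the kind of false pass a keyword-proximity check is prone to.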

## Getting Started

To create the privacy controls overlay, prepare the following:

1. **Complete the Statement of Applicability (SoA)** — This skill builds on top of your existing ISO 27001 SoA. You need the baseline implementation status for all 93 Annex A controls. If you have completed the ISO 27001 SoA skill, the agent loads it automatically.

2. **Complete the PIMS Scope** — The agent references the PIMS scope to understand your organization role (controller/processor/both) and which privacy regulations apply. This determines which Clause 6 augmentations are relevant.

3. **Gather existing privacy documentation** — Collect any privacy policies, data handling procedures, DPO appointment letters, DPIA templates, and data subject request procedures you already have. These may already satisfy some augmentation requirements.

4. **Know your PII systems** — Understand which systems process PII and what security controls are already in place (encryption, access controls, DLP, masking). The privacy augmentation builds on these existing controls rather than replacing them.

5. **Understand the overlay concept** — This is not about replacing your security controls. It is about documenting what additional privacy-specific measures each control needs. A control might be fully implemented for security but still need privacy augmentation (e.g., your DLP rules work but do not specifically monitor for PII exfiltration).

The skill produces `output/Privacy-Controls-Overlay.md` with a section for each control theme and detailed augmentation guidance for each privacy-relevant control.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
