ISO27701 A.7.2.1
Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should identify and document the specific purposes for which the PII will be processed. The legal basis for the processing should be documented, along with the categories of PII processed and the categories of data subjects.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 0
| Mitigation | What it does | Confidence |
|---|---|---|
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | 1. Exposure of sensitive information occurs if PII processing is not properly identified and protected. 2. A.7.2.1 mandates documenting PII purposes and categories to prevent such exposure. 3. Failure to document leads to unknown PII locations and inadequate protection. | 90% |
| CWE-284 | 1. Improper access control allows unauthorized access to PII or its documentation. 2. Documenting PII categories and data subjects (A.7.2.1) is essential for implementing correct access controls. 3. Weak access controls are a direct threat to PII confidentiality. | 80% |
| CWE-306 | 1. Missing authentication for critical functions can expose PII processing details or the PII itself. 2. Identifying PII processing (A.7.2.1) helps determine which functions are critical and require authentication. 3. Lack of authentication enables easy access for attackers. | 70% |
| CWE-522 | 1. Insufficiently protected credentials lead to unauthorized access to PII. 2. The control indirectly highlights the need to protect credentials for systems handling documented PII. 3. Weak credential protection undermines all other security measures. | 70% |
| CWE-532 | 1. Inclusion of sensitive information in log files can inadvertently expose PII or processing details. 2. Documenting PII categories (A.7.2.1) helps identify what should not be logged or must be masked. 3. Uncontrolled logging creates a new attack surface. | 60% |
| CWE-668 | 1. Exposure of resources to the wrong sphere can make PII or its documentation accessible to unauthorized parties. 2. Understanding PII processing (A.7.2.1) informs proper network and system segregation. 3. Misconfigured resource exposure leads to unintended data leakage. | 60% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0200 compute · voice-rubric self-validated