ISO 27701 A.7.2.2
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes. For each processing operation, the controller should be able to demonstrate which lawful basis applies (consent, contract, legal obligation, vital interests, public task, legitimate interests).
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | Isolating systems that process PII limits lateral movement, so PII access stays aligned with the documented lawful bases. | 100% |
| M1032 | Protecting access to PII systems with MFA ensures that only authorised personnel with a lawful basis can reach the data. | 100% |
| M1035 | Strict least-privilege access controls directly support PII access only for lawful purposes, as A.7.2.2 requires. | 100% |
| M1037 | Defined account-usage policies tie PII access to documented roles and lawful bases, preventing misuse. | 90% |
| M1040 | DLP prevents unauthorised PII exfiltration, a critical control for ensuring data is processed and retained lawfully. | 100% |
| M1042 | Being able to restore PII after an incident limits impact and supports the data-integrity requirements tied to lawful processing. | 90% |
| M1047 | Monitoring PII access and processing activity detects unauthorised actions and provides the evidence needed to demonstrate compliance with lawful-basis requirements. | 100% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Failure to define and enforce a lawful basis for PII processing leads directly to unauthorised exposure. | 100% |
| CWE-284 | An unclear lawful basis for PII processing results in improperly configured access controls, allowing unauthorised access. | 100% |
| CWE-532 | Logging PII without a clear lawful basis or proper redaction can lead to its unauthorised exposure. | 90% |
| CWE-798 | Hard-coded credentials bypass access controls, undermining the principle of lawful and authorised access to PII. | 90% |
| CWE-306 | Critical functions that process PII without authentication enable unauthorised operations, violating the lawful basis. | 90% |
| CWE-20 | Improper input validation can lead to data corruption or injection, affecting PII integrity and lawful processing. | 80% |
| CWE-502 | Deserialization vulnerabilities can compromise systems holding PII, violating lawful-processing principles through unauthorised access. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0175 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation