ISO27701 A.7.3.6
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should implement policies, procedures and mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII. These mechanisms should be tested and validated against the SLAs the organisation commits to in its privacy notice.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 5
| Mitigation | What it does | Confidence |
|---|---|---|
| M1030 | 1. Network segmentation isolates PII processing systems, limiting unauthorized access and lateral movement. 2. This directly supports PII protection by containing potential breaches. | 90% |
| M1035 | 1. Limiting access to resources over the network restricts network access to PII data and management interfaces. 2. This enforces access control policies, preventing unauthorized PII operations. | 90% |
| M1047 | 1. Auditing monitors and logs PII access, modification, and erasure attempts. 2. This enables detection of policy violations and accountability, critical for validating mechanisms. | 95% |
| M1028 | 1. Operating system configuration secures underlying systems hosting PII management applications. 2. This reduces the attack surface for privilege escalation and unauthorized PII access. | 80% |
| M1017 | 1. User account management ensures proper creation, modification, and deletion of PII principal accounts and system accounts. 2. This enforces access rights, preventing unauthorized PII operations. | 90% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-284 | 1. Improper access control to PII or its management mechanisms directly violates the control's intent. 2. This allows unauthorized actors to access, correct, or erase PII. | 95% |
| CWE-287 | 1. Improper authentication for PII management systems allows unauthorized actors to impersonate PII principals or administrators. 2. This undermines the integrity of PII operations. | 90% |
| CWE-200 | 1. Exposure of sensitive information to an unauthorized actor is a direct consequence of flawed PII access mechanisms. 2. This results in breaches of PII confidentiality. | 95% |
| CWE-732 | 1. Incorrect permission assignment for critical resources, such as PII data stores, leads to unauthorized modification or erasure. 2. This compromises data integrity and availability. | 90% |
| CWE-269 | 1. Improper privilege management allows users to perform PII operations beyond their authorized scope. 2. This undermines the principle of least privilege for PII handling. | 85% |
| CWE-306 | 1. Missing authentication for critical functions, like PII erasure or correction, allows unverified actions. 2. This exposes PII to unauthorized and irreversible changes. | 85% |
| CWE-1114 | 1. Improper input validation on PII access/correction requests can lead to data manipulation or injection attacks. 2. This compromises the accuracy and integrity of PII. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0193 compute · voice-rubric self-validated · 2 hallucination(s) dropped at validation