ISO27701A.7.4.1voice-validated
ISO27701 A.7.4.1: A.7.4.1
ISO27701
AL
Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should limit the collection of PII to the minimum necessary for the identified purposes. Data minimisation must be enforced at the application layer (forms, APIs, integrations) and verified through periodic data-flow audits.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1005 | 1.0 confidence. This technique involves collecting PII from local systems. ISO27701 A.7.4.1 mandates limiting PII collection, directly reducing the volume available for this technique. | 100% |
| T1041 | 1.0 confidence. Adversaries exfiltrate collected PII via C2 channels. ISO27701 A.7.4.1's data minimization directly limits the amount of PII available for exfiltration, reducing breach impact. | 100% |
| T1071.001 | 0.9 confidence. Adversaries use standard protocols for C2 and data exfiltration. ISO27701 A.7.4.1's requirement to minimize PII reduces the overall data volume transmitted, making exfiltration less impactful. | 90% |
| T1083 | 0.8 confidence. Adversaries discover files containing PII. ISO27701 A.7.4.1 mandates minimizing PII, which reduces the number of sensitive files and directories an attacker can discover. | 80% |
| T1119 | 0.9 confidence. Adversaries automate PII collection. ISO27701 A.7.4.1's data minimization directly limits the volume of PII available for automated scripts, reducing the attack's overall yield. | 90% |
| T1530 | 0.9 confidence. Adversaries collect PII from cloud storage. ISO27701 A.7.4.1 requires minimizing PII, thereby reducing the amount of sensitive data stored and accessible in cloud environments. | 90% |
| T1567 | 1.0 confidence. Adversaries exfiltrate PII via web services. ISO27701 A.7.4.1 directly limits the volume of PII collected, significantly reducing the data available for this exfiltration technique. | 100% |
| T1566 | 0.7 confidence. Adversaries use phishing to collect PII. ISO27701 A.7.4.1's principle of minimal PII collection reduces the value of PII obtained through successful phishing attempts. | 70% |
| T1190 | 0.8 confidence. Exploiting applications that collect excessive PII leads to larger breaches. ISO27701 A.7.4.1's data minimization reduces the potential impact of such exploits by limiting accessible PII. | 80% |
| T1003 | 0.6 confidence. If PII includes credentials, this technique is more potent. ISO27701 A.7.4.1 encourages minimizing all PII, including credentials, reducing their presence in general data stores. | 60% |
| T1025 | 0.7 confidence. Adversaries collect PII from removable media. ISO27701 A.7.4.1's data minimization reduces the amount of PII stored on such media, limiting potential data loss. | 70% |
| T1039 | 0.8 confidence. Adversaries collect PII from network shares. ISO27701 A.7.4.1's data minimization reduces the amount of PII stored on shared drives, limiting the scope of data breaches. | 80% |
| T1486 | 0.9 confidence. Adversaries encrypt PII for ransom. ISO27701 A.7.4.1's data minimization reduces the total volume of PII, thereby lessening the potential impact and leverage of ransomware attacks. | 90% |
| T1082 | 0.7 confidence. Adversaries discover systems holding PII. ISO27701 A.7.4.1's data minimization reduces the overall PII footprint across systems, making fewer systems high-value targets. | 70% |
| T1068 | 0.7 confidence. Gaining higher privileges often aims to access more PII. ISO27701 A.7.4.1's data minimization reduces the value of such elevated access by limiting available PII. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1041 | 1.0 confidence. This mitigation directly implements ISO27701 A.7.4.1 by limiting PII collection to the minimum necessary, reducing the attack surface. | 100% |
| M1035 | 0.9 confidence. This mitigation restricts access to PII, complementing ISO27701 A.7.4.1's requirement to minimize data by controlling who can interact with the reduced dataset. | 90% |
| M1047 | 1.0 confidence. This mitigation supports ISO27701 A.7.4.1's mandate for 'periodic data-flow audits' to verify data minimization enforcement at the application layer. | 100% |
| M1031 | 0.8 confidence. This mitigation isolates systems containing PII. While not directly minimizing data, it limits the scope of access, supporting ISO27701 A.7.4.1's intent to protect PII. | 80% |
| M1026 | 0.8 confidence. This mitigation limits access to PII by privileged accounts. ISO27701 A.7.4.1's data minimization reduces the amount of PII these accounts can access, even if compromised. | 80% |
| M1028 | 0.7 confidence. This mitigation secures underlying systems storing PII. ISO27701 A.7.4.1's data minimization reduces the sensitive data footprint on these systems, enhancing overall security. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | 1.0 confidence. This weakness directly results from failing to implement ISO27701 A.7.4.1, as excessive PII collection increases exposure risk. | 100% |
| CWE-359 | 1.0 confidence. This weakness occurs when more PII than necessary is collected, directly violating ISO27701 A.7.4.1's data minimization principle. | 100% |
| CWE-532 | 0.9 confidence. If ISO27701 A.7.4.1 is not followed, excessive PII might be collected and inadvertently included in log files, creating this weakness. | 90% |
| CWE-668 | 0.8 confidence. This weakness arises when PII is exposed to an unintended scope due to a lack of data minimization, contrary to ISO27701 A.7.4.1. | 80% |
| CWE-922 | 0.9 confidence. If ISO27701 A.7.4.1 is not enforced, excessive PII is stored, increasing the likelihood and impact of insecure storage. | 90% |
| CWE-20 | 0.7 confidence. This weakness can lead to the collection of unintended or excessive PII through application forms or APIs, directly undermining ISO27701 A.7.4.1. | 70% |
| CWE-212 | 0.8 confidence. If PII is collected beyond necessity (violating ISO27701 A.7.4.1), it might not be properly removed before being used or shared, leading to this weakness. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0196 compute · voice-rubric self-validated