ISO27701 A.7.5.1 (voice-validated)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should identify and document the relevant basis for transfers of PII between jurisdictions. Where applicable, the transfer mechanisms relied on (adequacy decisions, SCCs, BCRs, derogations) must be documented and reviewed whenever the source or destination jurisdiction changes.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1566 | Attackers use phishing to gain initial access to employee accounts, enabling access to PII transfer documentation or systems. This directly compromises the integrity of transfer basis reviews. | 80% |
| T1078 | Compromised valid accounts provide attackers direct access to systems managing PII transfers and their documentation, bypassing security controls. This undermines the control's review requirements. | 90% |
| T1003 | Attackers dump credentials from systems involved in PII transfer processes, facilitating unauthorized access to sensitive data and transfer mechanisms. This bypasses authentication for transfer reviews. | 70% |
| T1082 | Attackers discover system configurations and network topology, identifying data transfer points and PII storage locations. This informs exploitation of PII transfer weaknesses. | 70% |
| T1005 | PII or documentation regarding transfer mechanisms (e.g., SCCs, BCRs) is collected from local endpoints. This directly compromises the confidentiality of transfer basis. | 80% |
| T1039 | Attackers collect PII or transfer documentation from network shares, exploiting inadequate access controls. This compromises the confidentiality of transfer basis. | 80% |
| T1041 | PII collected from transfer systems is exfiltrated via established command and control channels. This directly violates PII transfer security. | 90% |
| T1573 | Attackers use encrypted channels to exfiltrate PII, making detection difficult. This evades monitoring of PII transfers. | 80% |
| T1485 | Attackers destroy PII or documentation related to transfer mechanisms, disrupting operations and hindering compliance. This impacts the availability of transfer records. | 60% |
| T1486 | PII is encrypted by attackers to demand ransom, severely impacting data availability and compliance with transfer requirements. This directly affects PII availability. | 60% |
| T1027 | Attackers obfuscate exfiltrated PII or malicious tools to evade detection during transfer or storage. This hinders detection of unauthorized PII handling. | 70% |
| T1053 | Attackers establish persistence by creating scheduled tasks to automate PII collection or exfiltration from transfer systems. This maintains unauthorized access to PII. | 70% |
| T1068 | Attackers exploit vulnerabilities to gain higher privileges on systems handling PII transfers, enabling access to restricted data or configurations. This bypasses access controls for transfer mechanisms. | 70% |
| T1133 | Attackers gain initial access to systems involved in PII transfers by exploiting insecure external remote services. This compromises the perimeter protecting PII transfer data. | 70% |
| T1071 | Attackers use common application layer protocols for C2, blending in with normal network traffic during PII exfiltration. This makes detection of unauthorized PII transfers difficult. | 80% |
Defending mitigations · 5
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 | Implementing MFA significantly reduces the risk of unauthorized access to systems managing PII transfers, even with compromised credentials. This strengthens access to transfer documentation. | 90% |
| M1047 | Regular auditing of access to PII transfer documentation and systems detects unauthorized activities and ensures compliance with review requirements. This verifies adherence to ISO27701 A.7.5.1. | 90% |
| M1031 | Isolating systems handling PII transfers limits lateral movement of attackers and contains potential breaches, reducing exfiltration risk. This protects PII transfer data. | 80% |
| M1028 | Secure configuration of operating systems hosting PII transfer documentation and tools reduces attack surfaces and vulnerabilities. This hardens systems involved in PII transfers. | 80% |
| M1026 | Strict control and monitoring of privileged accounts accessing PII transfer configurations prevents misuse and unauthorized changes. This secures critical transfer mechanisms. | 90% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | Failure to identify and document proper transfer bases directly leads to unauthorized exposure of PII during cross-jurisdictional transfers. This violates ISO27701 A.7.5.1. | 90% |
| CWE-732 | Inadequate access permissions on PII transfer documentation or the PII itself allows unauthorized access or modification. This compromises the integrity of transfer records. | 80% |
| CWE-319 | Transferring PII without encryption between jurisdictions, even with documented mechanisms, exposes it to interception. This undermines secure PII transfers. | 80% |
| CWE-287 | Weak or missing authentication for systems or processes involved in PII transfers allows unauthorized access to sensitive data and documentation. This compromises transfer mechanism integrity. | 80% |
| CWE-269 | Granting excessive privileges to users or systems handling PII transfer mechanisms increases the risk of unauthorized data access or manipulation. This weakens control over PII transfers. | 80% |
| CWE-532 | PII or details about transfer mechanisms inadvertently logged insecurely can lead to unauthorized disclosure. This exposes sensitive transfer information. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0173 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation