ISO27701 A.8.2.1
Founder at SQUR · last verified 2026-06-19
Regulation text
The organisation should ensure, where relevant, that a contract or other documented agreement with the customer addresses the protection of PII. The agreement should describe the roles, responsibilities, sub-processing rules, and termination/return-of-data procedures.
ATT&CK techniques this article tests · 0
| Technique | Why it maps | Confidence |
|---|---|---|
Defending mitigations · 0
| Mitigation | What it does | Confidence |
|---|---|---|
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-1004 | Absence of contractual requirements for PII encryption leads to sensitive data being stored in unencrypted files, increasing breach impact. | 90% |
| CWE-1021 | Weak or absent contractual clauses on authentication security leave systems without limits on repeated authentication attempts, so password guessing against PII-bearing accounts goes unthrottled. | 80% |
| CWE-1041 | Contracts that do not specify secure web practices for PII handling impose no Referrer-Policy requirement, so PII carried in URLs can leak to third parties through the Referer header. | 70% |
| CWE-1043 | Without contractual data integrity requirements, systems may mishandle PII and fail to handle incomplete or corrupt data safely. | 80% |
| CWE-1044 | Without contractual data quality mandates, inconsistent PII records accumulate and systems fail to handle the inconsistencies. | 80% |
| CWE-1045 | Unclear roles and responsibilities in PII protection contracts directly contribute to inadequate enforcement of authorization for data access. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0166 compute · voice-rubric self-validated