The systems used for processing personal data shall be structur...

The systems used for processing personal data shall be structured in order to meet the security requirements, standards of good practice and governance, general principles provided in this Law and other regulatory rules.

ISO 27701

5.2.3: Determining the scope of the information security management system

5.2.4: Information security management system

5.4.1.3: Information security risk treatment

6.4: Human resource security

6.11.2.5: Secure systems engineering principles

6.12: Supplier relationships

6.13.1.1: Responsibilities and procedures

6.15.1.3: Protection of records

6.15.2.1: Independent review of information security

7.2.6: Contracts with PII processors

7.3.1: Determining and fulfilling obligations to PII principals

8.3.1: Obligations to PII principals

8.5.5: Legally binding PII disclosures