What is ISO27701? A short guide

This guide provides an overview of the ISO27701 standard and what is involved when implementing a Privacy Information Management System (PIMS).

For additional help our free resources below are available, including a downloadable implementation guide, sample document and a host of blogs. We hope you find these resources useful for your ISO27701 compliance.

Free ISO27701 Resources Links:

• ISO27701 Implementation Guide
• ISO27701 Toolkit Sample Document
• ISO27701 Blogs

What is ISO27701?

In simple terms, ISO/IEC 27701:2019 is a data privacy extension to ISO 27001.

The ISO/IEC 27701 international standard for “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” was published by the ISO and IEC in 2019. It specifies the requirements that your Privacy Information Management System (PIMS) will need to meet for your organization to become certified to the standard.

It’s important to note that those certifying to ISO27701 must first be certified to ISO27001 for Information Security Management System (ISMS) as it adds a suite of privacy requirements to the ISMS. The requirements in ISO/IEC 27701 are amendments and additions to those of the ISO/IEC 27001 information security standard and its supporting guidance, ISO/IEC 27002.

What are the benefits of implementing ISO27701?

There are several benefits to implementing a Privacy Information Management System:

• It shows your customers, clients, and stakeholders that you’re processing PII (Personal Identifiable Information) correctly and in the most secure way.
• Developed by data protection regulators from around the world, you can ensure your organization is aligned to the most comprehensive privacy framework available and in turn, aligned to the requirements of the GDPR and other global privacy regulations.
• Globally recognised, you can have peace of mind knowing your organization’s privacy management is compliant around the world.
• By aligning to ISO27701, you reduce the risk of a privacy breach which could be damaging to your organization’s reputation and financial status.

How does ISO27701 integrate with ISO27001?

Organizations that have implemented ISO27001 for an Information Security Management System will be able to use ISO27701 to extend their privacy management security processes– including their processing of PII to demonstrate compliance to data protection laws, such as the GDPR.

If you’re not yet certified to ISO27001, you can implement ISO27001 and ISO27701 as a single project, and you can combine the certification audit. Going forward once certified to both you can combine the surveillance and recertification audits to save time and costs.

The contents of the ISO27701 standard

Like other ISO standards, ISO27701 is split into numbered sections, with sections 0-3 for context with no requirements to align to and sections 4-10, Annex A and Annex B requiring evidence of compliance to pass the certification audit.

• Section 0: Introduction
• Section 1: Scope
• Section 2: Normative references
• Section 3: Terms and definitions
• Section 4: General
• Section 5: PIMS-specific requirements related to ISO/IEC 27001
• Section 6: PIMS-specific guidance related to ISO/IEC 27002
• Section 7: Additional ISO/IEC 27002 guidance for PII controllers
• Section 8: Additional ISO/IEC 27002 guidance for PII processors
• Annex A: PIMS-specific reference control objectives and controls (PII Controllers)
• Annex B: PIMS-specific reference control objectives and controls (PII Processors)

The Certification Process

It’s important to note that ISO27701 isn’t a legal requirement and some organization choose to simply align to the standard as best practice principles, however for increased credibility and business opportunities many become certified to prove their compliance internally and externally.

Don’t forget to certify to ISO27701, you’ll need to either prepare for ISO27001 certification at the same time with a combined audit in the pipeline or already have a certified ISMS in place.

The certification process is as standard of other ISO audits. Stage one is basically a review of how ready you are for the main event, the stage two certification audit. You may pick up a few pointers for improvement (known as nonconformities) at Stage Two but, if these aren’t too serious, your organization effectively becomes certified and can advertise this.

Annual surveillance audits are required (you can do this combined with ISO27001 going forward) and a re-certification audit everything third year, so it’s important to stay up to date with any developments and ensure your organization is continually compliant.

Whether you’re already ISO27001 certified and looking to improve your data protection with the ISO27701 privacy extension or looking to embed both simultaneously, it can be daunting to start from a blank page. Written by a CISSP-qualified audit specialist with over 30 years’ experience, our ISO27701 toolkit will guide you through the process to achieve compliance with ease, with more than 75 template documents, guides, examples, and plans, it even comes with unlimited email support with our expert consultants. Available on its own or as an add-on to our ISO27001 toolkit for Information Security Management System, with CertiKit we can assure compliance is made easy.