This guide provides an overview of the ISO27701 standard and what is involved when implementing a Privacy Information Management System (PIMS).
For additional help our free resources below are available, including a downloadable implementation guide, sample document and a host of blogs. We hope you find these resources useful for your ISO27701 compliance.
In simple terms, ISO/IEC 27701:2019 is a data privacy extension to ISO 27001.
The ISO/IEC 27701 international standard for “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” was published by the ISO and IEC in 2019. It specifies the requirements that your Privacy Information Management System (PIMS) will need to meet for your organization to become certified to the standard.
It’s important to note that an organization certifying to ISO27701 must first be certified to ISO27001 for its Information Security Management System (ISMS), because ISO27701 adds a suite of privacy requirements to that ISMS. The requirements in ISO/IEC 27701 are amendments and additions to those of the ISO/IEC 27001 information security standard and its supporting guidance, ISO/IEC 27002.
There are several benefits to implementing a Privacy Information Management System:
Organizations that have implemented ISO27001 for an Information Security Management System will be able to use ISO27701 to extend their security processes to privacy management, including their processing of PII, and so demonstrate compliance with data protection laws such as the GDPR.
If you’re not yet certified to ISO27001, you can implement ISO27001 and ISO27701 as a single project and combine the certification audit. Going forward, once certified to both, you can combine the surveillance and recertification audits to save time and costs.
Like other ISO standards, ISO27701 is split into numbered sections, with sections 0-3 for context with no requirements to align to and sections 4-10, Annex A and Annex B requiring evidence of compliance to pass the certification audit.
It’s important to note that ISO27701 isn’t a legal requirement, and some organizations choose simply to align to the standard as a set of best-practice principles. However, for increased credibility and business opportunities, many become certified to prove their compliance internally and externally.
Don’t forget that to certify to ISO27701 you’ll need either to prepare for ISO27001 certification at the same time, with a combined audit in the pipeline, or to already have a certified ISMS in place.
The certification process follows the same pattern as other ISO audits. Stage one is essentially a review of how ready you are for the main event, the stage two certification audit. You may pick up a few pointers for improvement (known as nonconformities) at stage two but, if these aren’t too serious, your organization effectively becomes certified and can advertise this.
Annual surveillance audits are required (going forward, these can be combined with ISO27001) along with a recertification audit every third year, so it’s important to stay up to date with any developments and ensure your organization remains continually compliant.
Whether you’re already ISO27001 certified and looking to improve your data protection with the ISO27701 privacy extension, or looking to embed both simultaneously, it can be daunting to start from a blank page. Written by a CISSP-qualified audit specialist with over 30 years’ experience, our ISO27701 toolkit will guide you through the process to achieve compliance with ease. With more than 75 template documents, guides, examples, and plans, it even comes with unlimited email support from our expert consultants. Available on its own or as an add-on to our ISO27001 toolkit for an Information Security Management System, with CertiKit we can assure you that compliance is made easy.