ISO27701 – What’s New for 2023?

Early January 2023 saw the publication of a draft of a new version of the ISO/IEC 27701 Privacy Information Management standard (we’ll just call it “ISO27701”). The draft will now go through a ballot stage, then a final draft, before the finished standard is published. ISO27701 is a relatively new standard, having been published in 2019, so why is it being amended?

You may remember that ISO27701 is an extension to the popular ISO27001 and ISO27002 standards, which means that it relies heavily on them for its structure. Both of those standards were updated in 2022, so ISO27701 needed to change too.

What were the changes to ISO27001?

As a reminder, an organization must be certified to ISO27001 in order to be certified to ISO27701; the latter is not a standalone standard for certification purposes. The ISO27001 standard consists of two main parts: the management system clauses and the Annex A controls. The big changes in ISO27001 last year were in the Annex A controls, which were completely revised and restructured, with relatively small changes to the management system text, mainly to bring it in line with the latest version of Annex SL (the common wording for management system standards).

What are the implications for ISO27701?

In actual fact, if we’re looking purely at what’s needed for certification to ISO27701, then the changes aren’t that big. To understand why, we need to look at the structure of the ISO27701 standard.

Unlike ISO27001, ISO27701 is a “Requirements and guidelines” standard. This means that it includes both the requirements needed for certification and more general guidance that isn’t audited against. In a nutshell, it’s mainly the guidance that has changed, not the requirements.

What has changed in the requirements?

With regard to the management system clauses, there are some changes in headings to reflect the equivalent changes in ISO27001, such as the addition of Clause 6.3 Planning of changes and the swapping round of the two subheadings in Clause 10 Improvement, but no additional requirements are stated. There are a few slight wording changes (in fact I only spotted one), but that’s it.

As far as Annexes A and B go (which state the additional PIMS-specific controls for PII controllers and PII processors respectively), there are no changes at all: the same number of controls, with the same wording.

So if your organization is already certified to ISO27701 and your focus is on complying with the requirements rather than the guidance, then there’s not a whole lot to do.

What about the guidance?

In the 2022 version of ISO27001 we’ve gone from 114 controls in 14 categories to 93 controls in 4 themes, and the ISO27701 guidance has been reorganised to reflect this change. Where the controls are equivalent, the guidance is largely the same; that is, it has been copied across. There are 11 new controls in Annex A of ISO27001, and whilst these are listed in the ISO27701 draft, none of them is given any additional privacy-specific guidance.

Other changes

References to previous versions of standards have been updated, and several of the annexes that map ISO27701 to other standards and to the GDPR have been revised to show the new control structure. A new annex showing the correspondence with the 2019 version of ISO27701 has been added.

Conclusion

It made sense to update ISO27701 to match the new control structure used in the 2022 version of ISO27001. Remembering that this is only a draft and not a finished product, it is clear that this update is purely a restructuring exercise; there is nothing new in this proposed version. Many would argue that, for such a recent standard (it was released in 2019), this is no surprise.

Certainly for those who are already certified to ISO27701 and for those working towards it, there is very little to be concerned about, as the requirements against which you will be audited remain the same.

We will be keeping a close eye on this draft’s progress through ISO’s publishing process and we’ll let you know if anything changes before final publication.
