
The New ISO27701 - First Impressions

Posted on October 21st, 2025 | Written by Ken Holmes.

After a long wait the new version of the ISO/IEC 27701 Privacy standard finally dropped last week. CertiKit had a rummage down the back of the sofa for some Swiss Francs and headed over to the ISO website to purchase a copy. Here are our first impressions.


ISO27701 Has a New Layout

It's clear from the outset that the layout of the new version has changed markedly from its 2019 predecessor. The previous version was quite hard to navigate, with a muddy mix of requirements, guidance and controls quite unlike the majority of ISO standards. This was due to the nature of the previous standard as a bolt-on to its big brother ISO27001. Quite frankly, it was a bit of a mess.

That’s all gone, and the new version is very recognisable as a management system standard with the usual Annex SL/High Level Structure set of clauses. This is because you no longer need to be certified to ISO27001 to gain ISO27701 certification. Hooray!

After the Scope and Normative references clauses there follow three pages of seemingly pointless definitions (why they don't have a single source of these is beyond me) before we get to Clause 4 Context where, in addition to the usual text, there are some requirements to do with the role of the organization as a PII controller or processor. Clause 4 is relatively lengthy, with no fewer than six notes relating to interested parties.

The majority of the rest of the management system requirements will be familiar to anyone who has worked with any of the other such standards, particularly ISO27001, covering areas such as leadership, policy, roles, objectives, internal audit and management review.


What About Risk?

Clause 6 Planning delves into the topic of risk assessment and treatment with a requirement to assess privacy risks both to the organization and to the PII principal. When we get to risk treatment it gets a bit more interesting. Like ISO27001, there is an Annex A which has a set of thirty-one privacy controls for PII controllers and eighteen for PII processors. These are the same (as far as I can tell so far) as the ones in the 2019 version of the standard. A slight bugbear is the fact that the numbered lists of controls start from 2 rather than 1. This is apparently because they refer to the numbering of the guidance in Annex B, which has a "General" section at its start. Why they couldn't have found a way to start at 1 I don't know.

However, in addition there is a set of twenty-nine controls for PII controllers and processors which are very much information security-focussed. In fact they are a subset of the Annex A reference controls from ISO27001. The approach that has been taken to making ISO27701 a standalone standard is obviously to cherry-pick the “best” controls from ISO27001 and renumber them.

But that’s not the whole story. In Clause 6 Planning there is also a list of fifteen areas that an information security programme should address. Although the list looks fairly similar to the twenty-nine controls in Annex A, there are a few areas, such as physical and environmental security, that don’t seem to match up. This may mean that you will need a few more controls from ISO27001 than the ones listed at the back of ISO27701, to fully meet the requirements.

Like ISO27001, there is a requirement for a statement of applicability showing which of the controls in Annex A are applicable.


What Else is Included?

Beyond Annex A there is Annex B which has 30 pages of implementation guidance for the controls in Annex A. As always this is guidance and so not requirements – a nonconformity can’t be raised at audit if you haven’t followed it exactly.

Annexes C, D and E then have mappings to ISO29100, the GDPR and ISO27018/ISO29151 respectively, with Annex F showing how the 2025 version of ISO27701 relates to the 2019 version and back again. The standard finishes with the usual bibliography on page 64.


Overall Thoughts

It’s great that an organization can now be certified to ISO27701 without including ISO27001 and I feel this will help to make ISO27701 a lot more popular, especially given the growing list of privacy legislation around the world.

The standard is much easier to follow now, and it’s much clearer where the requirements are. The inclusion of the guidance at the end makes the standard longer and therefore more expensive and there still seems to be a lack of consistency amongst ISO standards in terms of what they include. Obviously ISO27001 has no guidance (with it being separated out into ISO27002) and I don’t know why they didn’t do the same here.

The choice of ISO27001 controls to include in ISO27701 seems slightly random, more for the ones they missed out than the ones they included; for example “Access Control” is not in there.

The biggest puzzle is probably why it took nearly three years to bring ISO27701 into line with ISO27001 when the management system is the same as other standards, the privacy controls haven’t changed and the information security controls are copied from ISO27001 Annex A.

Anyway, it’s arrived, and here at CertiKit we are working hard to update our ISO27701 toolkit to reflect the new version which will be available free of charge to all customers that have our lifetime updates guarantee. We’ll be in touch when it’s ready.


Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
