Learn more about implementing the Privacy Information Management System (PIMS) with our overview guide to ISO27701.
What is ISO27701?
In simple terms, ISO/IEC 27701:2019 is a data privacy extension to ISO 27001.
The ISO/IEC 27701 international standard for “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” was published by the ISO and IEC in 2019. It specifies the requirements that your Privacy Information Management System (PIMS) will need to meet for your organisation to become certified to the standard.
It’s important to note that organisations certifying to ISO27701 must first be certified to ISO27001 for an Information Security Management System (ISMS), because ISO27701 adds a suite of privacy requirements to the ISMS. The requirements in ISO/IEC 27701 are amendments and additions to those of the ISO/IEC 27001 information security standard and its supporting guidance, ISO/IEC 27002.
What are the benefits of implementing ISO27701?
There are several benefits to implementing a Privacy Information Management System:
It shows your customers, clients, and stakeholders that you’re processing PII (Personally Identifiable Information) correctly and in the most secure way.
Developed by data protection regulators from around the world, the standard lets you ensure your organisation is aligned to the most comprehensive privacy framework available and, in turn, to the requirements of the GDPR and other global privacy regulations.
Because the standard is globally recognised, you can have peace of mind knowing your organisation’s privacy management is compliant around the world.
By aligning to ISO27701, you reduce the risk of a privacy breach which could be damaging to your organisation’s reputation and financial status.
How does ISO27701 integrate with ISO27001?
Organisations that have implemented ISO27001 for an Information Security Management System will be able to use ISO27701 to extend their privacy and security management processes, including their processing of PII, to demonstrate compliance with data protection laws such as the GDPR.
If you’re not yet certified to ISO27001, you can implement ISO27001 and ISO27701 as a single project and combine the certification audit. Going forward, once certified to both, you can combine the surveillance and recertification audits to save time and costs.
The contents of the ISO27701 standard
Like other ISO standards, ISO27701 is split into numbered sections: sections 0-3 provide context and contain no requirements to align to, while sections 4-10, Annex A and Annex B require evidence of compliance to pass the certification audit.
Section 0: Introduction
Section 1: Scope
Section 2: Normative references
Section 3: Terms and definitions
Section 4: General
Section 5: PIMS-specific requirements related to ISO/IEC 27001
Section 6: PIMS-specific guidance related to ISO/IEC 27002
Section 7: Additional ISO/IEC 27002 guidance for PII controllers
Section 8: Additional ISO/IEC 27002 guidance for PII processors
Annex A: PIMS-specific reference control objectives and controls (PII Controllers)
Annex B: PIMS-specific reference control objectives and controls (PII Processors)
The ISO27701 Certification Process
It’s important to note that ISO27701 isn’t a legal requirement, and some organisations choose simply to align to the standard as a set of best practice principles. However, for increased credibility and business opportunities, many become certified to prove their compliance internally and externally.
Don’t forget that to certify to ISO27701 you’ll need either to prepare for ISO27001 certification at the same time, with a combined audit in the pipeline, or to already have a certified ISMS in place.
The certification process follows the same pattern as other ISO audits. Stage one is essentially a review of how ready you are for the main event, the stage two certification audit. You may pick up a few pointers for improvement (known as nonconformities) at stage two but, if these aren’t too serious, your organisation effectively becomes certified and can advertise this.
Annual surveillance audits are required (going forward, these can be combined with your ISO27001 audits), along with a recertification audit every third year, so it’s important to stay up to date with any developments and ensure your organisation is continually compliant.
How can CertiKit help?
Whether you’re already ISO27001 certified and looking to improve your data protection with the ISO27701 privacy extension or looking to embed both simultaneously, it can be daunting to start from a blank page.
Written by a CISSP-qualified audit specialist with over 30 years’ experience, our ISO27701 toolkit will guide you through the process of achieving compliance with ease, with a comprehensive set of templates and guides and expert support included. It is available on its own or as an add-on to our ISO27001 toolkit for an Information Security Management System; with CertiKit, compliance is made easy.