
How many controls are there in ISO 27701?

If you’re considering ISO 27701 certification, you probably want to understand exactly how many controls you’ll need to tackle to reach compliance. As a quick refresher, a control is a safeguard (a policy, process, or technical measure) that an organization puts in place to reduce a security or privacy risk. Knowing how many controls a framework contains is useful because it gives you a sense of the size and shape of its compliance requirements. ISO 27701 contains 184 controls, but don’t be overwhelmed. Read on to learn how those controls break down into five easy-to-understand categories and how you can get started with the compliance process.

The controls in ISO 27701 fall into five categories, covering the management system itself, the security controls it operates, and how the organization handles risk, incidents, and continuity.

  1. Security management: These controls are related to creating and maintaining an effective security management system.
  2. Information security controls: These are the technical and organizational measures that safeguard information from unauthorized access, use, disclosure, or destruction.
  3. Information security risk management: This category covers the procedures for identifying, evaluating, and responding to information security risks.
  4. Information security incident management: These controls address how to detect, respond to, and learn from incidents that endanger data security.
  5. Business continuity management: This category aims to ensure that an organization can continue to operate in the event of an incident.

Addressing the gaps in these five categories is essential to building an effective privacy information management system (PIMS) and achieving ISO 27701 compliance. Note that ISO 27701 certification also requires an ISO 27001 information security management system to build on. Read on for a brief explanation of this relationship.

ISO 27701 builds on ISO/IEC 27001 Annex A controls. 

So what’s the difference between ISO 27001 and ISO 27701? Simply put, ISO 27701 is a privacy extension that only exists in tandem with ISO 27001. While ISO 27001 establishes the framework for a company’s information security management system (ISMS), ISO 27701 extends that framework with additional privacy requirements and controls for managing personally identifiable information (PII). You must therefore either hold ISO 27001 certification already or obtain it in the same audit cycle as ISO 27701. ISO 27001 (the 2013 edition that ISO 27701 was written against) lists 114 security controls in its Annex A; the 2022 revision of ISO 27001 consolidates these into 93. Because ISO 27701 builds on the ISMS, those Annex A controls still have to be addressed, through the Statement of Applicability, as part of an ISO 27701 certification.


ISO 27701 contains 135 controls that refine or extend existing ISO 27001 requirements for privacy, plus 49 new controls that provide PII-specific guidance. These PII-specific controls, which the standard splits between guidance for PII controllers (Annex A) and guidance for PII processors (Annex B), are what make ISO 27701 a privacy framework. They cover processes for obtaining, modifying, and withdrawing consent for PII processing; giving data subjects access to, correction of, or deletion of their PII; informing third parties of changes to PII; providing a copy of the PII being processed; and more.

Various elements of these controls are also applicable to General Data Protection Regulation (GDPR) compliance. Let’s take a closer look at the relationship between ISO 27701 controls and proving GDPR compliance. 

The ISO 27701 standard was designed with GDPR in mind: its Annex D maps each of its controls to the GDPR articles they support. Before this framework, companies could self-assess their GDPR compliance, but there was no widely recognized way to have the result independently confirmed. ISO 27701 certification now gives an organization independently audited evidence of the privacy controls GDPR expects. One caveat: it is not a GDPR certification in the legal sense (GDPR Article 42 certifications are a separate mechanism), so treat it as strong supporting evidence rather than proof of compliance. Because of the close overlap between ISO 27701 controls and GDPR requirements, it is often efficient to pursue both at the same time, saving time and money.

Getting started with ISO 27701 compliance

Strike Graph demystifies the ISO 27701 certification process. Our platform makes it easy to identify security gaps and walks you through every aspect of ISO 27701 to address any missing requirements. And, our preloaded ISO 27701-applicable controls can be quickly matched to each of your identified risks to ensure you pass your audit and get certified fast.
