As one of the first compliance software companies to offer the ISO 27701 framework after having offered ISO 27001 for a few years, we thought we’d dig into what really sets these two standards apart and what the certification process looks like for each.
In this post, we’ll take a look at:
- A brief rundown of ISO 27001
- A summary of the ISO 27701 framework
- The similarities and differences between the two
Let’s get to it!
ISO 27001: A Recap
ISO 27001 is a framework for an organization’s Information Security Management System (ISMS), which is a management framework of policies and procedures to keep confidential and sensitive information secure. It establishes management processes to address information and data security risks through technologies, policies, procedures, systems, and processes.
Organizations that adopt the ISO 27001 framework may choose to become certified or simply maintain their ISMS in a compliant state. Companies that want the certification, or are required to have it, must treat information security as a critical business process by ensuring their ISMSs meet all procedures and ISO 27001 controls, conducting periodic risk assessment reviews, investing in training programs, and more.
ISO 27001 certification is valid for three years, after which the organization will need a surveillance audit and recertification.
ISO 27701: A Quick Run-Through
As we mentioned in a recent post, ISO 27701 is a privacy add-on to ISO 27001. Whereas ISO 27001 establishes a framework for an organization’s ISMS, ISO 27701 expands the ISMS and creates a Privacy Information Management System (PIMS). In short, this standard covers the methods an organization has for collecting, processing, storing, and destroying Personally Identifiable Information (PII) by showing you how to design, set up, manage, and continually improve a PIMS.
ISO 27701 was designed as the framework for demonstrating GDPR compliance. Prior to ISO 27701, companies could self-assess their adoption of GDPR to claim they were compliant, but there was no way of knowing for sure. ISO 27701 is an independently assessed certification of a company's GDPR program.
To obtain ISO 27701 certification, you need to implement an effective PIMS that complies with the standard's requirements. First, you'll need to complete an audit, which requires organizations to declare the applicable laws and/or regulations in their audit criteria so that the standard can be mapped to the requirements of CCPA, GDPR, or other laws. Operational controls can then be implemented by privacy professionals and audited by internal or third-party auditors. If the audit results in comprehensive evidence of conformity, certification is granted.
How ISO 27001 and 27701 Relate
The first certification for privacy, ISO 27701 is an amendment to and extension of ISO 27001. It broadens the meaning of "information security" given in ISO 27001, extending the scope to include the "protection of privacy as potentially affected by the processing of PII".
ISO 27701 represents the first way an organization can actually become certified by a third party in privacy controls, rather than simply compliant with standards and regulations. However, since ISO 27701 builds on ISO 27001, your organization will need to obtain ISO 27001 certification simultaneously with ISO 27701, or already hold ISO 27001 certification from an ANAB- or UKAS-accredited certification body.
Thankfully, because ISO 27701 only exists in tandem with ISO 27001, the standard doesn’t add significantly to the auditing process. This means if you already have ISO 27001 in place, you can simply integrate ISO 27701 into your existing ISO audit and assessment. And for those starting from scratch, ISO 27701 can be worked into the overall process of creating an ISMS, collecting the necessary evidence, and assigning responsibilities to key personnel.
Ready to learn more about how Strike Graph can help you get your ISO 27001 and 27701 certification quickly and painlessly? Request a demo today.