ISO/IEC 27701 is a privacy add-on to ISO 27001 that will help you manage Personally Identifiable Information (PII) within your organization. It can assist in privacy compliance with laws such as the California Consumer Privacy Act (CCPA) and European Union General Data Protection Regulation (GDPR).
Because it’s so new, very few organizations have adopted ISO 27701, meaning certification will help you get—and stay—ahead of the privacy compliance curve.
Certification won’t only help your organization better align and comply with GDPR, but will also allow you to use the standard to encompass other applicable privacy and data protection regulations, such as CCPA.
Build trust in your company’s ability to manage personal information for employees, customers, suppliers and other interested parties by demonstrating a commitment to information security.
Protect and maintain the integrity of consumers’ and other interested parties’ personal information. Your organization will be able to conduct its activities with the confidence and knowledge that your systems can help manage data privacy risks.
Where the processing of PII is mutually relevant with business partners, certification will make it easier to demonstrate compliance, respond to security questionnaires, and assure organizations and individuals that their data is protected. This extra assurance for potential customers may also enable you to win more bids.
Certification will demonstrate that your organization is putting data protection at the heart of your business. Not only is it recognized internationally, but it is also accepted throughout industry supply chains and sets industry benchmarks for sourcing suppliers.
Learn everything you need to know about ISO 27701, including all the benefits of certification, the ins and outs of the framework, how it relates to ISO 27001, how your organization can become and stay certified, and more.
ISO/IEC 27701 will help you manage Personally Identifiable Information (PII) within your organization. This new standard, created for use by anyone responsible for PII in any sort of organization, was designed as the framework for demonstrating GDPR compliance. Prior to ISO 27701, companies could self-assess their adoption of GDPR to claim they were GDPR compliant, but there was no way of knowing for sure. ISO 27701 is an independently assessed certification of a company’s GDPR program. The standard shows you how to design, set up, manage, and continually improve a Privacy Information Management System (PIMS).
ISO 27701 provides personal data protection for companies that hold enterprise customer data internationally, especially in the EU. This certification won’t only ensure you’re GDPR and CCPA compliant; because it’s so new, very few organizations have adopted it, meaning certification will help you get, and stay, ahead of the privacy compliance curve.
ISO/IEC 27701:2019 is one of the many standards published by the International Organization for Standardization (ISO). The organization has developed over 24,090 standards, ranging from environmental to information technology. ISO 27701 is part of the ISO 27000 family of standards, co-owned by ISO and the International Electrotechnical Commission (IEC). Its security techniques are an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.
ISO 27001 is a framework for an organization’s Information Security Management System (ISMS). An ISMS establishes management processes by means of information security controls to address information and data security risks. Its focus on information security risk management and continuous improvement makes it the most widely recognized IT Security certification internationally. ISO 27701 expands the ISMS and creates a privacy information management system (PIMS).
An Information Security Management System (ISMS) is a management framework of policies and procedures to keep sensitive and confidential information secure. An ISMS establishes a systematic approach to security through policies, procedures, processes, technologies, and systems. This approach is designed to manage information risks such as cyberattacks, data leaks, insider threats, hacks, or theft. An ISMS:
A privacy information management system (PIMS) enables you to meet the highest standards of transparency and responsibility when processing personal information. Privacy information management systems, sometimes referred to as personal information management systems, cover the methods an organization has for collecting, processing, storing, and destroying personally identifiable information, or PII. PII is considered any data that can be used to specifically identify a person; it can include an individual’s name, address, birthday, phone number, email address, IP address, etc. A PIMS:
The ISO 27701 audit requires organizations to declare the applicable laws and/or regulations in their criteria for the audit. This is so the standard can be mapped to the many requirements of CCPA, GDPR, or other laws. To obtain certification, you need to implement an effective PIMS that complies with the requirements of the standard. Once mapped, the ISO 27701 operational controls are implemented by privacy professionals and audited by internal or third-party auditors. If this audit results in comprehensive evidence of conformity, certification is granted. The cost of an ISO 27701 certification will depend on various factors, such as the size and complexity of your organization, training, number of employees, sites, technologies to be implemented and updated, external expertise, and the certification audit itself.
The ISO 27701 certification is maintained through a program of annual surveillance audits and is valid for three years, at which point your organization will have to undergo a recertification audit. In the meantime, your organization will need to conduct periodic risk assessment reviews as risks and threats evolve, as well as perform internal audit management reviews, taking corrective actions on nonconformities.