Stay ahead of the competition with ISO 27701.

ISO/IEC 27701:2019 is one of the many standards published by the International Organization for Standardization (ISO). The organization has developed over 24,090 standards, ranging from environmental to information technology. ISO 27701 is part of the ISO 27000 family of standards, co-owned by ISO and the International Electrotechnical Commission (IEC). Its security techniques are an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.

The new ISO 27701 standard, created for use by anyone responsible for PII in any sort of organization, was designed as the framework for demonstrating GDPR compliance. Prior to ISO 27701, companies could self-assess their adoption of GDPR to claim they were GDPR compliant, but there was no way of knowing for sure. ISO 27701 is an independently assessed certification of a company’s GDPR program. The standard shows you how to design, set up, manage, and continually improve a privacy information management system (PIMS).

ISO 27701 is a privacy add-on to ISO 27001. ISO 27001 is a framework for an organization’s information security management system (ISMS). An ISMS establishes management processes by means of information security controls to address information and data security risks. Its focus on information security risk management and continuous improvement makes it the most widely recognized IT Security certification internationally.

ISO 27701 expands the ISMS and creates a privacy information management system (PIMS).

An information security management system (ISMS) is a management framework of policies and procedures to keep sensitive and confidential information secure. An ISMS establishes a systematic approach to security through policies, procedures, processes, technologies, and systems. This approach is designed to manage information risks such as cyberattacks, data leaks, insider threats, hacks, or theft.

ISMSs accomplish a number of goals:

• Enable organizations to secure information in all its forms and increase their resilience to attacks
• Enable employees and partners to readily understand risks and embrace security controls in their working practices
• Help businesses respond to evolving security threats to the integrity, confidentiality, and availability of the data they handle
• Improve businesses’ cybersecurity cultures through an integrated approach that covers technology, people, and processes

A privacy information management system (PIMS) enables you to meet the highest standards of transparency and responsibility when processing personal information. Privacy information management systems, sometimes referred to as personal information management systems, cover the methods an organization has for collecting, processing, storing, and destroying personally identifiable information (PII. PII is considered any data that can be used to specifically identify a person; it can include an individual’s name, address, birthday, phone number, email address, IP address, etc.

PIMSs have a number of benefits:

• Provide new controller- and processor-specific controls
• Establish a point of convergence between what could be two different functions
• Help organizations overcome the challenges of privacy and security

Since ISO 27701 builds on ISO 27001, you will need to obtain ISO 27001 certification simultaneously with ISO 27701, or have prior ISO 27001 certification with an ANAB/UKAS accredited certification body.

The ISO 27701 audit requires organizations to declare applicable laws and/or regulations in its criteria for the audit. This is so the standard can be mapped to the many requirements of CCPA, GDPR, or other laws. To obtain certification, you need to implement an effective PIMS complying with the requirements of the standard. Once mapped, the ISO 27701 operational controls are implemented by privacy professionals and audited by internal or third-party auditors. If this audit results in comprehensive evidence of conformity, certification is granted.

The ISO 27701 certification is maintained through a program of annual surveillance audits and is valid for three years, at which point your organization will have to undergo a recertification audit. In the meantime, your organization will need to conduct periodic risk assessment reviews as risks and threats evolve, as well as perform internal audit management reviews, taking corrective actions on nonconformities.