ISO/IEC 27701 - International standard for privacy information management
Protection of privacy is increasingly a societal need in a world becoming more and more connected. New privacy regulations, such as the European Union General Data Protection Regulation (GDPR), introduced by governments require companies to respond. ISO standards, such as ISO/IEC 27701, will help your business meet requirements and manage privacy risks related to personally identifiable information (PII).
The need for trust and accountability for personal information is growing in the minds of customers, consumers and other stakeholders alike. But the risk is broader than regulatory compliance. Companies must have the right competence, processes and systems in place. With the number of complaints and fines related to privacy and data protection on the rise, there seems to be a growing need for guidance.
Building on the ISO/IEC 27001 requirements, ISO/IEC 27701 provides requirements and helps companies manage privacy risks related to personally identifiable information (PII). It can also help companies comply with GDPR as well as other data protection regulations. The two standards can be certified in combination.
What is ISO/IEC 27701?
ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.
ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII). It covers how organizations should manage personal information and assists in demonstrating compliance with privacy regulations that may apply.
If you have implemented ISO/IEC 27001, ISO/IEC 27701 extends your security efforts to cover privacy management. This includes processing of PII to demonstrate compliance with data protection regulations such as GDPR.
For organizations without an existing information security management system compliant with ISO/IEC 27001, it is possible to implement the two standards (ISO/IEC 27001 and ISO/IEC 27701) in a single project.
Who should implement ISO/IEC 27701?
ISO/IEC 27701 provides guidance to any organization responsible for PII (personally identifiable information) processing within an information security management system. Organizations of all sizes and types, including public and private companies as well as governmental entities and other types of organization, can benefit. Providing a risk-based approach, it helps organizations address specific privacy risks faced as well as risks to personal data and privacy.
Why is ISO/IEC 27701 good for my business?
There are several benefits to a privacy information management systems (PIMS):
- Builds trust in your company’s ability to manage personal information, both for customers and employees.
- Supports in compliance with GDPR and other applicable privacy regulations.
- Clarifies the roles and responsibilities within your organization.
- Improves internal competence and processes to avoid breaches.
- Provides transparency on established controls for the management of privacy.
- Facilitates agreements with business partners where the processing of PII is mutually relevant.
- Integrates easily with the leading information security standard ISO/IEC 27001.
How can ISO/IEC 27701 be used to comply with GDPR?
Implementing a management system compliant with ISO/IEC 27701 and ISO/IEC 27001 will enable your company to meet the privacy and information security requirements set forth in GDPR as well as other data protection regulations. GDPR requires organizations to adopt appropriate technical and organizational measures (incl. policies, procedures and processes) to protect the personal data they process (According to article 5(2)).
ISO/IEC 27001, the international standard for an ISMS (information security management system), provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach.
ISO/IEC 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system) based on the requirements, control objectives and controls in ISO 27001, and extended by a set of privacy-specific requirements, control objectives and controls. An annex cross-references GDPR and ISO/IEC 27701. However, the standard is not GDPR-specific.
Both standards help compliant companies meet and demonstrate compliance with GDPR’s privacy and information security requirements.
While ISO/IEC 27701 does not currently address the certification-mechanism outlined by GDPR in article 42, you can get accredited certification to ISO/IEC 27701 combined with ISO/IEC 27001 by an independent third party such as DNV.
How can I prepare for certification?
Whether you are looking to implement ISO/IEC 27701 as an extension to your current ISO/IEC 27001 compliant information security management system or just getting started, we can support you with:
- GAP-analysis to check your preparedness for certification
- Training courses for ISO/IEC 27001
- Certification of your management system to ISO/IEC 27001 and ISO/IEC 27701
In addition, we can support your needs for training related to the standards and GDPR (European Union General Data Protection Regulation).
To become certified, you must first implement an effective management system that complies with the requirements of the standards. It is important that you and your company are committed and set clear targets for implementation and assessment. Before certification, it is recommended that your company performs internal audits to identify potential gaps. One of the most important things to remember is that development, implementation and certification of a management system is a continuous journey, the certification audit representing one element of a continuous improvement process.