audit diaries v3 blog

How We Approached our ISO 27701 Audit And Succeeded First-Time

At the end of 2022, we went through the process of simultaneously attaining certification for ISO 27701, the data privacy standard, and re-certification for ISO 27001, the information security standard. The latter certificate we’ve held successfully for over ten years. And we’re now delighted to share we successfully achieved both certifications with no non-conformities. 

Why did we look to deliver and achieve two of the most challenging standards out there at the same time? We hear you ask! We decided to put our money where our mouth is and use our new platform offering, SPoT. We designed SPoT to make light work of implementing ISO 27001 and ISO 27701 through the seamless combination of an Information Security Management System (ISMS) and Privacy Information Management System (PIMS) into a ‘Single Point of Truth’, or SPoT for short. You can find out more about SPoT in our earlier blog

During the project delivery and audit, our team kept diaries about their experiences and thoughts on establishing the PIMS and re-certifying our ISMS, so we decided to share those experiences with you. We hope you find it helpful and insightful, and if you have questions, please get in touch; we love to chat about all things compliance. 

What is ISO 27701 

Before we get into the lived experiences of building, preparing and auditing an ISMS and PIMS, it’s best to set the scene and break down exactly what ISO 27701 is. 

ISO 27701 is a privacy extension to the ISO 27001 standard, an internationally recognised framework for information security management. The ISO 27701 standard provides guidelines and requirements for implementing and maintaining a Privacy Information Management System (PIMS) within an existing Information Security Management System (ISMS) framework.

Why Should Organisations Look to Implement ISO 27701? 

Though it is relatively new to the scene – it was introduced in August 2019 – it has enjoyed a rapid rise in popularity worldwide, with many organisations choosing to implement the standard in place of geographically regional regulations like GDPR and POPIA that can be largely accommodated within the ISO 27701 controls.  

More simply, the growth rate of digital transformation has resulted in more sensitive information being stored and shared online than ever before. As that volume of data proliferates, it becomes both a lucrative target for cybercriminals and a key concern for consumers and businesses to ensure it’s kept safe. In the same breath, the growth of global regulations, such as GDPR, CCPA and HIPAA, means organisations also have a legal responsibility to protect their customers’ private data. Collectively, there is an evident movement towards a compliance landscape where you can no longer have information security without data privacy.

The benefits of adopting ISO 27701 also extend beyond helping organisations meet regulatory and compliance requirements. These include demonstrating accountability and transparency to stakeholders, improving customer trust and loyalty, reducing the risk of privacy breaches and associated costs, and increasing competitiveness in the global marketplace. 

How We Prepared Effectively For Our ISO 27701 Audit 

Preparation, as with any project, is critical. The majority of what you do as an organisation during this phase will influence the success of your final certification audit. Sam Peters, our DPO, knew this, having spent over ten years preparing for and executing audits for ISO 27001. However, going for a new standard, ISO 27701, and re-certification for ISO 27001 simultaneously was new ground for him and the organisation, the auditor and the certification body. Sam freely admits, ‘this one was nerve-wracking’. 

  • Every Journey Starts With A First Step

The first step for Sam was to agree on a timeline for the project and the budget. For us, it was a 6-month timeline and a tight turnaround, but this also ensured that our leadership team, who instigated the project, were fully involved from the beginning embedding the importance of data privacy compliance right from the very top of the business. It also considered that the organisation still needed to deliver ‘business as usual’ during the project. Establishing an ISMS and PIMS does not need to be a full-time job, especially with the right technology platform supporting your people and processes on the journey. 

  • The Discovery Phase

The next step for us was to bring the new controls for ISO 27701 into our existing ISMS. We weren’t starting from scratch because we were using our product with all the off-the-shelf content within it. It was straightforward to tailor that content to our specific organisation’s needs. One of the significant benefits of working with the ISMS.online platform is that the tools within it get you ahead of the game straight out of the box. 

We then began detailed conversations with all the relevant teams within our business, from HR, Finance, and Marketing to Sales and Sucess, to understand the data we held, how it was moving through the company, and the systems used. Because we already had an ISMS, we had an asset inventory which was a very useful tool to start those conversations with each team. We were also already GDPR compliant, so we had completed a piece of activity to create a record of processing activity (ROPA) which again helped us when talking to all the teams within the business and clarified for us that under ISO 27701, our ROPA would need more detail than we currently had, giving us a clear workstream to focus on straight away. 

The internal conversations helped us identify almost immediately areas where we could make improvements and streamline and simplify processes, such as where we stored data and the systems we used to access and use that data. This also really drove home for us the additional benefits of using frameworks such as ISO 27701, as the process resulted in streamlining workflows, improving our operational efficiency even further. 

  • The Acronym Bit

The updated ROPA from this piece of work enabled us to move on to the data privacy impact assessments (DPIA), where we enacted these against the processes we had put in place. This resulted in some beneficial learnings about how we did these as an organisation, as these are not something people will frequently do. We realised having a templated approach to these so that anyone required to do one could pick up the template and deliver an actionable and valuable DPIA with limited experience was essential to success. This would also democratise who could undertake them and reduce the workload for our broader infosec team members. 

For Sam, this process also drove home the importance of thinking about privacy within a piece of work or project as early as possible. It is far easier to plan with privacy in mind than to come back afterwards and try to change or fix something when information might already be in one system or you might have signed a contract with a supplier. 

The idea of privacy by design is integral for any organisation looking to embed a culture of privacy and compliance with the growing raft of privacy legislation. It is now part of the ISO 27001 and 27701 controls.

  • Power to the People

The work up to this point led us naturally into staff training. The ISO 27701 framework, as with the ISO 27001 framework, is more than just ensuring technical protections. It aims to embed a culture of privacy and security within an organisation. And indeed, if you are going to do the work to create a PIMS, it would be missing a considerable trick not to ensure your employees understand their role in delivering effective data privacy. You are also likely to fail an audit if the auditor calls upon a staff member to participate and they can’t confidently answer questions on the processes you’re putting in place with your PIMS. 

For Sam, making data privacy relevant to staff and their roles was integral to success. It was essential to empower staff to see how they are responsible and impacted by data privacy. Contextualising the organisation’s policies and procedures for managing privacy information and maintaining confidentiality and privacy within specific roles was a piece of work that, whilst time-consuming, improved understanding and execution across the business. This activity then extended to external education, updating our privacy policy and creating specific privacy policies for staff and potential candidates during recruitment. 

  • Tell Us What You Really Think

The penultimate step we took pre-audit was to conduct an internal audit of our PIMS. This process was essential to ensure the PIMS functioned as intended, met the ISO 27701 standard’s requirements and identified areas for further improvements before the certification audit. Our DPO, Sam, asked that the internal auditor be particularly tough on us, and he certainly was. This was an invaluable opportunity to iron out any issues so we could confidently approach the certification audit, knowing that our PIMS met the rigorous requirements and would deliver what the auditor would be looking for. 

Finally, in preparation for the audit, we thought through exactly how we would present our PIMS to the auditor and how we would bring other people from within the business into the audit as needed, ensuring that critical members were available as well as briefing the broader company on what they might expect to be asked to do, ensuring they felt informed and prepared should they be called upon.

What To Expect During An ISO 27701 Audit 

During the audit, the auditor will want to review some key areas of your PIMS, such as:

  1. Your organisation’s policies, procedures, and processes for managing personal data
  2.  Evaluate your privacy risks and appropriate controls to assess if your controls are effective in mitigating the identified risks.
  3. Assess your privacy incident management. Is your ability to detect, report, investigate, and respond to privacy incidents sufficient
  4. Examine your third-party privacy management to ensure adequate controls are in place to manage third-party risks
  5. Check your privacy training program adequately educates your staff on privacy matters
  6. Review your organisation’s performance metrics to confirm if they are meeting the privacy objectives.

 

As well as these consistent areas for review, there are other points to consider, such as how you work with the auditor. They are there to identify compliance, and you are there to show them how you meet those requirements. Therefore leading the conversation and guiding them through the key areas will be helpful to the auditor and allow them to identify the additional routes and activities they want to review. It should be a collaborative process. 

Why ISO 27701 Should Never Be A Tick-Box Process 

Part of the ISMS.online ethos is that simple, sustainable information security and data privacy are achieved through people, processes and technology. A technology-only approach will never be successful. 

Compliance alone does not guarantee effective privacy management. A technology-only approach focuses on meeting the standard’s minimum requirements rather than effectively managing data privacy risks in the long term. Your people and processes, alongside a robust technology setup, will set you ahead of the pack and significantly improve your data privacy effectiveness versus those relying on tech for a fast but temporary solution. 

What could be called a tick-box approach will often:

  • Involve a superficial risk assessment, which may overlook significant privacy risks
  • Ignore key stakeholders’ privacy concerns 
  • Deliver generic privacy training not tailored to the organisation’s specific needs
  • Execute limited monitoring and review of privacy controls, which may result in undetected privacy incidents

All of these open organisations up to potentially damaging breaches, financial penalties and reputational damage. 

ISO 27701 Roadmap – Download Now

We’ve created a practical one-page roadmap, broken down into five key focus areas, for approaching and achieving ISO 27701 in your business. There’s no form to fill in. Download the PDF today for a simple kick-starter on your journey to more effective data privacy. 

Download Now

Unlocking Our ISO 27701 Compliance Advantage First Time

Achieving certification against ISO 27701 and re-certification against ISO 27001 for the first time, with no non-conformities, was a significant moment for us here at ISMS.online. Not only had we achieved an industry first, but we had been successful using our brand-new platform offering, SPoT. 

But it wasn’t all about us in this process. It was about our ‘why’. Why do we do what we do? Simple, secure and sustainable security should be possible for all. That’s why. So, what better way to show anyone out there wanting to achieve more effective data privacy and information security that it’s possible than through action? We’ve lived the process and want to share those experiences, learnings and tools with others.

We could go into the many ways SPoT provided us with all the materials and tools we needed to be successful, from its 81% head start, the ‘Assured Results Method’, the catalogue of documentation that can be adopted, adapted or added to or our virtual coach always-on support, but instead we invite you to see for yourself and realise the benefits first-hand -request a call with one of our experts today.

Speak To An Expert

Explore ISMS.online's platform with a self-guided tour - Start Now