ISO 27701 – The Standard for Privacy Information Management

What is ISO 27701?

In the wake of the EU’s General Data Protection Regulation (GDPR), South Africa’s POPIA, Brazil’s LGPD, the Australia Privacy Principles, many similar privacy laws and regulations being drafted around the world; there has been a growing need for a code of conduct, or standard, to demonstrate privacy data compliance and certification. ISO 27701 seeks to provide a truly international approach to privacy protection as a component of information security.

ISO 27701 was developed to provide a standard for data privacy controls, which, when coupled with an ISMS, allows an organisation to demonstrate effective privacy data management. It establishes the parameters for a PIMS in terms of privacy protection and processing personally identifiable information (PII).

ISO 27701 is an impressive way of demonstrating to consumers, external organisations and internal stakeholders, that mechanisms are in place to keep data safe and to comply with GDPR and other privacy laws.

The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard’s operational checklists, with records then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard. ISO 27701 helps companies to maintain an effective privacy and information security system and reduce privacy risks.

What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organisation is already acquainted with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward. ISO 27701 is also based on other standards, like ISO 27002 and ISO 29100. ISO 27701 adds a data privacy layer to previous information security standards. If you are ticking the boxes for other standards you may be ticking some of the boxes for ISO 27701 already.

Important points to remember about ISO 27001 and PIMS:

• PIMS provides new controller- and processor-specific controls that help organisations overcome the challenges of privacy and security by establishing a point of convergence between what could be two different functions.
• Security is important for privacy. ISO 22701 PIMS relies on ISO 27001 for security management. IS0 27701 certification is only available as an add-on to ISO 27001 certification and cannot be obtained as a standalone certificate.

ISO 27701 compliance challenges

Under the guidelines of the GDPR, organisations are expected to keep all personally identifiable information safe from theft, loss, and damage.

Changes to UK law since May 2018 now mean that organisations must put in place an HR data-hand handling policy, with the capability to show that non-relevant personal data is being deleted appropriately. ISO 27701 helps organisations address these three important compliance challenges:

Too many regulatory requirements to juggle

Using ISO 27701 as a unified system of data privacy operational control removes the need to focus on multiple regulations. As an international standard, ISO 27701 is designed to meet the requirements of data protection and GDPR, and to be flexible enough to be adapted to specific industry requirements. This enables companies to work within a single framework in meeting multiple regulatory requirements.

Too costly to audit regulation-by-regulation

Internal and external auditors use ISO 27701 to determine regulatory compliance in one single audit cycle. This saves the organisation money compared to following a disjointed regulation-by-regulation audit process.

Promises of compliance without proof is potentially risky

It is not enough for companies to follow best practice data privacy processes; they must also be able to prove compliance with laws and regulations. That means having a robust, integrated process for documentation. Businesses with complex processes may have multiple types of data controller and data processor, cloud providers and partner vendors. Inability to prove compliance with laws or regulations in any part of the supply chain could expose the business to financial and reputational risk.

Benefits of ISO 27701

Demonstrate next-level data protection with ISO 27701

The ISO 27701 standard is one of the ways to show that you are complying with all appropriate data protection, confidentiality and privacy security requirements.

Build trust when managing personal information

When it comes to handling personal information, you need to have a way of ensuring that your organisation is doing everything possible to ensure that information is handled correctly and in compliance with the law. ISO 27701 gives you the standard necessary to build trust when managing data. Suppliers, consumers and partners can have confidence in your policies, procedures and protocols when you work to an international standard like ISO 27701.

Integrates with the leading information security standards

ISO 27701 integrates with the leading information security standards. This enables seamless development and updating of policies and procedures across differing standards, and the sure knowledge that you won’t compromise your compliance with other standards by adopting ISO 27701 standards.

Supports compliance with other privacy regulations

ISO 27701 is the ‘industry standard’ to comply with new data protection legislation. Even though ISO 27701 aligns with the principles of GDPR, it also allows organisations to document compliance with other privacy laws, regulations, standards, and requirements.

Flexible enough to accommodate jurisdictional specifics

The ISO 27701 standard was developed to provide standards for working with personally identifiable information so you can meet different privacy laws. If your company operates outside the EU and you want to follow the equivalent territory specific guidelines equivalent to GDPR, you can bring those jurisdictional specifics into ISO 27701.

Provides transparency between stakeholders

ISO 27701 sets the standard for how privacy data is managed. The standard makes processes transparent for all stakeholders, engendering trust and mutual respect.

Facilitates effective business agreements

When companies are committed to working to the same high privacy data standards there it is easier to make agreements and to work together. ISO 27701 engenders trust and ensures that all stakeholders are on the same page when considering system integration and shared business processes.

ISO 27701 vs ISO 27001 – what are the differences?

ISO 27701 and ISO 27001 are two standards that are often used interchangeably by non-information security professionals when referring to information security.

Both ISO 27001 and ISO 27701 standards are IT security management standards. The difference between the two standards is that ISO 27001 focuses on the gap between risk management and security controls whereas ISO 27701 is a standard geared towards meeting privacy regulations and laws like GDPR and the Data Protection Act. ISO 27701 is focused on privacy data risks.

How do ISO 27001 and ISO 27701 integrate with each other?

ISO 27701 is an extension of ISO 27001. It’s one of the risk management standards, but it ensures that the business complies with GDPR and other relevant PII regulations. Before you can benefit from ISO 27701’s security benefits, you must first implement ISO 27001.

How Does ISO 27701 Relate To GDPR?

Organisations must secure and ensure the integrity of all sensitive data they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, neither the GDPR nor the DPA provide clarification on the actions companies must take to ensure data privacy. This is where ISO 27701 comes in. ISO 27701 provides the requirements and guidelines for a best-practice process for running a privacy information management system (PIMS) with effective data security and privacy capabilities.

How do ISO 27001 and GDPR integrate with each other?

ISO 27001 is the international best practice standard for an information security management system (ISMS) adopted by many countries around the world. More than 35 countries have signed up to implement GDPR. ISO 27701 can help with compliance with GDPR.

Getting started with ISO 27701

If you own a business that processes personal data, then you need to understand how the new ISO 27701 standard applies to you. Understanding the basics of ISO 27701 can be a challenge. This is especially true if you’re used to working to different standards.

Implementing ISO 27701

As with most official standards, ISO 27701 can be a little tricky to get your head around. ISMS.online helps you by providing a cloud-based solution to document compliance with the requirements of ISO 27701.
Implementing ISO 27701 will give you a solid framework for compliance with laws and regulations, from the GDPR regulations to HIPAA level protection.

Demonstrating Good Practice

Implementing ISO 27701 is about demonstrating ‘good practice’ for personal information management. ISO 27701 has become an integral part of the data management framework for businesses in many sectors. This important standard is a shift from the ISO 27001 information security technical and asset emphasis to a more risk-based business focus.

Plan, Do, Check, Act

Plan, Do, Check, Act (PDCA) is a continuous improvement cycle that many progressive companies use, and is a vital element in the implementation of ISO 27701. Others may use different names for the phases — but the key idea is the same: Plan what should be done; do the best job you can on implementation and execution of that task; check the results against your plan; and when the necessary plan changes act to improve performance.

Requirements of ISO 27701

The requirements to achieve ISO/IEC 27701 compliance include:

• Design, build and implement a Personal Information System for your organisation.
• Follow the ISO 27701 guidelines when designing and implementing the PIMS.
• The PIMs should define strict systems and tactical controls for managing personally identifiable information, including how this information is obtained, used, shared and deleted.
• Define strict user roles and strong passwords for all stakeholders processing and controlling privacy data.

ISO 27701 certification requires that you have ISO 27001 certification. Your Personal Information Management System builds upon your Information Security Management System (ISMS). You can get certified to ISO 27701 at the same time as doing ISO 27001. Doing both concurrently is normally easier, less resource intensive and cheaper than doing them in series.

Structure

ISO 27701 is divided into clauses, just like other ISO standards, with Clauses 5–8 detailing the additional requirements and updates that must be added to ISO 27001:

• Clause 5 outlines the PIMS requirements for ISO/IEC 27001 compliance.
• Clause 6 outlines the PIMS guidance for ISO/IEC 27002.
• Clause 7 outlines PIMS guidance for PII Controllers.
• Clause 8 of the PIMS provides guidance for PII Processors.

The following Annexes are also included in the standard:

• PIMS-specific reference control goals and controls are mentioned in Annex A. (PII Controllers)
• PIMS-specific reference management goals and controls are mentioned in Annex B. (PII Processors)
• Mapping of Annex C to ISO/IEC 29100
• Mapping to the General Data Protection Regulation (GDPR) in Annex D (GDPR).
• Annex E to ISO/IEC 27018 and ISO/IEC 29151 Mapping
• Appendix F What is the relationship between ISO/IEC 27701 and ISO/IEC 27001 and ISO/IEC 27002?

It’s important, however, that you learn all of the policies, procedures, and controls in place and that they’re followed consistently throughout your organisation.

ISO 27701 Implementation

Implementing ISO/IEC 27701 is a robust way to start a privacy information management system within any company. Many companies choose to pursue ISO 27701 alongside ISO 27001. This can reduce cost and the overall time and effort involved in achieving both standards.

Here at ISMS.online, we provide cloud-based solutions that your organisation can use to document compliance with ISO 27001 and then ISO 27701. We take the uncertainty and guesswork out of the process by providing a framework for compliance with ISO standards.

Who should implement ISO 27701?

ISO 27701 offers an international standard for any organisation handling privacy data. Any company that holds personally identifiable information, irrespective of size and type, may benefit from ISO 27701 implementation. ISO 27701 helps to mitigate the financial and regulatory risks associated with privacy data breaches. ISO 27701 is for private, public companies and even government agencies that need to take a risk-based approach to holding and processing personal information.

What roles are involved in implementing ISO 27701?

Given the scope and the scale of the ISO 27701 standard, it comes as no surprise that different roles are involved in implementing the standard. These roles typically include:

• The Lead Implementer/ Project Manager
• Chief Privacy Officer / Data Protection Officer
• Privacy Manager/Data Protection Manager
• Internal Auditor
• External Auditor
• Privacy Analyst- for taking functional requirements and converting to technical implementation
• Database and Software Professionals

Compliance vs certification

ISO 27701 compliance and certification can be confusing, as at face value they appear to mean the same thing.

ISO 27701 compliance means that your organisation has put in place the controls needed to satisfy the requirements of ISO 27701; a set of best practices for privacy information management. Compliance with standards is important.

An ISO 27701 certificate is the document that confirms a particular organisation has gone through the processes and documented everything necessary to become ISO 27701 compliant.

Certification means you have demonstrated compliance.

Is ISO 27701 certification right for me?

If your company deals with personally identifiable information, you may need to look into ISO 27701 certification. ISO 27701 certification will make you stand out compared to companies that are not certified.

Additionally, in the event of a data breach, the Information Commissioner’s Office (ICO) in the United Kingdom has stated that organisations that implement certification or have a comprehensive system in place to handle their data security may be seen more favourably by regulators.

ISO 27701 Certification process

The process of implementing ISO 27701 is relatively easy for organisations that already have ISO 27001 certifications.

The ISO 27701 certification can be obtained in three steps:

You must first engage a qualified certification body that will conduct an audit of your organisation.

After you’ve agreed on a proposal, an assessor will give your organisation a detailed audit. The assessor must make a compulsory visit during the initial certification audit. They’ll look to see if you’ve put in place a completely functional personal information management system.

Once the assessor has completed the audit, the certification body will decide whether your organisation has met the criteria. If the outcome is positive, they will give you a certificate stating that your company complies with the standard’s specifications. The certification is valid for the next three years, or until your ISO 27001 certificate expires, whichever comes first.

If your company does not have ISO 27001 certification yet, you’ll need to have it first, or to pursue ISO 27001 and ISO 27701 certifications at the same time.

Maintaining ISO 27701 certification

Maintaining ISO 27701 certification need not be a daunting prospect, as long as the initial ISO 27701 implementation was completed correctly. However, to keep your ISO 27701 valid, you must perform periodic surveillance audits in combination with your ISO 27001 audit, and then a complete reassessment before certification renewal.

The best way to maintain ISO 27701 certification is to manage your systems in such a way that you are able to keep doing continuous improvements. Continual improvement is the ongoing effort taken by your organisation to improve how it handles personally identifiable information, identifying emerging risks to compliance, and taking systemic actions to remedy them.

The simplest way to ISO 27701

ISMS.online makes personal information management easy through a great cloud-based solution to support ISO 27701 compliance in your organisation. On top of this we have information security experts and resources available to guide you through the ISO 27701 accreditation process.

Frameworks for ISO 27701

It can be hard to know where to start with ISO 27701, especially if you’ve never had to do anything like this before. This is where ISMS.online comes in. Our ISO 27701 solutions provide frameworks that allow your organisation to demonstrate compliance with ISO 27701. Our Information Security experts can work with you to ensure that you develop a logical implementation process that aligns with the online documentation framework.

Supply chain management tools

At ISMS.online we can incorporate supply chain information security management into your ISMS. Quick and practical performance metrics can also be used to monitor the progress of your suppliers and other third-party partnerships. Use ISMS.online Clusters to get the whole supply chain together in one location for clarity, insight, and control.

Highly efficient project oversight and collaboration

Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard. Our online system also ensures that system implementers have a single place for reference and collaboration. Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.

Help and support engaging your people

ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data. At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey. We also provide video resources and access to information security professionals to help you integrate standards into your company.