ISO 27701 shows you how to build a Privacy Information Management System (PIMS) to comply with any privacy regulation, including the EU’s GDPR and South Africa’s POPIA. Our simplified, secure, sustainable platform helps you follow the standard’s structured approach.
ISO 27701 and BS 10012 can both help you comply with GDPR and other privacy regulations by creating a PIMS. But there are important differences between them.
ISO 27701 could be a better option if:
The rest of this page explains how to achieve ISO 27701.
BS 10012 could be a better option if:
To find out how to achieve it, visit our Achieve BS 10012 page.
Our ISO 27701 solution is a pre-configured PIMS. It’ll make sure that your privacy work aligns with and meets the needs of each section of the standard. And because it’s regulation-agnostic, you can map it onto whichever regulation or regulations you need to.
Your PIMS will follow ISO 27701 and help you achieve GDPR compliance by:
You’ll start the PIMS development process by understanding the context your PIMS will work in. You’ll define whether your organisation’s a PII controller, PII processor or both. And you’ll make sure you’re aware of:
Then you’ll make sure you understand and take into account the needs and expectations of anyone with an interest in how you process PII. That can be a long list, including everyone from your customers and suppliers to regulators and trade bodies.
Once you’ve worked through all that, you’ll be able to scope out your PIMS. If you’re extending your existing ISMS to also address PIMS requirements you might need to rethink your ISMS’ scope too. And if you’re implementing both at the same time, then you’ll make sure they’ll work together.
Your whole organisation needs to understand and comply with your PIMS. To achieve that, you’ll need to have your senior leadership fully on board. ISO 27701 points you back to ISO 27001 for guidance. If you’ve already created an ISO 27001 ISMS, it’ll be a familiar process.
Your senior leaders will also set your broader privacy policies. Those policies should:
And of course you’ll need to document them, and make sure anyone who needs to understand them can quickly and easily access them.
Finally, your top managers will need to appoint the people who’ll be responsible for your PIMS. Those people will keep it in line with the standard and report back on its status, progress and achievements as and when needed.
Once you’ve understood the context you’re working in and have senior management completely behind you, you can start planning your PIMS. Here too ISO 27701 sends you back to ISO 27001 for guidance, but it adds in some privacy-specific refinements of its own.
You’ll need to:
Again, if you’ve already created an ISO 27001-based ISMS it’ll be a very familiar process. And if you’re developing a PIMS and an ISMS together you’ll probably be able to merge your workstreams.
Here too ISO 27001 and ISO 27701 are very closely allied. ISO 27701 asks you to follow ISO 27001’s support guidance.
An unexamined PIMS is not worth having. You’ll need to be clear how you’ll monitor, measure, analyse and evaluate your PIMS to make sure it’s achieving everything it should. The standard refers you to ISO 27001 for guidance on how to do that.
It specifies that you should carry out regular internal audits and management reviews. Both should happen at planned intervals, and follow rigorously documented processes. You’ll also need a clear plan for responding to non-conformities and taking corrective actions.
You’ll evaluate your ISO 27701-based PIMS and ISO 27001-based ISMS in very similar ways. As ever, if you already have an ISO 27001 ISMS you’ll find the whole process very familiar.
You’ll follow ISO 27001-based processes for evolving and improving your PIMS. That means you’ll swiftly and effectively react to any non-conformities. And you’ll document both the non-conformities themselves and the actions you took to fix them.
You’ll also look to continuously improve your PIMS. That’s a very important point to remember. A PIMS isn’t a fire-and-forget set of documents that – once created – can be left mouldering on a hard drive somewhere.
It’s a dynamic protective system that will evolve with any changes to your organisation and the environment it works in. So you’ll need to make sure you’re taking continuous steps to boost the suitability, adequacy and effectiveness of your PIMS.