Achieving regulatory compliance with ISO 27701

Creating an ISO 27701-based PIMS to achieve privacy regulation compliance

Our ISO 27701 solution is a pre-configured PIMS. It’ll make sure that your privacy work aligns with and meets the needs of each section of the standard. And because it’s regulation agnostic, you can map it onto any regulation or regulations you need to.

Your PIMS will follow ISO 27701 and help you achieve GDPR compliance by:

Responding to the big picture

You’ll start the PIMS development process by understanding the context your PIMS will work in. You’ll define whether your organisation’s a PII controller, PII processor or both. And you’ll make sure you’re aware of:

• Legal factors, like privacy legislation, regulations or judicial decisions
• Organisational factors, like its context, governance, policies and procedures
• Practical factors, like any administrative decisions and contractual requirements

Then you’ll make sure you understand and take into account the needs and expectations of anyone with an interest in how you process PII. That can be a long list, including everyone from your customers and suppliers to regulators and trade bodies.

Once you’ve worked through all that, you’ll be able to scope out your PIMS. If you’re extending your existing ISMS to also address PIMS requirements you might need to rethink your ISMS’ scope too. And if you’re implementing both at the same time, then you’ll make sure they’ll work together.

Getting your leadership on board

Your whole organisation needs to understand and comply with your PIMS. To achieve that, you’ll need to have your senior leadership fully on board. ISO 27701 points you back to ISO 27001 for guidance. If you’ve already created an ISO 27001 ISMS, it’ll be a familiar process.

• You’ll need to make sure your top management shows leadership of and commitment to your PIMS by: Setting clear privacy goals, making sure your PIMS achieves them, allocating resources to create and maintain it, integrating it with broader organisational processes and helping it continually improve

They’ll also set your broader privacy policies. They should:

• Support and contribute to your organisation’s broader strategy and purpose, set clear privacy objectives or describe how to create them and include a commitment to both meeting its privacy needs and continually improving your PIMS

And of course you’ll need to document them, and make sure anyone who needs to understand them can quickly and easily access them.

Finally, your top managers will need to appoint the people who’ll be responsible for and in charge of your PIMS. They’ll keep it in line with the standard and report back on its status, progress and achievements as and when needed.

Being carefully planned

Once you’ve understood the context you’re working in and have senior management completely behind you, you can start planning your PIMS. Here too ISO 27701 sends you back to ISO 27001 for guidance, but it adds in some privacy-specific refinements of its own.

You’ll need to:

• Assess the risks your PII faces, set out clear policies and controls for dealing with some or all of those risks and justify why you’ve chosen to ignore any of them
• Document your policies, controls and any decisions about them in an easy to access, read way, and make sure any updates are accurate and timely

Again, if you’ve already created an ISO 27001-based ISMS it’ll be a very familiar process. And if you’re developing a PIMS and an ISMS together you’ll probably be able to merge your workstreams.

Having all the support it needs

Here too ISO 27001 and ISO 27701 are very closely allied. ISO 27701 asks you to follow ISO 27001’s support guidance.

• You should make sure you’ve got all the resources you need to set up, implement, maintain and continually evolve your PIMS available when you need them
• The people working on your PIMS should have all the competencies their roles demand – if they don’t, you should set up training or education for them
• You’ll need to make sure that everyone affected by your PIMS understands why it’s so important, what it protects and how to comply with it
• You’ll have to fully document your PIMS (exactly what that means depends on your organisation’s size and type), and plan how you’ll update your documentation

Undergoing regular evaluation

An unexamined PIMS is not worth having. You’ll need to be clear how you’ll monitor, measure, analyse and evaluate your PIMS to make sure it’s achieving everything it should. The standard refers you to ISO 27001 for guidance on how to do that.

It specifies that you should carry out regular internal audits and management reviews. Both should happen at planned intervals, and follow rigorously documented processes. You’ll also need a clear plan for responding to non-conformities and taking corrective actions.

You’ll evaluate your ISO 27701-based PIMS and ISO 27001-based ISMS in very similar ways. As ever, if you already have an ISO 27001 ISMS you’ll find the whole process very familiar.

Constantly evolving and improving

You’ll follow ISO 27001-based processes for evolving and improving your PIMS. That means you’ll swiftly and effectively react to any non-conformities. And you’ll document both the non-conformities themselves and the actions you took to fix them.

You’ll also look to continuously improve your PIMS. That’s a very important point to remember. A PIMS isn’t a fire-and-forget set of documents that – once created – can be left mouldering on a hard drive somewhere.

It’s a dynamic protective system that will evolve with any changes to your organisation and the environment it works in. So you’ll need to make sure you’re taking continuous steps to boost the suitability, adequacy and effectiveness of your PIMS.