Understanding ISO 27701: Privacy Information Management System (PIMS)

What’s the history of ISO/IEC 27701?

ISO 27001 is the most popular security standard in the world, but it has some gaps. In particular, it doesn’t tell you how to set up Personally Identifiable Information (PII) security measures. The EU’s General Data Protection Regulation (GDPR) brought ISO 27001’s lack of clear PII guidance into focus. GDPR asks for PII security measures, but it doesn’t give any implementation guidance or requirements.

So work began on the standard that would become ISO 27701. The new PII management standard was first developed as ISO/IEC 27522. Technical work on ISO 27522 ended in 2019, leading to the publication of the new standard on 6th August 2019. It’s an extension to ISO/IEC 27001. Before publication, ISO/IEC 27522 became ISO/IEC 27701. That’s because any standard describing how to create a management system should end with 01.

Introducing privacy information management

Most organisations need to hold and process information about some or all of their:

• Customers
• Employees
• Suppliers
• Other stakeholders

Those people rely on data-gathering organisations to keep that information private. The risk of and potential damage from a privacy information, or Personally Identifiable Information (PII), breach is increasing fast. Issues can include:

• Fines of up to €20 million (under the EU’s GDPR regulations)
• Substantial brand and reputational damage
• Personal privacy issues for any compromised individuals

So, more and more organisations are creating privacy information management systems (or PIMS). An effective, ISO 27701 compliant or certified PIMS has many potential benefits. It can:

• Ease the compliance burden by making privacy information security easy to manage and possibly meeting several regulatory needs at once
• Boost management, regulator and other stakeholder confidence by creating transparent, easy-to-demonstrate security measures
• Quickly, easily meet and even exceed the privacy needs of your customers and other commercial partners
• Set clear conditions for sharing and monetising the valuable data your organisation’s built up
• Send a strong, brand-building signal that your organisation takes security very seriously indeed

To increase security, you can pseudonymise or anonymise your PII. The GDPR definitions of those two ways of managing your personal data are:

• To pseudonymise personal data you need to process it “in such a way that the data can no longer be attributed to a specific data subject without the use of additional information” (GDPR Article 3)
• To anonymise personal data you need to make sure that you process it “in such a way that the data subject is not or no longer identifiable” (GDPR Recital 26) under any circumstances

Pseudonymised data can still be subject to PII regulations and requirements. Most regulatory regimes probably won’t apply to anonymised data.

The difference between pseudonymised and anonymised data can be quite subtle and complex. It can vary in different jurisdictions. You’ll need to check carefully to make sure you’re applying all relevant regulations to your PII.

Oh, and if you hold information on someone who has (very sadly) died, then it probably won’t be PII. Information about the deceased isn’t generally classed as personal. Details of companies, public authorities or other organisations probably aren’t PII either.

What’s a PIMS?

A PIMS is a Personal Information Management System. It combines:

• clearly-defined and widely-understood policies and procedures
• effective privacy management technology
• well-trained people

to protect the Personally Identifiable Information (PII) your organisation holds and uses. An effective PIMS will reassure your organisation’s:

• employees
• customers
• contacts
• other stakeholders
• that you’re managing their personal information in a secure and responsible way.

Your PIMS will help you store and share PII, both internally and externally. The right PIMS will also make it easy for people to update and correct any data you hold on them.

Getting ISO 27701 certified

Who can implement ISO 27701?

To implement ISO 27701, your organisation needs to:

1.   Process and / or manage Personally Identifiable Information (PII)

2.   Have an ISO 27001-certified information security management system (ISMS)

It doesn’t matter what type or size of organisation you are. ISO 27701’s requirements flex to cover all all types and sizes of organizations. That includes (but isn’t limited to):

1.   Public and private companies

2.   Government entities

3.   Not-for-profit organizations

What do you need to get ISO/IEC 27701:2019 certified?

ISO/IEC 27701:2019 is so new that it doesn’t have any accredited certification bodies. So, at time of writing, you can’t actually get ISO 27701 certified.<.p>

We recommend achieving ISO 27001 compliance, so you’re ready when certification becomes possible. It looks like you’ll be able to get ISO 27701 certified from mid-2021 onwards.

To achieve ISO/IEC 27701:2019 compliance, you need to design, build and implement a Personal Information Management System (PIMS) for your organisation.

Your new PIMS should follow:

1.   The ISO 27701 standard in all relevant ways

2.   Any national or international regulations that apply to your organisation

ISO 27701 assumes you’ve already achieved ISO 27001 compliance or certification. That means creating an information security management system (ISMS). You can set up your ISMS ahead of or alongside your ISO 27701 implementation.

How ISO 27701 relates to other standards

How does ISO 27701 relate to ISO 27001?

ISO 27701 fills in some Personally Identifiable Information gaps in ISO 27001. So you can implement it either alongside or after ISO 27001.

Which other standards does ISO 27701 map onto?

As well as ISO 27001, ISO 27701 maps onto:

• The privacy framework and principles defined in ISO/IEC 29100
• ISO/IEC 27018
• ISO/IEC 29151
• GDPR

Bear in mind that you’ll also need to follow any local regulations if you map ISO 27701 onto any other standard.

How does ISO 27701 relate to GDPR?

ISO 27701 is separate from GDPR. But if you’re ISO 27701 compliant or certified, your Personal Information Management System will be GDPR compliant.

How does ISO 27701 relate to ISO 27552?

ISO 27701 was first developed as ISO/IEC 27522. The standard’s name changed to ISO 27701 before its 2019 launch. ISO 27522 became ISO 27701 because any standard that tells you how to set up a management system must end with 01.

What’s the ISO 27000 family of standards?

The ISO 27000 family of standards focuses on information security. Each ISO 27000 standard has a different infosec emphasis and requirements. Organisations of any size or type can use them.

Key family members include:

• ISO 27000 introduces the family and explains basic terms and definitions
• ISO 27001 tells you how to create an Information Security Management System
• ISO 27017 and 27018 show you how to protect sensitive data held in the cloud
• ISO 27031 focuses on maintaining business continuity when challenges or crises hit
• ISO 27701 shows you how to create a Personal Information Management System

Key details of ISO 27701 annexes

What does Annex D cover?

Annex D of the ISO 27701 standard tells you how to map its controls on to the EU’s General Data Protection Regulation (GDPR).

What does Annex F cover?

Annex F of the ISO 27701 standard explains how to extend ISO IEC 27001 and ISO/IEC 27002 to protect Personally Identifiable Information (PII).

How ISMS.online can make implementing ISO 27701 easy

To make things simple for you, ISMS.online has built a cloud-based platform. This platform adheres to the ISO standards’ criteria and also satisfies the requirements of ISO 27701. This enables you to create and demonstrate compliance with the ISO 27701 standard, therefore simplifying certification.

Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 implementation so that you can demonstrate your dedication to information security governance best practices. Call ISMS.online on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27701.