Understanding ISO 27701: Privacy Information Management System (PIMS)

Book a demo

data,center,programmer,using,digital,laptop,computer,,maintenance,it,specialist.

What’s ISO 27701?

ISO 27701 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. We’re going to explain what that means.

ISO/IEC 27701 will help you manage Personally Identifiable Information (PII) within your organisation. It’s a new standard, designed for use by anyone responsible for PII in any sort of organisation.

The standard shows you how to design, set up, manage and continually improve a Privacy Information Management System (PIMS). It gives you a lot of flexibility in how you create and run your PIMS. ISO 27701’s flexibility will help you follow any relevant local PII regulations too.

ISO 27701 builds on ISO/IEC 27001. That means you can either:

  • Achieve ISO 27001 compliance or certification before you go for ISO
  • Implement ISO 27001 and 27701 together as a single project

ISO 27701 came into being on the 6th August 2019. Because the standard is so new, very few organisations have adopted it. If you choose to go for ISO 27701 certification, you’ll find yourself ahead of the infosec pack.

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

What’s the history of ISO/IEC 27701?

ISO 27001 is the most popular security standard in the world, but it has some gaps. In particular, it doesn’t tell you how to set up Personally Identifiable Information (PII) security measures. The EU’s General Data Protection Regulation (GDPR) brought ISO 27001’s lack of clear PII guidance into focus. GDPR asks for PII security measures, but it doesn’t give any implementation guidance or requirements.

So work began on the standard that would become ISO 27701. The new PII management standard was first developed as ISO/IEC 27522. Technical work on ISO 27522 ended in 2019, leading to the publication of the new standard on 6th August 2019. It’s an extension to ISO/IEC 27001. Before publication, ISO/IEC 27522 became ISO/IEC 27701. That’s because any standard describing how to create a management system should end with 01.

interior,of,contemporary,multi floor,business,center,with,large,windows,and

What’s personally identifiable information?

Personally identifiable information (PII) is information that gives away someone’s identity. PII reveals identities either on its own or in combination with other data. Some categories of PII are very sensitive. For example, you can only hold and process data about criminal convictions and offences in very limited circumstances.

What are the benefits of ISO 27701?

Almost every organisation holds detailed Personally Identifiable Information (PII) about individual people. If PII leaks, it can be very damaging. An ISO/IEC 27701 compliant Privacy Information Management System (PIMS) will protect your PII.

It’ll help you avoid the negative outcomes of PII breaches, which can include:

  • Fines of up to €20 million (under the EU’s GDPR regulations)
  • Substantial brand and reputational damage
  • Personal privacy issues for any compromised individuals

Achieving ISO 22701 certification can also have many positive impacts, including:

  • Making it easy to prove that you’re serious about information security
  • Speeding up your sales process and opening up new marketplaces
  • Strengthening relationships with existing customers and stakeholders
business,marketing,team,discussion,corporate,concept

See who we’ve already helped

Introducing privacy information management

Most organisations need to hold and process information about some or all of their:

  • Customers
  • Employees
  • Suppliers
  • Other stakeholders

Those people rely on data-gathering organisations to keep that information private. The risk of and potential damage from a privacy information, or Personally Identifiable Information (PII), breach is increasing fast. Issues can include:

  • Fines of up to €20 million (under the EU’s GDPR regulations)
  • Substantial brand and reputational damage
  • Personal privacy issues for any compromised individuals

So, more and more organisations are creating privacy information management systems (or PIMS). An effective, ISO 27701 compliant or certified PIMS has many potential benefits. It can:

  • Ease the compliance burden by making privacy information security easy to manage and possibly meeting several regulatory needs at once
  • Boost management, regulator and other stakeholder confidence by creating transparent, easy-to-demonstrate security measures
  • Quickly, easily meet and even exceed the privacy needs of your customers and other commercial partners
  • Set clear conditions for sharing and monetising the valuable data your organisation’s built up
  • Send a strong, brand-building signal that your organisation takes security very seriously indeed

To increase security, you can pseudonymise or anonymise your PII. The GDPR definitions of those two ways of managing your personal data are:

  • To pseudonymise personal data you need to process it “in such a way that the data can no longer be attributed to a specific data subject without the use of additional information” (GDPR Article 3)
  • To anonymise personal data you need to make sure that you process it “in such a way that the data subject is not or no longer identifiable” (GDPR Recital 26) under any circumstances

Pseudonymised data can still be subject to PII regulations and requirements. Most regulatory regimes probably won’t apply to anonymised data.

The difference between pseudonymised and anonymised data can be quite subtle and complex. It can vary in different jurisdictions. You’ll need to check carefully to make sure you’re applying all relevant regulations to your PII.

Oh, and if you hold information on someone who has (very sadly) died, then it probably won’t be PII. Information about the deceased isn’t generally classed as personal. Details of companies, public authorities or other organisations probably aren’t PII either.

ISMS.online will save you time and money towards ISO 27001 certification and make it simple to maintain.

Daniel Clements

Information Security Manager, Honeysuckle Health

Book a demo

What’s a PIMS?

A PIMS is a Personal Information Management System. It combines:

  • clearly-defined and widely-understood policies and procedures
  • effective privacy management technology
  • well-trained people

to protect the Personally Identifiable Information (PII) your organisation holds and uses. An effective PIMS will reassure your organisation’s:

Your PIMS will help you store and share PII, both internally and externally. The right PIMS will also make it easy for people to update and correct any data you hold on them.

See our platform features in action

A tailored hands-on session based on your needs and goals

Book your demo

100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo
Assured Results Method

Getting ISO 27701 certified

Who can implement ISO 27701?

To implement ISO 27701, your organisation needs to:

1.   Process and / or manage Personally Identifiable Information (PII)

2.   Have an ISO 27001-certified information security management system (ISMS)

It doesn’t matter what type or size of organisation you are. ISO 27701’s requirements flex to cover all all types and sizes of organizations. That includes (but isn’t limited to):

1.   Public and private companies

2.   Government entities

3.   Not-for-profit organizations

How do you get started with ISO 27701?

Get to know the ISO 27701 standard. It’ll help you define your privacy management strategy and plan your PIMS. Next build your PIMS, creating its systems and tactical controls. Then implement your PIMS, making sure you follow all the ISO 27701 requirements.

You’ll be ready for your audit once full ISO 27701 certification becomes possible. At the moment the standard is so new that nobody’s accredited to certify you for it.

Oh, and to achieve ISO 27001 you’ll need to be either ISO 27001 compliant or certified. If you don’t have ISO 27001, you’ll need to plan how to implement it too.

What do you need to get ISO/IEC 27701:2019 certified?

ISO/IEC 27701:2019 is so new that it doesn’t have any accredited certification bodies. So, at time of writing, you can’t actually get ISO 27701 certified.<.p>

We recommend achieving ISO 27001 compliance, so you’re ready when certification becomes possible. It looks like you’ll be able to get ISO 27701 certified from mid-2021 onwards.

To achieve ISO/IEC 27701:2019 compliance, you need to design, build and implement a Personal Information Management System (PIMS) for your organisation.

Your new PIMS should follow:

1.   The ISO 27701 standard in all relevant ways

2.   Any national or international regulations that apply to your organisation

ISO 27701 assumes you’ve already achieved ISO 27001 compliance or certification. That means creating an information security management system (ISMS). You can set up your ISMS ahead of or alongside your ISO 27701 implementation.

How do you show good practice for ISO 27701?

When you go for ISO 27701 certification, your auditors will assess your PIMS by:

1.   Reading through your PIMS’ documentation

2.   Interviewing your people to make sure they understand it and use it

3.   Carrying out tests to see how well it works in practice

To show good ISO 27701 practice, you’ll need:

1.   Comprehensive PIMS documentation

2.   Well-trained staff

3.   Widely-understood and followed policies and procedures

How do you get ISO 27701 certified?

ISO/IEC 27701:2019 is so new that it doesn’t have any accredited certification bodies. So, at time of writing, you can’t actually get ISO 27701 certified. When ISO 27701 certification does become possible, it’ll follow a similar process to ISO 27001 certification.

First you’ll need to design, build and implement your Personal Information Management System (PIMS). Make sure you follow the requirements given in the ISO 27701 standard. Then sign up with a recognised independent certification body, who will audit your PIMS.

Your certification body’s auditors will assess your PIMS documentation. Then they’ll test your PIMS, usually through on-site interviews and sampling. If you pass your audit, you’re certified. You’ll then have two annual surveillance audits. After three years, you’ll need to get re-certified.

How ISO 27701 relates to other standards

How does ISO 27701 relate to ISO 27001?

ISO 27701 fills in some Personally Identifiable Information gaps in ISO 27001. So you can implement it either alongside or after ISO 27001.

Which other standards does ISO 27701 map onto?

As well as ISO 27001, ISO 27701 maps onto:

  • The privacy framework and principles defined in ISO/IEC 29100
  • ISO/IEC 27018
  • ISO/IEC 29151
  • GDPR

Bear in mind that you’ll also need to follow any local regulations if you map ISO 27701 onto any other standard.

How does ISO 27701 relate to GDPR?

ISO 27701 is separate from GDPR. But if you’re ISO 27701 compliant or certified, your Personal Information Management System will be GDPR compliant.

How does ISO 27701 relate to ISO 27552?

ISO 27701 was first developed as ISO/IEC 27522. The standard’s name changed to ISO 27701 before its 2019 launch. ISO 27522 became ISO 27701 because any standard that tells you how to set up a management system must end with 01.

What’s the ISO 27000 family of standards?

The ISO 27000 family of standards focuses on information security. Each ISO 27000 standard has a different infosec emphasis and requirements. Organisations of any size or type can use them.

Key family members include:

  • ISO 27000 introduces the family and explains basic terms and definitions
  • ISO 27001 tells you how to create an Information Security Management System
  • ISO 27017 and 27018 show you how to protect sensitive data held in the cloud
  • ISO 27031 focuses on maintaining business continuity when challenges or crises hit
  • ISO 27701 shows you how to create a Personal Information Management System

 

Key details of ISO 27701 annexes

What does Annex D cover?

Annex D of the ISO 27701 standard tells you how to map its controls on to the EU’s General Data Protection Regulation (GDPR).

What does Annex F cover?

Annex F of the ISO 27701 standard explains how to extend ISO IEC 27001 and ISO/IEC 27002 to protect Personally Identifiable Information (PII).

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Frequently Asked Questions

What is ISO 27701?

ISO 27701 relates to the management of Personally Identifiable Information (PII) within your organisation. This is a new standard, designed to be used by anyone in your organisation who is responsible for this type of information. The standard demonstrates how to design your own Privacy Information Management System (PIMS) and offers you enough flexibility on how to effectively manage it. ISO 27701 is flexible to the point where it can help you follow any local PII regulations too.

What are the benefits of ISO 27701?

ISO 27701 can help you avoid the negative impact of PII breaches such as:

  • Fines of up to 20m euros (under the EU’s GDPR regulations)
  • Substantial damage to brand and reputation
  • Personal privacy issues for compromised individuals

The positive impact of having ISO 27701 certification includes:

  • Being able to prove that you are serious about information security
  • Increasing the speed of sales processes and opening up new marketplaces
  • Building stronger relationships with existing customers and interested parties

What is Personally Identifiable Information?

PII is what gives away someone’s identity, revealing identifiable information on its own or in combination with other data. Some categories of personally identifiable information can be very sensitive. For example, you can only hold and process personal information on criminal convictions and offences in very limited circumstances.

What is a Privacy Information Management System (PIMS)?

A Privacy Information Management System combines:

  • Clearly defined and widely understood policies and procedures for personal information
  • Technology for effective privacy management
  • Well-trained people

To protect Personally Identifiable Information, an effective PIMS will reassure your organisations:

  • Employees
  • Customers
  • Contacts
  • Other stakeholders
  • That you’re managing their personal information in a secure and responsible way

Your system will help you store and share PII, both internally and externally. The right PIMS will also make it easy for people to update and correct any data you hold on them.

How do you get ISO 27701 certification?

This standard is so new that it does not have any accredited certification bodies. The recommendation is to achieve compliance with the standard so you are ready for certification when it becomes possible. Certification could be available from mid-2021 onwards. To achieve compliance, you need to design, build and implement a Personally Information Management system (PIMS) for your organisation. Your new system should follow:

  • The ISO 27701 standard in all relevant ways
  • Any national or international regulations that apply to your organisation.

ISO 27701 assumes that you have already achieved ISO 27001 compliance or certification. This means that you will have created an Information Security Management System (ISMS). It is possible to set up an ISMS ahead of or alongside your implementation of ISO 27701.

How ISMS.online can make implementing ISO 27701 easy

To make things simple for you, ISMS.online has built a cloud-based platform. This platform adheres to the ISO standards’ criteria and also satisfies the requirements of ISO 27701. This enables you to create and demonstrate compliance with the ISO 27701 standard, therefore simplifying certification.

Our cloud-based platform allows you to access all your ISMS resources in one place. We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 implementation so that you can demonstrate your dedication to information security governance best practices. Call ISMS.online on +44 (0)1273 041140 to find out more about how we can help you get certified to ISO 27701.

The proven path to ISO 27001 success

Built with everything you need to succeed with ease, and ready to use straight out of the box – no training required!
Policies

Perfect Policies & Controls

Easily collaborate, create and show you are on top of your documentation at all times

Find out more
Risk-Management

Simple Risk Management

Effortlessly address threats & opportunities and dynamically report on performance

Find out more
Reporting

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting

Find out more
Audits

Audits, Actions & Reviews

Make light work of corrective actions, improvements, audits and management reviews

Find out more
Linking

Mapping & Linking Work

Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers

Find out more
Assets

Easy Asset Management

Select assets from the Asset Bank and create your Asset Inventory with ease

Find out more
Seamless-Integration

Fast, Seamless Integration

Out of the box integrations with your other key business systems to simplify your compliance

Find out more
Standards-Regulations

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more

Find out more
Compliance

Staff Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times

Find out more
Supply-Chain

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle

Find out more
Interested-Parties

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed

Find out more
Privacy

Strong Privacy & Security

Strong privacy by design and security controls to match your needs & expectations

Find out more
 

100% of our users achieve ISO 27001 certification first time

Start your journey today
See how we can help you

Streamline your workflow with our new Jira integration! Learn more here.