Thursday, August 26th, 2021
Insights on ISO27701 – An extension to ISO27001
What is ISO27701?
The main aim of ISO27701 is to fill the assurance gap and provide an international approach to data protection as an extension of information security. It provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements.
As organizations work to continue to meet customer and legal requirements for compliance, it is becoming more common for them to need to obtain and maintain multiple ISO certifications. Deciding whether or not to pursue a new ISO certification can be difficult for many businesses: while ISO standards are not always mandatory, they are often useful indicators of good business practice.
The new ISO 27701 standard has been designed as a certifiable extension to ISO 27001. It is based on the requirements and control objectives of ISO 27001 and includes a set of privacy-specific requirements and control objectives to protect Personally Identifiable Information (PII). PII can be defined as any information that can be used to uniquely identify an individual such as name, home address or email address. Protecting PII is essential for data protection and information security.
ISO 27701 covers privacy management within an organisation, which is unsurprising given the global trend towards bolstered data protection regulation. It sets out guidance for controllers and processors to demonstrate accountability in relation to their personal data processing.
- Includes mapping to GDPR, ISO/IEC 29100, ISO/IEC 27018 and ISO/IEC 29151
- Integrates with other management system standards, including ISO 27001
- Provides PIMS-specific guidance for ISO/IEC 27002
- Provides guidance for data controllers and processors responsible for processing personal data
Organisations that have implemented ISO 27001 will be able to use ISO 27701 to extend their security efforts to cover privacy management, including their processing of PII, which can help them demonstrate that reasonable measures have been taken to comply with data protection laws such as the GDPR.
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.
ISO 27701 fills in some PII-related control gaps in ISO 27001 and puts a much greater emphasis on ensuring that all PII processing activities are carried out securely and in line with regulatory requirements. Implementation of the standard is completely flexible, so organisations can choose to implement it at the same time as ISO 27001 or afterwards as a separate project. It is logical and more efficient to integrate the new privacy controls provided by ISO/IEC 27701 into your organization's existing ISMS. This approach means the implementation and audit of both will be less expensive and easier to achieve.
It is worth noting that organisations without any ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.
Is ISO27701 a useful addition to existing ISO standards?
In line with the GDPR, ISO/IEC 27701 provides guidance for implementing and maintaining a Privacy Information Management System (PIMS) that is capable of ensuring effective management of the PII within your organization.
Benefits of ISO 27701:
- Defines technical and organisational controls to protect both the PII itself and the rights of the PII Principals (known as data subjects under the GDPR);
- Ensures that both PII Controllers and PII Processors are aware of their responsibilities when it comes to protecting PII;
- Protects the organisation’s reputation and maintains customer trust through improved governance of PII;
- Clarifies the Privacy Information Management System implementation process;
- Speeds up your sales process and opens up new marketplaces;
- Increases transparency of the organisation’s processes and procedures;
- Reliably implements the relevant regulatory requirements.
Implementing ISO 27701
If you are looking to implement ISO 27701 as an extension of ISO 27001, Smarttech247 are here to help with the process. Reach out to us today for a free consultation.