ISO 27701 privacy information management
The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent. Fortunately, guidance has now arrived in the form of ISO/IEC 27701:2019 (ISO 27701*), a new International Standard, which sets out how organisations should manage personal information and demonstrate compliance with updated global privacy regulations.
Initially published as a draft international standard (DIS) in December 2018, a final draft international standard (FDIS) was made available in June 2019, followed closely by its final publication as ISO 27701 in August 2019. In this blog, we will provide you with the basics on what ISO 27701 is, as well as the benefits of implementing it.
*The Standard was initially numbered 27552 but was changed to 27701 in order to align more closely with other standards in the ISO 27000 series.
Purpose of ISO 27701
Let’s first look at the full title of ISO 27701: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines. As per its title, ISO 27701 details best practice guidelines and requirements as a privacy extension to ISO 27001 and ISO 27002.
The new Standard helps to reduce complexity and, by integrating with ISO 27001, negates the need to develop and maintain separate information security and privacy management systems. It is a Standard you can either comply with or certify to. By achieving the latter through an accredited certification body, you are able to provide stakeholders with the added assurance of an independent validation of the way you protect privacy and manage personal information.
Evidence of Compliance with Data Protection Regulations and Legislation
ISO 27701 provides the ideal mechanism for managing compliance with regulations from multiple jurisdictions around the world. A key difference from the British Standard BS 10012 is that it is jurisdiction/legislation neutral. Most significantly, it aligns with the GDPR, and one of the appendices specifically addresses mapping to the European Regulation.
By complying with the requirements of ISO 27701, you will, as a matter of course, generate documentary evidence on how you process personally identifiable information (PII). Data protection managers will be able to use the documentary evidence as part of a privacy information management system (PIMS)** to provide assurance of compliance.
** Privacy Information Management System (PIMS) – Information security management system which incorporates the protection of privacy potentially affected by the processing of personally identifiable information (PII).
Assurance to Stakeholders
Not only can ISO 27701 provide assurance to senior management and the Board, the Standard can also help you build trust with other stakeholders (such as customers, partners and shareholders) by providing tangible evidence of your organisation’s commitment to protecting PII.
This is particularly the case if your PIMS is certified by an accredited certification body. If you’re a PII processor, you can use the certification to provide validated evidence to PII controllers that your PIMS adheres to relevant privacy requirements.
Suitable for all Organisations
An important feature of ISO 27701 is its versatility. Just as ISO 27001 works for all organisations, so does ISO 27701. It has been written in such a way that it can be used by organisations of all sizes and from all business sectors. It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.
Article 42 of the GDPR details data protection certification mechanisms and data protection seals and marks. At the time of writing, there is no formal certification scheme in place, but there has been speculation as to whether certification to ISO 27701 will be adopted as a potential GDPR certification mechanism.
However, irrespective of whether it is formally adopted, achieving accredited certification to ISO 27701 is, without doubt, the most effective current method of demonstrating to customers, stakeholders and regulators that your organisation is following international best practice when it comes to protecting PII.
Do I Need to Implement or be Certified to ISO 27001 First?
The short answer is no, although it certainly helps. If you have already implemented an ISO 27001-compliant information security management system (ISMS) you should find it relatively straightforward to extend your management system to include the processing of PII and develop a PIMS.
However, if your organisation has not yet implemented ISO 27001, you can implement a combined information security and privacy management system and achieve certification for both ISO 27001 and ISO 27701 simultaneously.