What is the Purpose of ISO 27701 and What Benefits Does it Bring?

25 Jul

Table of Contents

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.  Fortunately, guidance exists in the form of ISO/IEC 27701:2019 (ISO 27701), an International Standard, which sets out how organisations should manage personal information and demonstrate compliance with global privacy regulations.   In this blog, we will provide you with an overview of ISO 27701, as well as the benefits of implementing it.

Purpose of ISO 27701

Let’s first look at the full title of ISO 27701: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.  As per its title, ISO 27701 details best practice guidelines and requirements as a privacy extension to ISO 27001 and ISO 27002.

The Standard helps to reduce complexity and, by integrating with ISO 27001, negates the need to develop and maintain separate information security and privacy management systems.  It is a Standard you can either comply or certify to.  By achieving the latter through an accredited certification body, you are able to provide stakeholders with the added assurance of an independent validation of the way you protect privacy and manage personal information.

Evidence of Compliance with Data Protection Regulations and Legislation

ISO 27701 provides the ideal mechanism for managing compliance with regulations from multiple jurisdictions around the world.  A key difference from the British Standard BS 10012 is that it is jurisdiction/legislation neutral.  Most significantly, it aligns with the GDPR and one of the appendices specifically addresses mapping with the Regulation.

By complying with the requirements of ISO 27701, you will, as a matter of course, generate documentary evidence on how you process personally identifiable information (PII).  Data protection managers will be able to use the documentary evidence as part of a privacy information management system (PIMS)** to provide assurance of compliance.

** Privacy Information Management System (PIMS) – Information security management system which incorporates the protection of privacy potentially affected by the processing of personally identifiable information (PII).

Assurance to Stakeholders

Not only can ISO 27701 provide assurance to senior management and the board, the Standard can also help you build trust with other stakeholders (such as customers, partners and shareholders) by providing tangible evidence of your organisation’s commitment to protecting PII.

This is particularly the case if your PIMS is certified with an accredited certification body.  If you’re a PII processor, you can use the certification to provide validated evidence to PII controllers that your PIMS adheres to relevant privacy requirements.

Suitable for all Organisations

An important feature of ISO 27701 is its versatility.  Just as ISO 27001 works for all organisations, so does ISO 27701.  It has been written in such a way that it can be used by organisations of all sizes and from all business sectors.  It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.

GDPR Certification?

Article 42 of the GDPR details data protection certification mechanisms and data protection seals and marks.  In August 2021, the ICO approved 3 purpose-specific certification schemes (for IT asset disposal, age assurance and age appropriate design), but there has been speculation as to whether certification to ISO 27701 will be adopted as a potential GDPR certification mechanism.

However, irrespective of whether it is formally adopted, achieving accredited certification to ISO 27701 is, without doubt, the most effective, current, widely-applicable method of demonstrating to customers, stakeholders and regulators that your organisation is following international best practice when it comes to protecting PII.

Do I Need to Implement or be Certified to ISO 27001 First?

The short answer is no, although it certainly helps.  If you have already implemented an ISO 27001-compliant information security management system (ISMS) you should find it relatively straightforward to extend your management system to include the processing of PII and develop a PIMS.

However, if your organisation has not yet implemented ISO 27001, you can implement a combined information security and privacy management system and achieve certification for both 27001 and 27701 simultaneously.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
Facial Recognition Technology and Data Protection Compliance

URM’s blog outlines the DP concerns around the use of facial recognition technology (FRT), and offers guidance on making sure your FRT use is GDPR compliant.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
How to Create a Record of Processing Activities (ROPA)

In this blog, we will outline a step-by-step procedure on how you can create a ROPA.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
When and How to Conduct a Data Protection Impact Assessment (DPIA)

A DPIA delivers a pre-emptive approach to assessing these risks, and can prevent a data breach occurring. We present an outline of steps in conducting a DPIA

Read more
Complicated topic summarised really simply making GDPR accessible. I would love a recording as was distracted part way through and would like to re-enforce my knowledge by listening again (possibly a couple of times just to get it to sink in......)
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.