The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent. Fortunately, guidance exists in the form of ISO/IEC 27701:2019 (ISO 27701), an International Standard, which sets out how organisations should manage personal information and demonstrate compliance with global privacy regulations. In this blog, we will provide you with an overview of ISO 27701, as well as the benefits of implementing it.
Purpose of ISO 27701
Let’s first look at the full title of ISO 27701: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines. As per its title, ISO 27701 details best practice guidelines and requirements as a privacy extension to ISO 27001 and ISO 27002.
The Standard helps to reduce complexity and, by integrating with ISO 27001, negates the need to develop and maintain separate information security and privacy management systems. It is a Standard you can either comply or certify to. By achieving the latter through an accredited certification body, you are able to provide stakeholders with the added assurance of an independent validation of the way you protect privacy and manage personal information.
Evidence of Compliance with Data Protection Regulations and Legislation
ISO 27701 provides the ideal mechanism for managing compliance with regulations from multiple jurisdictions around the world. A key difference from the British Standard BS 10012 is that it is jurisdiction/legislation neutral. Most significantly, it aligns with the GDPR and one of the appendices specifically addresses mapping with the Regulation.
By complying with the requirements of ISO 27701, you will, as a matter of course, generate documentary evidence on how you process personally identifiable information (PII). Data protection managers will be able to use the documentary evidence as part of a privacy information management system (PIMS)** to provide assurance of compliance.
** Privacy Information Management System (PIMS) – Information security management system which incorporates the protection of privacy potentially affected by the processing of personally identifiable information (PII).
Assurance to Stakeholders
Not only can ISO 27701 provide assurance to senior management and the board, the Standard can also help you build trust with other stakeholders (such as customers, partners and shareholders) by providing tangible evidence of your organisation’s commitment to protecting PII.
This is particularly the case if your PIMS is certified with an accredited certification body. If you’re a PII processor, you can use the certification to provide validated evidence to PII controllers that your PIMS adheres to relevant privacy requirements.
Suitable for all Organisations
An important feature of ISO 27701 is its versatility. Just as ISO 27001 works for all organisations, so does ISO 27701. It has been written in such a way that it can be used by organisations of all sizes and from all business sectors. It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.
Article 42 of the GDPR details data protection certification mechanisms and data protection seals and marks. In August 2021, the ICO approved 3 purpose-specific certification schemes (for IT asset disposal, age assurance and age appropriate design), but there has been speculation as to whether certification to ISO 27701 will be adopted as a potential GDPR certification mechanism.
However, irrespective of whether it is formally adopted, achieving accredited certification to ISO 27701 is, without doubt, the most effective, current, widely-applicable method of demonstrating to customers, stakeholders and regulators that your organisation is following international best practice when it comes to protecting PII.
Do I Need to Implement or be Certified to ISO 27001 First?
The short answer is no, although it certainly helps. If you have already implemented an ISO 27001-compliant information security management system (ISMS) you should find it relatively straightforward to extend your management system to include the processing of PII and develop a PIMS.
However, if your organisation has not yet implemented ISO 27001, you can implement a combined information security and privacy management system and achieve certification for both 27001 and 27701 simultaneously.
A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to..