What is the Purpose of ISO 27701 and What Benefits Does it Bring?

Latest update:
25 Jul

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.  Fortunately, guidance exists in the form of ISO/IEC 27701:2019 (ISO 27701), an International Standard, which sets out how organisations should manage personal information and demonstrate compliance with global privacy regulations.   In this blog, we will provide you with an overview of ISO 27701, as well as the benefits of implementing it.

Purpose of ISO 27701

Let’s first look at the full title of ISO 27701: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.  As per its title, ISO 27701 details best practice guidelines and requirements as a privacy extension to ISO 27001 and ISO 27002.

The Standard helps to reduce complexity and, by integrating with ISO 27001, negates the need to develop and maintain separate information security and privacy management systems.  It is a Standard you can either comply or certify to.  By achieving the latter through an accredited certification body, you are able to provide stakeholders with the added assurance of an independent validation of the way you protect privacy and manage personal information.

Evidence of Compliance with Data Protection Regulations and Legislation

ISO 27701 provides the ideal mechanism for managing compliance with regulations from multiple jurisdictions around the world.  A key difference from the British Standard BS 10012 is that it is jurisdiction/legislation neutral.  Most significantly, it aligns with the GDPR and one of the appendices specifically addresses mapping with the Regulation.

By complying with the requirements of ISO 27701, you will, as a matter of course, generate documentary evidence on how you process personally identifiable information (PII).  Data protection managers will be able to use the documentary evidence as part of a privacy information management system (PIMS)** to provide assurance of compliance.

** Privacy Information Management System (PIMS) – Information security management system which incorporates the protection of privacy potentially affected by the processing of personally identifiable information (PII).

Assurance to Stakeholders

Not only can ISO 27701 provide assurance to senior management and the board, the Standard can also help you build trust with other stakeholders (such as customers, partners and shareholders) by providing tangible evidence of your organisation’s commitment to protecting PII.

This is particularly the case if your PIMS is certified with an accredited certification body.  If you’re a PII processor, you can use the certification to provide validated evidence to PII controllers that your PIMS adheres to relevant privacy requirements.

Suitable for all Organisations

An important feature of ISO 27701 is its versatility.  Just as ISO 27001 works for all organisations, so does ISO 27701.  It has been written in such a way that it can be used by organisations of all sizes and from all business sectors.  It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.

GDPR Certification?

Article 42 of the GDPR details data protection certification mechanisms and data protection seals and marks.  In August 2021, the ICO approved 3 purpose-specific certification schemes (for IT asset disposal, age assurance and age appropriate design), but there has been speculation as to whether certification to ISO 27701 will be adopted as a potential GDPR certification mechanism.

However, irrespective of whether it is formally adopted, achieving accredited certification to ISO 27701 is, without doubt, the most effective, current, widely-applicable method of demonstrating to customers, stakeholders and regulators that your organisation is following international best practice when it comes to protecting PII.

Do I Need to Implement or be Certified to ISO 27001 First?

The short answer is no, although it certainly helps.  If you have already implemented an ISO 27001-compliant information security management system (ISMS) you should find it relatively straightforward to extend your management system to include the processing of PII and develop a PIMS.

However, if your organisation has not yet implemented ISO 27001, you can implement a combined information security and privacy management system and achieve certification for both 27001 and 27701 simultaneously.

Thumbnail of the Blog Illustration
Data Protection
Data Transfer Risk Assessment

In this blog, we are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions. What is a TRA? Who does it...

Read more
Thumbnail of the Blog Illustration
Data Protection
Transferring Personal Data Outside of the EEA

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA. One of the ways in which you can legitimise an ex-EEA data transfer is by using the standard...

Read more
Thumbnail of the Blog Illustration
Data Protection
Data Protection and Management System Standards – Which is Best for Me?

A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to..

Read more
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.