ISO 27701 – New Standard for Privacy Information Management

A new and significant international privacy standard has been introduced called ISO 27701.

Both the EU GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018 require organisations to take measures to ensure the privacy of any personal data that they process.

However, neither piece of legislation provides much guidance on what those measures should look like. The ISO (the International Organisation for Standardisation) and the IEC (International Electrotechnical Commission) have therefore developed this new standard to provide that guidance.

The new standard provides a specification for a Privacy Information Management System (PIMS) and is an extension to ISO 27001, the international standard for an Information Security Management System (ISMS).

ISO 27701 provides a specification for a PIMS, as well as processes and controls for managing personal information. It also includes mappings to other related standards in particular ISO 29100, the international standard for a Privacy Framework.

ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.

A major benefit of ISO 27701 is that organisations can demonstrate their compliance with privacy laws and regulations through a recognised international standard.  A further benefit is that organisations can obtain certification in the standard although it is dependent on obtaining certification in ISO 27001 because of its foundation being the ISMS.

ISO/IEC 27701 provides guidance to any organisation responsible for PII (personally identifiable information) processing within an information security management system.  Organisations of all sizes and types, including public and private companies as well as governmental entities and other types of organisation, can benefit. Providing a risk-based approach, it helps organisations address specific privacy risks faced as well as risks to personal data and privacy. 

Implementing ISO 27701 and ISO 27001 will enable you to meet the privacy and information security requirements of the GDPR and other data protection regimes, and demonstrate that you have management arrangements in place for “appropriate technical and organisational measures” to protect the personal data you process and uphold data subjects’ rights, in line with the Regulation’s accountability principle (Article 5(2)).is

Article 42 of the GDPR discusses data protection certification mechanisms and data protection seals and marks. No such mechanisms yet exist. However, it is possible to achieve independently accredited certification to ISO 27001 – and by extension ISO 27701 if you implement its controls – which will demonstrate to stakeholders and regulators that your organisation is following international best practice when it comes to securing personal data/PII.

Although ISO 27001 is built around the implementation of information security controls, none of them are universally mandatory for compliance. That’s because the Standard recognises that every organisation will have its own requirements when developing an ISMS, and that not all controls will be appropriate. The process follows a certification process in order to demonstrate compliance with the ISO standards which can aid building trust in your company’s ability to manage personal information, both for customers and employees.

According to DNV-GL (2020), it provides the following benefits:

• Supports in compliance with GDPR and other applicable privacy regulations.
• Clarifies the roles and responsibilities within your organisation.
• Improves internal competence and processes to avoid breaches.
• Provides transparency on established controls for the management of privacy.
• Facilitates agreements with business partners where the processing of PII is mutually relevant.
• Integrates easily with the leading information security standard ISO/IEC 27001.

The goal of ISO 27001 is to provide an internationally accepted framework of standards for how a modern organisation should manage their information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-profit understands where their strengths and weaknesses lie. There are no penalties in not meeting the certification and is a voluntary certification that is used to strengthen best practices and user and organisational trust.

It is possible to get ISO 27701 certified, but only if you combine it with an ISO 27001 audit. Because of this ‘extension model’ the ISO 27701 will not be suited for every organisation. If, however, your organisation is already certified for ISO 27001, the PIMS-standard might be interesting to add.

According to IT Governance USA, in achieving the ISO 27001 certification the table below is a guide when budgeting for your initial certification audit.