DEFINING ISO/IEC 27701
ISO/IEC 27701 certification is integral to a Privacy Information Management System (PIMS). The standard is an extension of ISO/IEC 27001 (information security management) and ISO/IEC 27002 (security controls).
Building on the two standards, ISO/IEC 27701 specifies the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS specific to your organization.
It outlines PIMS-related requirements and guidance for Personally Identifiable Information (PII) controllers and processors that are responsible and accountable for PII processing. ISO/IEC 27701 applies to all organizations that are PII controllers and/or processors that process the relevant information within an Information Security Management System (ISMS).
MAPPINGS TO OTHER STANDARDS AND REGULATIONS
The standard includes mappings to the General Data Protection Regulation (GDPR), ISO/IEC 29100 (privacy framework), ISO/IEC 27018 (protecting PII in public clouds acting as PII processors) and ISO/IEC 29151 (PII protection).
ISO/IEC 27701’S KEY BENEFITS
The standard can lead to:
- Greater trust in managing personal information
- More transparency between key people
- Effective business agreements
- Defined roles and responsibilities
- Compliance with privacy regulations
- Decreased complexity through integration with ISO/IEC 27001
Compliance with ISO/IEC 27001’s requirements is a prerequisite for compliance with ISO/IEC 27701. These standards are intended to complement each other.
Fulfilling ISO/IEC 27701’s requirements will show evidence of how an organization is processing PII. This can be used to facilitate agreements with business partners where PII processing is relevant. It also clarifies the organization’s processing of PII to other stakeholders.
KEY REQUIREMENT AREAS
Scope
You need to understand your management system requirements and intended application.
Normative references
You must familiarize yourself with these documents, which are referred to throughout the standard, including:
- ISO/IEC 27000 and ISO/IEC 27001 (information security management)
- ISO/IEC 27002 (code of practice for information security controls)
- ISO/IEC 29100 (privacy framework)
Terms and definitions
This section provides a few additional definitions used in the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100.
General
You should understand the document's structure and where the PIMS-specific requirements relating to ISO/IEC 27001 and ISO/IEC 27002 are located.
PIMS-specific clauses
For your PIMS, you need to know the PIMS-specific requirements that extend ISO/IEC 27001 and the PIMS-specific guidance that extends ISO/IEC 27002.
PII controllers & processors
There are two clauses with additional guidance on PII controllers and processors.
THE DESIGN INTENT OF ISO/IEC 27701
The intent is a universal set of operational controls that capture privacy regulations in practice.
For example, GDPR requirements would be mapped to ISO and compliance controls, which then drive goods and services, product development and vendor management. A third-party audit of those compliance controls would lead to certification as a sufficient demonstration of compliance.
WHY OPEN-SOURCE REGULATORY MAPPING?
Mappings must be:
- Comprehensive
- Responsive to changes
- High quality
- A shared reality
The natural solution is:
Open source (GitHub) with quality control
It then helps:
- Internal compliance tools
- Commercial tools
THE CERTIFICATION PROCESS
ISO/IEC 27701 has a clearly established certification process.
Application and quote
Obtain a quote for your certification project.
Competence
Identify any skill and competence gaps that your staff may have.
Gap assessment
Identification of any weaknesses.
Stage 1
Confirmation that management system implementation is on the right track.
Stage 2
Confirmation that the management system is fully implemented.
Certification
Share your success with the world.
Ongoing improvement
Regular surveillance visits ensure your management.
YOUR NEXT STEPS
Armed with the above, you should review ISO/IEC 27001 (again), as well as ISO/IEC 27701’s content. You can also try the regulatory mapping tool at https://www.dpmap.org.
HOW WE CAN HELP
With expertise in all major industries, we understand each sector’s pain points and have the technical skills and logistical capabilities to ensure realistic outcomes.
An audit against ISO/IEC 27701 from us will help your organization stand out from the crowd by supporting you to develop and improve processes, build skilled talent and sustain customer relationships.
In addition, we offer a range of complementary services across:
- Information security
- Cloud
- Data privacy
- Availability
SGS Academy has also just launched these training courses:
- ISO/IEC 27701 Requirements
- ISO/IEC 27701 Implementation
- ISO/IEC 27701 Lead Implementer
With a global presence, we have a history of successfully executing large-scale, complex international projects. We speak the language, understand local markets and operate consistently, reliably and effectively globally.
Manage your privacy, protect your business and customers. Learn more here.
About SGS
We are SGS – the world’s leading testing, inspection and certification company. We are recognized as the global benchmark for quality and integrity. Our 96,000 employees operate a network of 2,600 offices and laboratories, working together to enable a better, safer and more interconnected world.