What is ISO/IEC 27701?
ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is written as an extension to ISO/IEC 27001 and ISO/IEC 27002 for the management of privacy within organizations. The standard was developed under the draft number ISO/IEC 27552 and renumbered to ISO/IEC 27701 on publication.
The standard sets out PIMS-related requirements and provides guidance to PII (Personally Identifiable Information) controllers and PII processors, the parties responsible and accountable for PII processing.
Organizations of all sizes and types can benefit from ISO 27701, including public and private companies, government bodies, and non-profit organizations that act as PII controllers and/or PII processors and process PII within an ISMS.
Abbreviations, definitions, and terms:
- PII controller: A privacy stakeholder (typically an organization, not an individual employee) that determines the purposes and means of processing personally identifiable information (PII)
- PII processor: A privacy stakeholder that processes PII on behalf of, and in accordance with the instructions of, a PII controller
- Joint PII controller: PII controller that, in collaboration with one or more other PII controllers, determines the purposes and means of PII processing
- Privacy Information Management System (PIMS): ISMS (Information Security Management System) that addresses the protection of privacy as it may be impacted by the processing of PII
What are the requirements for ISO 27701?
A privacy information management system is not the same as an ISMS, but the two are closely related. The ISO 27701 approach recognizes that information security (preserving the confidentiality, integrity, and availability of information) is a critical component of effective privacy management, and that the ISMS requirements documented in ISO 27001 can be extended with sector-specific requirements without a new management system specification.
ISO 27701 specifies the additional requirements for an ISMS that address privacy and the processing of PII. These are supplemented by additional controls for data protection and privacy. Taken together, the result is what the Standard calls a Privacy Information Management System (PIMS).
Like other ISO standards, ISO 27701 is divided into clauses. Clauses 5 to 8 contain the PIMS-specific requirements and guidance that extend ISO 27001 and ISO 27002:
- Clause 5: PIMS-specific requirements related to ISO 27001
- Clause 6: PIMS-specific guidance related to ISO 27002
- Clause 7: Additional ISO 27002 guidance for PII controllers
- Clause 8: Additional ISO 27002 guidance for PII processors
The standard also contains six useful annexes:
- Annex A: Lists the applicable control objectives and controls for PII controllers
- Annex B: Lists the applicable control objectives and controls for PII processors
- Annex C: Mapping of ISO/IEC 27701 clauses to ISO/IEC 29100
- Annex D: Mapping of ISO/IEC 27701 clauses to the GDPR
- Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
- Annex F: Guidance on applying ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
Why should you be ISO 27701 compliant?
Before delving into the benefits of this standard, keep in mind that compliance with ISO 27701 first requires meeting the requirements of ISO 27001; the two standards are designed to complement one another.
Organizations that adopt ISO 27701 can provide documentary evidence that they protect and secure PII. This evidence can facilitate agreements with business partners where PII processing is critical, and it can be shared with other stakeholders to explain how the organization processes PII. The standard can also help demonstrate alignment with other privacy frameworks. For example, the GDPR currently lacks an accredited certification method; recent reports indicate that ISO 27701 may change that in the near future. Until then, an ISO 27701 certificate is not itself a GDPR certification, and the Annex D mapping shows alignment rather than proving legal compliance.
Strong data protection is especially valuable given the recent increase in fines and complaints concerning the privacy and security of PII. Organizations must also build trust with regulators, partners, customers, and employees, and a recognized standard makes a significant contribution to that trust.
How to achieve compliance?
ISO 27701 is an extension of ISO 27001. Organizations already compliant with ISO 27001 can implement the requirements and controls of ISO 27701 as an extension of their existing security and privacy practices in order to manage the privacy of the PII they handle.
The following are the steps towards compliance:
- Define your role: PII controller, PII processor, or both
- Implement the privacy principles and controls required by the ISO/IEC 27701 standard
- Communicate with your stakeholders and supply chain to gather feedback on your current privacy posture
- Train your employees and raise awareness across the entire organization, with training courses that motivate and support staff
- Review your ISO/IEC 27701 processes regularly to ensure they remain effective and that you are continually improving them
The Centraleyes platform provides solutions that streamline and support the process of achieving compliance, such as built-in questionnaires, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring. These tools assist with meeting the ISO 27001 requirements, both for companies that choose to use it as a risk framework and for those preparing for full compliance with ISO 27701.
Through the Centraleyes platform, your organization will also gain full visibility into its cyber risk levels and compliance status and be fully prepared for the necessary audits.