ISO 27701: A Pathway to Privacy and Regulatory Compliance

Information security is a crucial element of your security ecosystem. For any organization, information security exists as part of a wide-ranging and complex security ecosystem. If any part of that ecosystem is neglected, it can have a significant knock-on impact that puts your organization at the mercy of increasingly malicious threats which pose a substantial risk to your business and your stakeholders.

ISO 27701 – the first global privacy standard – demonstrates the importance of and demand for improved privacy protection. In this technology-driven world, it is critical to protect your organization’s data and that of your customers. Implementing an information security management system (ISMS) and gaining ISO 27001 certification will ensure you have in place the processes and controls to protect your information assets and manage the threats posed to your organization from cyber-attacks. Below are the answers to some commonly asked questions regarding ISO 27701.

What is ISO 27701?

ISO 27701 is an extension to ISO 27001. Although it is based on ISO 27001, it includes specific requirements, objectives and controls relating to the implementation of a Privacy Information Management System (PIMS). ISO 27701 is a major step forward for privacy. It goes beyond existing regulations by providing actual guidance to organizations on how to act on data protection and privacy, helping them protect personally identifiable information (PII) and enabling them to achieve compliance with applicable regulations.

ISO 27701 focuses on implementing, maintaining and continually improving your PIMS. This improvement-centric approach is about foresight and keeping companies ahead of threats, taking things a step further than many existing regulations.

What Are the Benefits of ISO 27701 Certification?

Privacy and data protection are high on the agenda of all stakeholders. ISO 27701 certification awarded by a reputable third-party certification body is an independent and impartial stamp of approval that demonstrates compliance and provides a competitive advantage. When a certified organization uses ISO 27701 to extend its focus to cover privacy management, it shows stakeholders that measures have been taken to achieve compliance with applicable laws and regulations.

Under the GDPR, data protection by design is a legal requirement. Although many organizations claim they’ve already achieved this, it’s often difficult to evidence. This is another area where ISO 27701 provides more guidance.

Who Should Seek ISO 27701 Certification?

All organizations handle some form of PII, which means ISO 27701 could be relevant to all businesses. We expect it to be popular with those handling sensitive data for whom a breach could be catastrophic – e.g. healthcare companies. When auditing these organizations, we often see that top management aren’t clear about what’s expected from them regarding protecting sensitive information. This creates risks which an ISO 27701-certified PIMS can help mitigate with clear requirements on what actions should be taken and how assets and personal data should be protected.

Can an ISO 27701 and ISO 27001 Assessment Be Performed at the Same Time?

ISO 27701 has been developed to be integrated within an ISO 27001 ISMS and cannot be assessed in isolation. This reduces duplication and saves time. Integrated assessments also enable auditors to perform deeper audits, going above and beyond the ISMS in isolation, yielding more insights and results.

Is an ISO 27701 Certified Organization Also GDPR Compliant?

Although links exist between the two, they’re not the same. GDPR addresses individuals’ rights whereas ISO 27701 is an auditable management system standard. While they share some of the same contents, the principles of the two are different.

If a Breach Occurs, How Could ISO 27701 Certification Evidence That Appropriate Steps Were Taken to Manage Risks?

A certified organization would have guidance in place to help manage such a situation. This would include policies, procedures and processes which dictate the response and address crucial questions, for example who to contact. This type of approach and recognition of legal requirements is at the core of all ISO standards. The systems implemented under ISO 27701 can provide evidence that the processing activities of an organization are compliant with the GDPR. ISO 27701 also adds value in its ability to give an organization insight into how well they’re addressing and managing privacy.

A business doesn’t need ISO certification to carry out key actions; however, certification provides more of a guarantee that you’ve implemented adequate processes. A certified organization has been through an impartial assessment that evidences credibility, effectiveness and commitment while confirming that everything is in place for an appropriate reaction to a data breach.

How Does ISO 27701 Encourage Continual Improvement?

Continual improvement sits at the heart of any ISO standard. It’s important that organizations strive for this, and when considering privacy and data protection, it couldn’t be more important. Organizations must look at their environment and context to identify changes. This allows risk assessments to be optimized, improvements made and risks mitigated.
