The ISO 27001 standard has been a staple of cybersecurity compliance for some time. In August 2019 it was joined by a privacy counterpart, ISO 27701, which offers a more strategic, privacy-focused approach to compliance.
To learn more, Infosecurity recently spoke to Arti Lalwani, who leads A-LIGN’s ISO practice and had recently certified a client to 27701.
She said “we were one of the first accredited by ANAB” and she regarded it as a large feat to “be one of the first to go through that.”
According to IT Governance, ISO 27701 specifies the requirements for – and provides guidance on establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system), while ISO describes 27701 as an extension to 27001 that helps organizations manage privacy risks relating to personally identifiable information (PII). Lalwani said that the standard takes an overarching view of other privacy compliance regimes, but also offers a very specific certification.
So how hard is it to comply with? If you’re complying with GDPR or other data protection regulations, is it a case of being almost at the level of compliance already? Lalwani said: “So you’re absolutely almost halfway there if you’re running through a GDPR compliance aspect. One of the first things that we would talk about is how you would classify yourself as an organization, and that is one of the main things for GDPR. Are you a controller? Are you a processor?
“Once you already have that category set up, then it is easier to run your compliance of privacy policies around that, to run your DPO around that. So it is very much set on the compliance that most people have already put into place.”
Lalwani admitted that GDPR compliance is far from easy, but she said that once you have achieved a state of compliance, it is easier to achieve ISO 27701 certification. In her view, the only thing that really sets it apart from GDPR overall, other than the certification aspect, is that companies that do not hold EU PII can also get certified.
What exactly is 27701 trying to regulate? Lalwani said any management system can be seen as an outline that describes, in essence, what your company is. “So it’s dependent upon the scope of what that organization is classifying that they need to be certified to,” she said.
“It’s really a management system of saying: what are the risks that are going to come at your organization? Whether it’s from a management system of a 27001, or from the 27701, the privacy aspect, what if your PII gets out? How is that contained? What would be the guideline and process if something does happen?”
Lalwani believed that these standards started to be introduced and adopted “when we started seeing people and organizations hosting all of their data in a public cloud,” and we were not clear on how secure that information was. Since then, there has been such a big increase in the number of breaches, and the number of vulnerabilities, that a lot of PII is getting out. “I think because of that we are seeing these standards growing into a more privacy aspect.”
Overall, did she think 27701 was a positive thing? “I think me and our main privacy guy here would also agree that this is going to be a very big thing and it’s only the start of it,” she said. “Having something that is certifiable makes a huge difference to send a certificate to a vendor versus just saying that we’re GDPR compliant.”
She believed it would gain traction once people start realizing that it is easier to avoid vendor questionnaires simply by sending in a compliance certificate.
She also said that, having gone through such a stringent audit for 27001 certification, only having to add on the extension to be certified to 27701 makes it worth it. “So from an A-LIGN opinion, I think this is going to become a very big thing in the next year or so, just like 27001 has become such a large thing for the past couple of years in the US.”