ISO 27701: The New International Privacy Standard to Demonstrate Compliance with Privacy Laws


In August 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released a new privacy standard set to become the benchmark for helping organizations comply with international privacy frameworks and laws. ISO/IEC 27701:2019 serves as a privacy extension to the internationally recognized management standard for information security, ISO/IEC 27001, which already enjoys significant global adoption rates.

ISO 27701 is designed to be implemented by organizations worldwide that collect and process personally identifiable information (PII) and was developed to help organizations comply with key privacy laws, such as the General Data Protection Regulation (GDPR).

Privacy laws introduced within the past few years such as the GDPR, the UK DPA (Data Protection Act) 2018 and the CCPA (California Consumer Privacy Act) prove that authorities and regulatory bodies are raising the bar on baseline information security and data privacy, and impose significant fines for non-compliant organizations that suffer a data breach. Organizations now face more significant consequences for breaches that result from failing to embrace legal requirements.

What is ISO 27701 and what is a privacy information management system?

ISO 27701 provides a framework that helps organizations to implement, maintain and continually improve a privacy information management system (PIMS). It sets the provisions for implementing a PIMS by expanding on the requirements and guidance provided by ISO 27001 and its recommended controls and measures.

It sets out the requirements for extending an information security management system (ISMS) to address privacy management.

What is ISO 27001 and how do these two standards support GDPR compliance?

ISO 27001 is designed to help organizations manage their information security processes in line with international best practice while optimizing costs. It provides the specification for managing information security through working arrangements, policies, procedures and other controls involving people, processes and technology to help organizations protect and manage all their data.

Combined with ISO 27001, ISO 27701 can help organizations demonstrate how their management arrangements support compliance with key privacy laws – a critical benefit when evidence of robust data privacy practices is sought by a supervisory authority following a breach.

While the GDPR does not specifically mention adopting ISO 27001 (or ISO 27701) as a pathway to support compliance, many organizations already recognize ISO 27001 as the global benchmark for information security management. According to the 2018 ISO survey, there are around 32,000 organizations with an ISO/IEC 27001-compliant ISMS certificate worldwide and the number is increasing.

Certification to standards such as ISO 27001 brings a wide range of benefits above and beyond simple certification. According to the ISO 27001 Global Report 2018, 81% of organizations implementing an ISMS are doing so to meet growing client demands for increased data security, while 62% reported improved staff awareness of information security as one of the key benefits of implementing an ISMS.

Implementing a PIMS as an extension to an existing ISMS

If an organization has implemented ISO 27001, it can use ISO 27701 to extend its security efforts to cover privacy requirements. Organizations that have not implemented an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project, but ISO 27701 cannot be implemented as a standalone standard. The reason for this is that an ISO 27001-conforming ISMS is the core onto which the ISO 27701 additions for privacy are built.

The benefits of implementing a PIMS

While an ISO 27701-conformant PIMS is likely to be valuable for any organization with data protection obligations, it is likely to be of special interest to organizations that operate internationally, work with clients from other jurisdictions or operate in international supply chains. These organizations are often required to comply with a variety of privacy regulations and laws, and ISO 27701’s approach can make this challenge more approachable.

The framework helps organizations appropriately address their information security and privacy risks and could reduce the time spent on client-requested and contractually required audits.

Extending an ISO 27001-conforming ISMS with ISO 27701 can provide evidence that the organization has taken steps to implement “appropriate technical and organizational measures” to reduce risks and protect personal data, as required by an increasing range of privacy laws globally.

By implementing a PIMS as an extension to an existing ISO 27001-compliant ISMS, an organization can collect and process data – including personal data – in a systematic way, manage risks related to the confidentiality, integrity and availability of information, and respond to evolving threats and risks to that data and its privacy.

A privacy information management system also allows organizations to reduce the costs associated with privacy and information security by constantly adapting to changes both in the environment and within the organization, significantly increasing its resilience to cyber attacks.

Why consider ISO 27001 certification?

Although accredited certification can currently only be awarded against the ISO 27001 requirements and not against ISO 27701, the increasingly regulated security and privacy landscape, together with the dramatic increase in cyber attacks on businesses regardless of size, should only encourage organizations to adopt international frameworks such as ISO 27001 and ISO 27701.

Independently accredited certification can support bids for government-funded projects, provide clients with proof of security practices, and assure the board and supervisory authorities that an organization takes accountability for data privacy in line with this international framework and other legal provisions.

With the introduction of data protection laws with significant teeth, we should see more organizations than ever adopt internationally recognized standards such as ISO 27001 and its new extension.

By certifying to ISO 27001, an organization can demonstrate that it has taken the appropriate steps to meet its legal and regulatory obligations to reduce and manage data security risks. Keep informed on the development of an ISO 27701 accredited certification scheme by following IT Governance on social media.


About Author

Steve Watkins is the Executive Director of IT Governance Europe. He is an authority on information security management and ISO 27001 implementation and is co-author (with Alan Calder) of the definitive compliance guide, IT Governance – An International Guide to Data Security and ISO27001/ISO27002. Steve is Chair of the ISO/IEC 27001 User Group, the UK Chapter of the ISMS International User Group, and an ISMS Technical Assessor for UKAS, advising on its assessments of certification bodies offering accredited certification. Steve sits on the IST/33 committee, responsible for the UK’s contributions to the revisions of the ISO2700x series of standards, and RM/1, the committee responsible for BS 31100, the British standard for risk management, and the UK’s contributions to ISO 31000.