ISO/IEC 27701:2019

What is ISO 27701?

ISO 27701 was released in August 2019 and seeks to provide a truly international approach to privacy protection as a component of information security. ISO 27701 is a framework for data privacy that builds on ISO 27001. This privacy best practice guides organizations on the policies and procedures that should be in place to comply with GDPR and other data protection and privacy regulations and laws.

The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard's operational checklists; the records are then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard. ISO 27701 helps companies maintain an effective privacy and information security system and reduce privacy risks. It is an impressive way of demonstrating to consumers, external organizations and internal stakeholders that mechanisms are in place to keep data safe and to comply with GDPR and other privacy laws. Because ISO 27701 is an extension of ISO 27001, organizations intending to obtain ISO 27701 certification must already hold ISO 27001 certification or implement both standards simultaneously.

Benefits of ISO 27701

  • Identifies and mitigates risk by implementing rigorous privacy controls.
  • Provides greater security guarantees on the processing of personal data.
  • Defines roles and responsibilities for the processing of personal data.
  • Improves the management of contracts with data processors.
  • Improves mechanisms for the notification of personal data privacy breaches.
  • Promotes the adoption of privacy by design and by default in the processing of personal data.
  • Facilitates compliance by data controllers with their obligations regarding the exercise of data subjects' personal data protection rights.
  • Helps organizations demonstrate compliance with the principles set out in data protection legislation and other regulatory regimes.
  • Provides a mechanism to demonstrate compliance to the relevant authority.
  • Inspires stakeholder confidence by placing data protection at the heart of your business.

Why was ISO 27701 developed?

ISO 27701 was developed to provide a standard for data privacy controls which, when coupled with an ISMS, allows an organization to demonstrate effective privacy data management. ISO 27701 establishes the parameters for a PIMS in terms of privacy protection and the processing of personally identifiable information (PII).

The data protection standard

The Data Protection Act (DPA) came into law to regulate how personal or consumer data is used by companies and government agencies in the UK. It safeguards individuals and establishes guidelines for the use of personal data.

The General Data Protection Regulation (GDPR) seeks to establish a common set of data protection laws for all EU member states. Even if they are not in the country where their data is stored, GDPR makes it easier for EU citizens to understand how their data is being used and to file any complaints, should they have a problem with how their information is used. The ISO 27701 Standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR, and similar laws and regulations.

What’s personally identifiable information?

Personally identifiable information is data that can be used to specifically identify a person. By itself, the information may not necessarily be sensitive but, when taken in context, this data can lead to a variety of conclusions about an individual or company.

Personally identifiable information includes an individual's name, address, date of birth, national insurance number, phone number, email address, and so on. PII may also include electronic identifiers, like IP addresses, geo-location tags, and ID numbers.

What is privacy information management?

Privacy information management covers the methods an organization has for collecting, processing, storing, and destroying personally identifiable information, also known as PII. Putting in place a privacy information management system ensures that organizations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be serious. For example, the maximum fine is about €17 million or 4% of total worldwide turnover (whichever is higher).

What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organization is already acquainted with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward. ISO 27701 is also based on other standards, like ISO 27002 and ISO 29100. ISO 27701 adds a data privacy layer to previous information security standards. If you are ticking the boxes for other standards you may be ticking some of the boxes for ISO 27701 already.

Important points to remember about ISO 27001 and PIMS:

PIMS provides new controller- and processor-specific controls that help organizations overcome the challenges of privacy and security by establishing a point of convergence between what could be two different functions.

Security is important for privacy. ISO 27701 PIMS relies on ISO 27001 for security management. ISO 27701 certification is only available as an add-on to ISO 27001 certification and cannot be obtained as a standalone certificate.

With an ISO 27701 certificate, show your customers and business partners that information security is a priority for you.


Would you like to learn more about information security management certification? Feel free to contact us!

HOW CAN KOMPLEYE HELP?

With in-depth industry knowledge and extensive experience in the field of cybersecurity maturity models like HITRUST CSF, CSA STAR Attestation, and cybersecurity frameworks (e.g. ISO 27001:2013, NIST 800-171), we aim to offer the finest quality of services to your organization. With a team of experienced specialists, we can provide a seamless and streamlined assessment process, offering the most appropriate recommendations based on the immediate needs of your firm and operations. Simply get in touch with us for a free 1-hour consultation with an ISO certification process partner. You will also receive all relevant information regarding the ISO certification process. Contact us at info@kompleye.com or call +1 (703) 814-0119.

NEED EXPERT SERVICES?

Kompleye is one of the best Cybersecurity and Compliance Audit organizations in the United States. Get your ISO certification done by highly experienced consultants in the United States.
