ISO/IEC 27701 specifies the requirements for a Privacy Information Management System (PIMS). The standard is an extension of ISO/IEC 27001 (information security management system requirements) and ISO/IEC 27002 (information security controls).
Building on those two standards, ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a PIMS within the context of your organization.
It outlines PIMS-related requirements and guidance for Personally Identifiable Information (PII) controllers and processors that are responsible and accountable for PII processing. ISO/IEC 27701 applies to all organizations that are PII controllers and/or processors that process the relevant information within an Information Security Management System (ISMS).
The standard's annexes map its controls to the General Data Protection Regulation (GDPR), ISO/IEC 29100 (privacy framework), ISO/IEC 27018 (protection of PII in public clouds acting as PII processors) and ISO/IEC 29151 (code of practice for PII protection).
The standard can lead to:
Conformity with ISO/IEC 27001's requirements is a prerequisite for conformity with ISO/IEC 27701: ISO/IEC 27701 cannot be certified on its own, only as an extension of an ISO/IEC 27001 certification. The two standards are intended to complement each other.
Fulfilling ISO/IEC 27701's requirements provides evidence of how an organization processes PII. This can be used to facilitate agreements with business partners where PII processing is relevant, and it clarifies the organization's processing of PII to other stakeholders.
Before you start, be clear about which management system requirements apply to you and how you intend to apply the standard.
You must also familiarize yourself with the normative references that are cited throughout the standard, including:
Terms and definitions
This clause adds a few definitions used in the standard that are not already given in ISO/IEC 27000 and ISO/IEC 29100.
The standard also gives an overview of its own structure and of where the PIMS-specific requirements sit in relation to ISO/IEC 27001 and ISO/IEC 27002.
For your PIMS, the specific requirements that extend ISO/IEC 27001 are in clause 5, and the specific guidance that extends ISO/IEC 27002 is in clause 6.
PII controllers & processors
Two further clauses give additional guidance: clause 7 for PII controllers and clause 8 for PII processors.
The standard provides a single set of operational controls onto which different privacy regulations can be mapped, so that regulatory obligations are captured in practice.
For example, GDPR obligations can be mapped to ISO/IEC 27701 controls, which are then applied in product and service development and in vendor management. A third-party audit of those controls leads to certification, which serves as demonstrable evidence of compliance. Note that an ISO/IEC 27701 certificate is not itself a GDPR certification under Article 42; it is supporting evidence for the accountability principle.
Mappings must be:
The natural solution is:
It then helps:
ISO/IEC 27701 has a clearly established certification process.
Application and quote
Obtain a quote for your certification project.
Identify any skill and competence gaps that your staff may have.
Identification of any weaknesses.
Confirmation that management system implementation is on the right track.
Confirmation that the management system is fully implemented.
Share your success with the world.
Regular surveillance visits ensure your management.
Armed with the above, you should review ISO/IEC 27001 (again), as well as ISO/IEC 27701’s content. You can also try the regulatory mapping tool at https://www.dpmap.org.
With expertise in all major industries, we understand each sector’s pain points and have the technical skills and logistical capabilities to ensure realistic outcomes.
An ISO/IEC 27701 audit from us helps your organization stand out from the crowd by supporting you to develop and improve processes, build skilled staff and sustain customer relationships.
In addition, we offer a range of complementary services across:
SGS Academy has also just launched these training courses:
With a global presence, we have a history of successfully executing large-scale, complex international projects. We speak the language, understand local markets and operate consistently, reliably and effectively globally.
Manage your privacy, protect your business and customers. Learn more here.