ISO / IEC 27701: 2019 is a privacy extension to the international information security management standard ISO / IEC 27001 (ISO / IEC 27701 Security techniques - Extension to ISO / IEC 27001 and ISO / IEC 27002 for privacy information management - Requirements and guidelines).
ISO 27701 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a PIMS (privacy information management system).
ISO 27701 builds on the requirements, control objectives and controls of ISO 27001 and adds a set of privacy-specific requirements, controls and control objectives.
Both the EU GDPR (General Data Protection Regulation) and the British DPA (Data Protection Act) 2018 require organizations to take measures to ensure the confidentiality of the personal data they process.
However, neither regulation gives much guidance on what these measures should look like.
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) therefore developed this new standard to provide this guidance.
This standard sets out requirements within the framework of GDPR and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension to ISO / IEC 27001 and ISO / IEC 27002. It specifies the PIMS-related requirements and provides guidance for PII controllers and PII processors that hold responsibility and accountability for PII processing. It applies to organizations of all types and sizes, including PII controllers and / or PII processors that process PII within an ISMS, whether public or private companies, government agencies or non-profit organizations.
In the style of the sector-specific ISO / IEC 27001 variants, the roughly 70-page standard focuses on the clause-by-clause differences between a PIMS and the 27001 and 27002 standards it extends.
For example:
“ISO / IEC 27001: 2013, 6.1.3 c) is refined as follows:
The controls determined in ISO / IEC 27001: 2013, 6.1.3 b) shall be compared with those in ISO / IEC 27001: 2013, Annex A and / or Annex B of this document to verify that no necessary controls have been omitted.
When assessing the applicability of the control objectives and controls in ISO / IEC 27001: 2013, Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both information security risks and risks related to the processing of PII, including risks to PII principals.”
This reduces the risk to the privacy rights of individuals, and the associated risk to organizations, by building on an existing Information Security Management System.
This standard is an effective way to show clients, external stakeholders and internal stakeholders that effective systems exist to support compliance with GDPR and other relevant privacy legislation.
Organizations wishing to obtain ISO 27701 certification in support of GDPR compliance will either need to hold an existing ISO 27001 certificate or pursue ISO 27001 and ISO 27701 together in a single combined audit. ISO 27701 is a natural extension of the requirements and guidance set out in ISO 27001.
The ISO 27001 standard provides a framework for an Information Security Management System (ISMS) that ensures continuing legal compliance as well as the confidentiality, integrity and availability of information. More than 60,000 organizations worldwide have been certified to ISO 27001 to date, and certification has proven to be an important part of protecting an organization's most vital assets.
Significant conflicts between the system and technical requirements of a privacy information management system and those of an information security management system make adopting ISO 27001 and ISO 27701 together a challenging undertaking.
First, it is determined whether the organization meets the mandatory requirements of the standard and whether it can proceed to the next stage.
Next, it is checked whether the necessary procedures and audits have been developed, and your institution's readiness for assessment is reviewed.
The findings from the first two stages are evaluated and, once all corrective actions have been reviewed, preparation of the certification documentation begins.
To make an appointment, obtain more detailed information or request an assessment, fill in our form and we will contact you.