Privacy Management – The Case for a Global Approach Leveraging ISO/IEC 27701

DEFINING ISO/IEC 27701

ISO/IEC 27701 certification is integral to a Privacy Information Management System (PIMS). The standard is an extension of ISO/IEC 27001 (information security management) and ISO/IEC 27002 (security controls).

Building on the two standards, ISO/IEC 27701 specifies the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS specific to your organization.

It outlines PIMS-related requirements and guidance for Personally Identifiable Information (PII) controllers and processors that are responsible and accountable for PII processing. ISO/IEC 27701 applies to all organizations that are PII controllers and/or processors that process the relevant information within an Information Security Management System (ISMS).

MAPPINGS TO OTHER STANDARDS AND REGULATIONS

The standard includes mappings to Global Data Protection Regulation (GDPR), ISO/IEC 29100 (privacy frameworks), ISO/IEC 27018 (protecting PII in public clouds acting as PII processors) and ISO/IEC 29151 (PII protection).

ISO/IEC 27701’S KEY BENEFITS

The standard can lead to:

• Greater trust in managing personal information
• More transparency between key people
• Effective business agreements
• Defined roles and responsibilities
• Compliance with privacy regulations
• Decreased complexity through integration with ISO/IEC 27001

Compliance with ISO/IEC 27001’s requirements is a prerequisite for compliance with ISO/IEC 27701. These standards are intended to complement each other.

Fulfilling ISO/IEC 27701’s requirements will show evidence of how an organization is processing PII. This can be used to facilitate agreements with business partners where PII processing is relevant. It also clarifies the organization’s processing of PII to other stakeholders.

KEY REQUIREMENT AREAS

Scope

You need to understand your management system requirements and intended application.

Normative references

You must familiarize yourself with these documents, which are referred to throughout the standard, including:

• ISO/IEC 27000 and ISO/IEC 27001 (information security management)
• ISO/IEC 27002 (code of practice for information security controls)
• ISO/IEC 29100 (privacy framework)
• Terms and definitions

This section provides a few more definitions used in the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100.

General

You must learn an overview of the document’s structure and location of PIMS-specific requirements concerning ISO/IEC 27001 and ISO/IEC 27002.

PIMS-specific clauses

For your PIMS, you need to learn the specific requirements related to ISO/IEC 27001 and guidance on ISO/IEC 27002.

PII controllers & processors

There are two clauses with additional guidance on PII controllers and processors.

THE DESIGN INTENT OF ISO/IEC 27701

There is a universal set of operation controls to capture privacy regulations in practice.

For example, GDPR would be mapped to ISO and compliance controls, leading to goods and services and/or product development and vendor management. A third-party audit of compliance controls would lead to certification for sufficient demonstration of compliance.

WHY OPEN-SOURCE REGULATORY MAPPING?

Mappings must be:

• Comprehensive
• Responsive to changes
• High quality
• A shared reality

The natural solution is:

Open source (GitHub) with quality control

It then helps:

• Internal compliance tools
• Commercial tools

THE CERTIFICATION PROCESS

ISO/IEC 27701 has a clearly established certification process.

Application and quote

Obtain a quote for your certification project.

Competence

Identify any skill and competence gaps that your staff may have.

Gap assessment

Identification of any weaknesses.

Stage 1

Confirmation that management system implementation is on the right track.

Stage 2

Confirmation that the management system is fully implemented.

Certification

Share your success with the world.

Ongoing improvement

Regular surveillance visits ensure your management.

YOUR NEXT STEPS

Armed with the above, you should review ISO/IEC 27001 (again), as well as ISO/IEC 27701’s content. You can also try the regulatory mapping tool at https://www.dpmap.org.

HOW WE CAN HELP

With expertise in all major industries, we understand each sector’s pain points and have the technical skills and logistical capabilities to ensure realistic outcomes.

An audit against ISO/IEC 27701 from us will help your organization to stand out from the crowd by supporting you to develop and improve processes and increase skillful talent and sustainable customer relationships.

In addition, we offer a range of complementary services across:

• Information security
• Cloud
• Data privacy
• Availability

SGS Academy has also just launched these training courses:

• ISO/IEC 27701 Requirements
• ISO/IEC 27701 Implementation
• ISO/IEC 27701 Lead Implementer

With a global presence, we have a history of successfully executing large-scale, complex international projects. We speak the language, understand local markets and operate consistently, reliably and effectively globally.

Manage your privacy, protect your business and customers. Learn more here.