ISO 27701 Implementation
ISO 27701: Introducing a Privacy Extension to Your Organisation’s Information Security Management System
This international standard, which provides guidance and requirements on privacy protection for both controllers and processors of personal data, is positioned as the privacy extension to ISO/IEC 27001 (Information Security Management) and ISO/IEC 27002 (Security Controls).
The standard also aims to let an organisation align or integrate its PIMS (privacy information management system) with the requirements of management system standards it already conforms to, such as ISO 27001 and 27002, so that the organisation adopts one harmonised approach to information management best practices.
Besides organisations acting as a controller or processor, the scope of the standard encompasses all types and sizes of companies, including public and private, government entities and non-profit organisations processing personal data within an ISMS.
It is important to highlight that, because this standard builds on the requirements, objectives and controls of ISO 27001, a separate, stand-alone ISO 27701 certification cannot be sought or achieved. An organisation must either already be certified to ISO 27001 or seek certification to both standards together.
Potential benefits for your Organisation
International recognition of the organisation: certification against an international standard lets you earn international recognition. This supports growing your operations across the world and maintaining the company's reputation, since it shows that your practices are aligned with a certified international standard for a privacy information management system. If the organisation already conforms to ISO 27001, that can be leveraged as the base for ISO 27701, which is an add-on to your organisation's existing ISO 27001 certification framework.
Global privacy compliance made easier: complying with this standard supports compliance with legal and regulatory requirements. It is important to note that, besides the GDPR, data protection legislation from other jurisdictions (for instance Canada, California, Brazil and Australia) is taken into account, which makes ISO 27701 a global standard. The standard does, however, map GDPR requirements to help organisations comply with the regulation, which further helps them demonstrate accountability while managing PII and instils trust and confidence in their stakeholders. Compliance with the standard can therefore serve as a good privacy metric.
Helps identify and mitigate risks: information security risks emerge when businesses process personal information about individuals, such as names and addresses, or sensitive personal information such as healthcare data. A PIMS standard can help mitigate such risks with clear requirements on what actions should be taken and how assets and personal data should be protected.
Do you want more information?
Are you considering obtaining the ISO 27701 certificate? Or do you want to gain insight into what it would mean for your organisation?
Reach out through the form below or give us a call: +32 2 310 39 63.