What is the ISO 27701 standard?

General information about the standard ISO 27701


Gain confidence that your business can demonstrate privacy compliance with a certified Privacy Information Management System (PIMS). Organizations increasingly need to prove to potential customers, business partners and regulators that they can keep personal information (PI) secure and can comply with laws (e.g. CCPA, GDPR) that define how PI is stored, processed and managed.

ISO/IEC 27701:2019 is an extension to ISO/IEC 27001. The ISO 27701 standard is the first global information privacy management standard that contains requirements, objectives and security controls related to the effective implementation of a Privacy Information Management System (PIMS). It also covers how organizations should effectively manage personal information and helps them achieve compliance with various other international privacy regulations.

PIMS management and monitoring

A well-defined and designed PIMS is an asset to any organization from the point of view of its information security. Our consulting service effectively manages your PIMS with continuous improvement and recommendations for optimal privacy levels. We focus on your PIMS through strict control and monitoring policies as part of the critical requirement to maintain the right privacy posture.

Addressing privacy and information security simultaneously

Information security and privacy are interrelated. While privacy is concerned with the rights that govern the use of personal information, information security concentrates on the protection of personal data. A robust system implementation must meet security requirements while meeting privacy requirements.

ISO/IEC 27701 (PIMS), the extension of ISO/IEC 27001 (ISMS), bridges the gap between information privacy and security. The integration can create an effective information security and privacy management system (ISPMS) capable of meeting the highest security requirements.

ISO/IEC 27701 and GDPR complement each other as most GDPR requirements adhere to the same rules. While GDPR compliance defines the security principles and policies for effective data handling, ISO 27701 ensures data confidentiality and integrity. Both help organizations effectively manage and reduce risks around personal information.

Organizations seeking ISO/IEC 27701 certification in compliance with the GDPR should first acquire ISO/IEC 27001 certification, as ISO 27701 is an extension of the latter. If organizations are not previously certified to ISO 27001, it is strongly recommended to implement ISO 27001 and ISO 27701 together.

A major step forward in information privacy is compliance with ISO/IEC 27701. IS Consult Service is a leading and trusted ISO 27701 consultant that helps its clients build and certify a robust Privacy Information Management System (PIMS).

How do I implement this standard?

ISO 27701 compliance certification can at most be achieved indirectly. For example, it is possible to mention ISO 27701 in the context of the ISO 27001 certificate, after appropriate verification, with a reference in the Statement of Applicability. ISO 27701 extends the requirements of ISO 27001 to take into account the protection of personal data privacy.

The standard is entirely based on ISO 27001. This means that, first of all, to comply with ISO 27701, all points of ISO 27001 must be fulfilled. Most of the requirements of ISO 27001 also apply to ISO 27701.

Certification

We are happy to carry out the audits for you that are required to obtain ISO 27701 certification. As every organization is unique, we are happy to talk to you about your starting position and determine what steps (perhaps) still need to be taken to be ready for certification. We then make a customized certification proposal for you. The cost of ISO 27701 certification depends on several factors, such as the size and complexity of your organization.

Please note! ISO 27701 certification can only be obtained in combination with accredited ISO 27001 certification.

Do you already have accredited ISO 27001 certification from another certification body? Call us to discuss the possibilities.

IS Consult Service's ISO 27701 consulting services are performed by cyber security experts who have many years of experience in conducting security audits and implementing control measures in the field of privacy and data protection. We can help you achieve ISO compliance.

Our approach to ISO/IEC 27701 compliance

Choosing a PIMS strategy

The initial step of ISO 27701 certification services is to choose the right approach in developing a Privacy Information Management System (PIMS) that correlates with business objectives, compliance needs and other privacy needs. The PIMS development process relies heavily on the defined strategic objectives and its privacy controls.

PIMS scope analysis

The scope defines the requirements for the PIMS, which helps create an ideal framework for implementing, maintaining and improving compliance with the data protection standard. Defining the scope of the PIMS is the main element of sound practice in implementing ISO 27701. It covers external/internal issues, specific needs, organizational objectives, risk acceptance levels and regulatory obligations.

PIMS Gaps & Risk Assessments

This phase involves conducting privacy impact assessments and security risk assessments to investigate deviations or gaps in your current security framework based on ISO 27701 compliance guidelines. Identified deficiencies, vulnerabilities and gaps become the subject of plans and corrective actions. The phase brings together the best security assessment tools, tests, methodologies and expert resource capabilities.

Risk treatment plans

The risk treatment plan is a roadmap built on the results of detailed assessments and tests. This includes developing remediation guidelines and security control recommendations to mitigate risks and reconcile identified deviations. In practice it is a prioritized roadmap that includes vulnerabilities and action plans based on the severity or impact of the risks.