ISO 27701 27001 Information Technology Security Techniques

What exactly is ISO 27701?
ISO/IEC 27701:2019 is an extension of the international standard for information security management, ISO/IEC 27001 (its full title is ISO/IEC 27701 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines). See Information technology -- Cybersecurity.

ISO 27701 defines the requirements for a PIMS (privacy information management system) and provides guidance on setting it up, maintaining it and continually improving it.

ISO 27701 is built on the requirements of ISO 27001 and adds privacy-specific requirements, controls and control objectives.

Our most popular pocket guide, ISO/IEC 27701, gives an accessible overview of the principles and practices of managing personal data.

Why was ISO 27701 created?
The UK DPA (Data Protection Act), the UK GDPR (General Data Protection Regulation) and the EU GDPR all require organisations to take measures to protect the privacy of the personal data they handle.

These laws do not say what those measures are expected to look like.
The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) created this new standard to provide that guidance.

How does ISO 27701 integrate with ISO 27001?
ISO 27001 sets out the requirements for an ISMS (information security management system). An ISMS takes a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 gives stakeholders assurance that data is appropriately protected.

Companies that have already implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management, including the processing of personal information or PII (personally identifiable information). This helps them demonstrate that reasonable measures are in place to comply with data protection laws such as the GDPR.

Companies that do not yet have an ISMS can implement ISO 27001 and ISO 27701 simultaneously.
Free PDF download: Plan your route to GDPR/DPA compliance with ISO 27701
Use ISO 27701 to map your route to GDPR/DPA 2018 compliance

Who should implement ISO 27701?
ISO 27701 was created for use by both data controllers and data processors. Like ISO 27001, it takes a risk-based approach, so that each organisation addresses the particular privacy and personal data risks it faces.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 sets out the requirements for a privacy information management system, while BS 10012 is the British standard for a personal information management system.

There is little material difference between the two terms: both describe management systems designed to protect personal information, and for everyday purposes "PIMS" can be used to mean either. There are, however, some differences between the two approaches, discussed below.

What should I consider when choosing between ISO 27701 and BS 10012?
Although both standards are helpful, there are some differences.

BS 10012 is aligned with the DPA 2018 and the GDPR, whereas ISO 27701 is not aligned with any particular data protection regime. This allows wider use: a conformant organisation can demonstrate compliance with a range of privacy laws.

BS 10012 is a good choice if your company needs to comply with the GDPR and the DPA 2018.

If you must demonstrate compliance with several data protection regimes, the international standard may be more appropriate for you.

IT Governance can help you identify which approach is best suited to your needs, and can provide whatever implementation assistance you require.

Demonstrate GDPR compliance with ISO 27701/ISO 27001
Implementing ISO 27701 and ISO 27001 will help you meet the privacy and security requirements of the GDPR and other data protection regimes. It also demonstrates that you have the management processes in place to implement "appropriate technical and organisational measures" to safeguard the personal data you handle and protect the rights of data subjects, in line with the GDPR's accountability principle (Article 5(2)). See ISO 27001 for more information.

Article 42 of the GDPR refers to data protection certification mechanisms, seals and marks, but no such mechanisms yet exist. By implementing the controls, your business can obtain independently accredited certification to ISO 27001 and then to ISO 27701, demonstrating to regulators and other stakeholders that it follows international best practice in safeguarding personal data.
