
Quick Guide to ISO 27701

03 December 2020
Read this quick guide to ISO 27701, the data compliance management system supporting GDPR compliance.

What is ISO 27701?

ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. 

  • It’s a method of helping organisations demonstrate compliance with GDPR and other global privacy regulation.

  • It is a bolt-on to ISO 27001 for managing privacy and privacy risks. It would therefore be a combined management system.

  • It adds a suite of privacy requirements and controls to ISO 27001.

  • It details the requirements and gives guidance for the implementation and maintenance of a Privacy Information Management System.

  • It has extra Annex A controls for PII Controllers and for PII Processors.

Who is ISO 27701 for?

Clients who process PII and need to show that they are complying with GDPR or want internal assurance they are doing right by GDPR. It could be business contact data, employee data, marketing data, customer data – any PII that matters to them.

What are the benefits of ISO 27701?

  • It provides a comprehensive privacy management framework.

  • It provides clarity on the required GDPR compliance activities.

  • It was developed by several data protection regulators from around the world, with input from the European Data Protection Board.

  • The French data protection authority said: ‘It represents the state of the art in terms of privacy protection’.

  • It can be selectively applied in order to demonstrate compliance e.g. customer PII only.

  • Through the IAF it is a globally recognised standard. It is the ONLY standard that has this global applicability to privacy regulation.

  • It helps reduce the risk of a privacy breach and potential fines from the ICO.

What else do you need to know about ISO 27701?

  • Clients must either have an existing ISO 27001 certificate or start a new combined ISO 27001 and ISO 27701 certification; you can get a quote using our online quote tool.

  • PII (Personally Identifiable Information, also called Personal Data) is data that relates to someone.

  • BS10012 maps to GDPR only and is not an ISO standard. We would recommend taking the route of ISO 27701 as it's globally applicable and recognised. 

  • Controller is a GDPR term for the owner of the PII e.g. client owns their employee data.

  • Processor is someone who acts on the instructions of a Controller e.g. outsourced HR services provider.

  • NQA anticipates that by 2022 there will be increasing expectations and demand for organisations to demonstrate compliance with GDPR and other global privacy regulation.

  • Ideal client representative is a Data Protection Officer or a Chief Security Officer.

What next?

We can assess your compliance with ISO 27701 as an addition to your ISO 27001 assessment. We will ensure our approach follows the same method as the standard – looking at one system supporting both information security and personal information management.

  • If you already have ISO 27001 certification with NQA we will conduct a scope extension audit to add ISO 27701 to your certification. 

  • If you have ISO 27001 with an alternative certification body we will need to transfer this certificate to NQA – don’t worry, it’s a very simple process, and the details can be found here.

  • If you don’t have ISO 27001 certification in place, we will audit you for both ISO 27001 and ISO 27701 at the same time during your initial audit.