ISO 27701: Data Compliance Management System Supporting GDPR Compliance
What is ISO 27701?
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System) outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.
This reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.
This standard is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance to GDPR and other related privacy legislation. In gov.uk Cyber Security Breaches Survey 2019, around 30 percent of businesses have made changes to cyber security because of GDPR and this number will rise in the upcoming years.
Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit. ISO 27701 is a natural expansion to the requirements and guidance set out in ISO 27001.
The ISO 27001 standard provides a framework for an Information Security Management Systems (ISMS) that enables the continued confidentiality, integrity and availability of information as well as legal compliance. More than 60,000 organizations worldwide have certified to date to ISO 27001, proving certification to be an essential part of protecting your most vital assets.
The significant overlap in system and technical requirements between a privacy information management system and an information security system presents a compelling case to adopt ISO 27001 and ISO 27701. This is supported by the international recognition of an ISO standard.
Helps you with
- GDPR compliance
- Privacy rights of individuals
- Continued confidentiality
- IT governance
- Data breaches
- Securing personal information
- Building customers trust
- Increasing customer satisfaction
- Protecting the organization’s reputation
Other risk management standards:
- ISO 27701 - GDPR Compliance
- BS 10012 - Personal Information
- ISO 20000-1 - IT Service Management
- ISO 22301 - Business Continuity
- ISO 44001 - Collaborative Working
- ISO 55001 - Asset Management
- ISO 41001 - Facilities Management
NOTE: We are currently offering certification to this scheme.
Benefits of ISO 27701 Certification
Supporting GDPR and data privacy compliance
Aligning to GDPR but also allowing organizations to use the standard to encompass other privacy laws, regulations and requirements.
Maintain the integrity of customers’ and other interested parties’ information. Conduct your activities with assurance that your systems can help manage data privacy risks.
Save time and win bids
Certification to ISO 27701 will make it easier to respond to security questionnaires, demonstrate compliance and assure individuals their data is protected. This standard can provide extra assurance to potential customers which may enable you to win more bids.
Helps prepare an organization with a framework in the event that the UK exits Europe and further develops the Data Protection Act. Helps prepare an organization with a framework in the event that the UK becomes a third country after BREXIT.
Commitment to security
Demonstrate commitment to information security to customers, suppliers and other interested parties.
Global recognition as a reputable supplier
Certification is recognized internationally and accepted throughout industry supply chains, setting industry benchmarks for sourcing suppliers.
Is ISO 27701 certification right for me?
This standard is essential for organizations worldwide that are responsible for Personally Identifiable Information (PII). It provides a framework on how to manage and process data and safeguard privacy. ISO 22701 enhances an already implemented information security management system to address privacy requirements and put in place the systems and infrastructure to support compliance to legislation including GDPR.
The General Data Protection Regulations (GDPR) is in full swing. Since its implementation in May 2018, the EU's landmark legislation has brought sweeping change to data privacy rights, particularly who "owns" data, who controls it and who gets the final say in its uses and transactions in today's digital-first world.
Under the GDPR the upper limit could reach €20 Million or 4% of the annual global turnover of an organization - whichever is higher. Organizations also face significant reputational damage risk from non-compliance and data breaches. For some business this could posed a threat of bankruptcy or even closure.
The Information Commissioner’s Office (ICO) in the UK has indicated that organizations adopting certification or having a robust system in place to manage their data protection may be seen more favourably from a regulatory perspective in the event of a data breach.
Implementing a Privacy Information Management System (PIMS) in compliance with the requirements of ISO 27701 will enable organizations to assess, react and reduce risks associated with the collection, maintenance and processing of personal information. Certification to ISO 27701 does not confirm legal compliance to GDPR however it provides a valuable framework for any company to support their efforts in compliance to legislation.
Organizations can also consider implementing BS 10012:2017 with Annex A1:2018 as an alternative approach. This is for organizations seeking to implement a standalone Privacy Information Management System without ISO 27001.
Differences between ISO 27001 and ISO 27701
ISO 27701 is set to be the go to standard for compliance with GDPR regulations, in the same way that ISO 27001 is considered to be the ‘gold standard’ for information security management.
It aligns to GDPR but also allows organizations to use the standard to incorporate other privacy laws, regulations and requirements. This makes it an excellent choice for organizations of all industries and sizes looking to demonstrate their compliance with the ‘accountability’ principle of GDPR.
How to get certified to ISO 27701
If you already have accredited certification to ISO 27001 you will find applying the information risk management principals to personal information fairly straightforward.
The standards requires that organizations with certification to ISO 27001 must include privacy management, this means reviewing the organization’s contextual analysis, risk assessment and control environment to ensure that privacy management is incorporated.
The privacy information management system then needs to be documented. Organizations that are less confident in their GDPR compliance will find ISO 27701 particularly helpful as it provides specific recommendations for actions to comply with the regulation.
We can assess your compliance to ISO 27701 as an addition to your ISO 27001 assessment. We will ensure our approach follows the same method as the standard – looking at one system supporting information security and personal information management.
STEPS TO CERTIFICATION
Complete a Quote Request Form so that we can understand your company and requirements. You can do this by completing either the online quick quote or the online formal quote request form. We will use this information to accurately define your scope of assessment and provide you with a proposal for certification.
Once you’ve agreed your proposal, we will contact you to book your assessment with an NQA Assessor. This assessment consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and full cycle of internal audits.
Following a successful two stage audit, a certification decision is made and if positive, then certification to the required standard is issued by NQA. You will receive both a hard and soft copy of the certificate. Certification is valid for three years and is maintained through a programme of annual surveillance audits and a three yearly recertification audit.
Information Security Toolkit
Information Security Management Training
ISO 27001 in relation to GDPR video
Need a Consultant?
ISO 27001 Implementation Guide
Download Certification Logos
ISO 9001 to ISO 27001 Gap Guide