How Does ISO 27701 Relate To ISO/IEC 27001?
Published in August of 2019, ISO 27701 is a new standard for information and data privacy. The original name for the draft was ISO 27552, and it was written by an ISO/IEC Working Group. Your organization can benefit from integrating ISO 27701 with your existing security management system as doing so can help you comply with GDPR standards and improve your data security.
What Is ISO 27701?
Simply put, ISO 27701 is a privacy extension to ISO 27001. The standard sets out the data privacy and information security requirements needed to support compliance with the General Data Protection Regulation (GDPR). To manage privacy efficiently, it provides a structure for both controllers and processors of Personally Identifiable Information (PII). Implementing ISO 27701 creates a Privacy Information Management System, or PIMS for short.
Using ISO 27701 as the standard for data security shows customers and stakeholders that your company supports GDPR compliance and privacy legislation. It also ensures that you have effective systems they can trust. Applying its controls reduces the potential information security and privacy risks for individuals and for your company, which creates a more trustworthy brand.
What Is The Purpose Of ISO 27701?
Since ISO 27701 defines a PIMS, its purpose is mainly related to data privacy and security. It specifically sets out the framework and requirements for privacy controls and practices. ISO 27701 serves as an extension to ISO 27001, so the latter is required for companies looking to implement a PIMS.
The main goals of ISO 27701 are to:
- strengthen the existing Information Security Management System (ISMS) with the extension of a PIMS, as well as privacy-related controls,
- simplify the management of complicated overlapping privacy laws,
- create a privacy program that is grounded in evidence and that demonstrates GDPR compliance through a recognized form of certification, and
- serve as the foundation for potential GDPR compliance.
The now published ISO 27701 standard also accomplishes several other purposes. For one, it serves as an outline for the relationship and connection between PIMS and the ISMS, or ISO 27001. It also details the required functions and lists the privacy controls for PIMS data processors and controllers. On a larger scale, ISO 27701 maps information privacy requirements to the relevant ISO standards and GDPR.
How Does ISO 27701 Relate To ISO 27001?
ISO 27701 serves as an enhancement to ISO 27001. It is one of several risk management standards, but it specifically gives assurance that your organization complies with GDPR and other applicable PII regulations. Before you can experience the security benefits and improvements of ISO 27701, you must first have the ISO 27001 system in place. However, ISO 27001 does not fulfill the requirements of GDPR independently, which is why the extension is significant.
As an extension of ISO 27001, ISO 27701 has the potential to decrease risk related to privacy and information breaches. By integrating it into your current ISMS, you demonstrate that your organization has effective systems for protecting the data of customers and stakeholders.
The technical and system requirements of a PIMS and an ISMS overlap significantly. This connection makes implementing ISO 27701 alongside ISO 27001 straightforward: the international standard is designed to bolster your existing information security management system with the additional privacy controls.
The benefits of having the ISO 27701 certification include:
- Data privacy and GDPR compliance: ISO 27701 provides assurance that your company is compliant with GDPR while allowing you to use the same standard for other privacy regulations and requirements.
- Integrity: Your organization can conduct activities as usual with the confidence that you can manage security risks surrounding your invested parties' information.
- Time-saving: With ISO 27701, you'll be able to reply to security questionnaires, comply with security regulations and assure individuals that you have risk management systems in place.
- Preparedness: If the U.K. leaves the European Union, ISO 27701 will help prepare your organization for the further development of the Data Protection Act. The framework will already be in place.
How To Get Certified To ISO 27701
For companies that already hold ISO 27001 certification, the process of applying ISO 27701 is relatively straightforward. The standard requires organizations that have ISO 27001 in place to also apply a privacy information management system. To ensure it is in place and meets risk management principles and standards, you need to understand your organization's context, its internal and external requirements, the risks that apply and the risk acceptance criteria. This will help ensure the privacy information management system is well developed and thorough.
There are three steps to acquiring the ISO 27701 certification:
- Step one: First, you need to work with a qualified certification body that will audit your organization. Once you've found the right certification body, you'll likely fill out a quote request form. This will be used to create an accurate certification proposal.
- Step two: When you've settled on a specific proposal, an assessor will provide a thorough evaluation of your organization. The initial certification audit consists of a mandatory visit by an assessor, who will check that you have a fully operational management system in place. The assessor will also check whether your system has been through a thorough management review and internal audit cycle.
- Step three: Once the assessor finishes the audit, the certification body will determine whether your organization has met the requirements. If the result is positive, they will issue you a certificate confirming your organization meets the requirements of the standard. From that point, the certification is valid for the following three years or until your ISO 27001 certificate expires, whichever is sooner. However, you must maintain its status by scheduling annual surveillance audits combined with your ISO 27001 audit, followed by a full reassessment before expiry.
If your organization doesn't already have ISO 27001 certification, you will need to either gain ISO 27001 certification first or gain ISO 27001 and ISO 27701 at the same time. If you don't necessarily need ISO 27001, you can instead implement BS 10012:2017 with Annex A1:2018. It functions as an independent Privacy Information Management System without requiring ISO 27001 as a prerequisite.
Get Your ISO 27701 Certification With NQA
When it comes to choosing who you want to certify your organization, NQA will provide the services you need at an excellent value. Our auditing sessions do more than check if your company meets the required standards — they help you improve your organization as well. We're passionate about exceeding your expectations. With NQA, you can expect quality customer service, competitive rates and no hidden fees.
Ensure your organization is GDPR compliant — request a free quote from NQA to get started with your certification.
Reviewed by: Tim Pinnell, NQA Information Security Assurance Manager 12/18/2020