What is the Purpose of ISO 27701 and What Benefits Does it Bring?

|
|
PUBLISHED on
25 Jul
2022

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.  Fortunately, guidance exists in the form of ISO/IEC 27701:2019 (ISO 27701), an International Standard, which sets out how organisations should manage personal information and demonstrate compliance with global privacy regulations.   In this blog, we will provide you with an overview of ISO 27701, as well as the benefits of implementing it.

Purpose of ISO 27701

Let’s first look at the full title of ISO 27701: Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.  As per its title, ISO 27701 details best practice guidelines and requirements as a privacy extension to ISO 27001 and ISO 27002.

The Standard helps to reduce complexity and, by integrating with ISO 27001, negates the need to develop and maintain separate information security and privacy management systems.  It is a Standard you can either comply or certify to.  By achieving the latter through an accredited certification body, you are able to provide stakeholders with the added assurance of an independent validation of the way you protect privacy and manage personal information.

Evidence of Compliance with Data Protection Regulations and Legislation

ISO 27701 provides the ideal mechanism for managing compliance with regulations from multiple jurisdictions around the world.  A key difference from the British Standard BS 10012 is that it is jurisdiction/legislation neutral.  Most significantly, it aligns with the GDPR and one of the appendices specifically addresses mapping with the Regulation.

By complying with the requirements of ISO 27701, you will, as a matter of course, generate documentary evidence on how you process personally identifiable information (PII).  Data protection managers will be able to use the documentary evidence as part of a privacy information management system (PIMS)** to provide assurance of compliance.

** Privacy Information Management System (PIMS) – Information security management system which incorporates the protection of privacy potentially affected by the processing of personally identifiable information (PII).

Assurance to Stakeholders

Not only can ISO 27701 provide assurance to senior management and the board, the Standard can also help you build trust with other stakeholders (such as customers, partners and shareholders) by providing tangible evidence of your organisation’s commitment to protecting PII.

This is particularly the case if your PIMS is certified with an accredited certification body.  If you’re a PII processor, you can use the certification to provide validated evidence to PII controllers that your PIMS adheres to relevant privacy requirements.

Suitable for all Organisations

An important feature of ISO 27701 is its versatility.  Just as ISO 27001 works for all organisations, so does ISO 27701.  It has been written in such a way that it can be used by organisations of all sizes and from all business sectors.  It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.

GDPR Certification?

Article 42 of the GDPR details data protection certification mechanisms and data protection seals and marks.  In August 2021, the ICO approved 3 purpose-specific certification schemes (for IT asset disposal, age assurance and age appropriate design), but there has been speculation as to whether certification to ISO 27701 will be adopted as a potential GDPR certification mechanism.

However, irrespective of whether it is formally adopted, achieving accredited certification to ISO 27701 is, without doubt, the most effective, current, widely-applicable method of demonstrating to customers, stakeholders and regulators that your organisation is following international best practice when it comes to protecting PII.

Do I Need to Implement or be Certified to ISO 27001 First?

The short answer is no, although it certainly helps.  If you have already implemented an ISO 27001-compliant information security management system (ISMS) you should find it relatively straightforward to extend your management system to include the processing of PII and develop a PIMS.

However, if your organisation has not yet implemented ISO 27001, you can implement a combined information security and privacy management system and achieve certification for both 27001 and 27701 simultaneously.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
18/7/2024
ICO Enforcement Action January – June 2024

URM’s blog reviews ICO enforcement activities for the 1st half of 2024, highlighting trends & shifts in how it enforces against data protection breaches.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
ISO 27701:2019 and the GDPR

The EU GDPR and the UK DPA both require organisations to protect and ensure the privacy of any personal data which they process.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
What is the UK International Data Transfer Agreement and What Are the Implications?

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.

Read more
This was a good webinar, thank you. Having it as a webinar rather than face to face worked really well and much more convenient with the new standards for travel and cost being put in place etc. The information was useful and well paced. Would be great to get a copy of the slide deck sent out as well. I missed the first minute or so but it would of been good to see an image of who was presenting as well. And you answered my question as well. Thanks
Webinar 'How to Achieve ISO 27001 Certification'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.