What is ISO 27701
ISO 27701 is a standard published by the International Organization for Standardization (ISO) designed to help organizations manage Personally Identifiable Information (PII) through the implementation of a Privacy Information Management System (PIMS).
ISO 27701 serves as an extension to ISO 27001, addressing the need to manage privacy and PII more explicitly. Organizations must hold an ISO 27001 certification to secure an ISO 27701 certification. Organizations that are new to both standards can use ISO 27701 as a framework to simultaneously manage information security and privacy.
Getting ISO 27701 Certified
The ISO/IEC 27701 certification process is the same as other ISO standards. An accredited third-party certification body will execute an audit to determine if your PIMS meets the standard’s requirements. Certification is valid for three years. To maintain accreditation for the three years, a certification body must perform annual surveillance audits to verify the organization continues to meet the requirements of ISO 277001.
ISO 27701 Clauses 5-8 are mandatory and detail what is required of a PIMS to achieve certification.
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.3 Leadership
5.4 Planning
5.5 Support
5.6 Operation
5.7 Performance evaluation
5.8 Improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.3 Organization of information security
6.4 Human resource security
6.5 Asset management
6.6 Access control
6.7 Cryptography
6.8 Physical and environmental security
6.9 Operations security
6.10 Communications security
6.11 Systems acquisition, development, and maintenance
6.12 Supplier relationships
6.13 Information security incident management
6.14 Information security aspects of business continuity management
6.15 Compliance
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.3 Obligations to PII principals
7.4 Privacy by design and privacy by default
7.5 PII sharing, transfer, and disclosure
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.3 Obligations to PII principals
8.4 Privacy by design and privacy by default
ISO 27701 contains six annexes that guide organizations on how to manage privacy information and implement controls to comply with the standard.
Annex A: PIMS-specific reference control objectives and controls (PII Controllers)
Annex B: PIMS-specific reference control objectives and controls (PII Processors)
Annex C: Mapping to ISO/IEC 29100
Annex D: Mapping to the General Data Protection Regulation
Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO 27002
Benefits of ISO 27701 Certification
Meeting ISO 27701 requirements will make it easier for businesses to comply with international and domestic privacy laws like the GDPR and CCPA.
Having both ISO 27001 and 27701 certifications demonstrates to customers and prospects that your business has a heightened commitment to protecting data. Another benefit of certifying against both standards is integrating privacy and security management into a single framework can streamline processes and reduce the complexity of managing privacy risks.
How we can Help
At CompliancePoint, we have a team of former ISO auditors and experienced practitioners who can prepare your organization for a successful ISO 27701 audit. We will put you on the path to certification by helping you design and implement the controls, policies, and procedures that will be the foundation of a PIMS that meets the framework’s requirements.
CompliancePoint has a partnership with Mastermind, a certification body accredited by the International Accreditation Service that specializes in the auditing of ISO standards. We work with Mastermind to simplify the entire certification process for our customers, from initial readiness assessments and policy development to the resulting certification audit.
The experts at CompliancePoint are here to help you avoid breach of data, loss of ability to process or handle 3rd party data, loss of business customers or partners or regulatory fines. Find out how.
Frequently Asked Questions
ISO 27001 is an Information Security Standard published by the International Organization for Standardization (ISO) that is recognized across the globe. It is a certifiable framework consisting of security policies and procedures for data protection through an Information Security Management System (ISMS).
ISO 27001 certification is an effective way for organizations to demonstrate to customers and prospects that they have effective procedures and policies in place to protect data.
ISO 27001 is a certifiable framework consisting of security policies and procedures for data protection through an Information Security Management System (ISMS).
ISO 9001 is a quality management standard. It helps organizations of all sizes and sectors to improve their performance, meet customer expectations and demonstrate their commitment to quality.
There is no one-size-fits-all answer to this question. The answer depends on the organization’s operations, requirements from third parties, and security goals.
From a high-level perspective, ISO 27001 could make the most sense because it is an internationally recognized and certifiable standard. It's a full-on information security management system with security controls. Many of the ISO 27001 controls will also satisfy SOC 2 and NIST requirements. If you decide to pursue one of those standards later, you can fill in any gaps, but your ISO certification will have you already well on the way to compliance with the other frameworks.
Yes, ISO 27001 certification will result in better security for your organization’s sensitive data, but it's not an end all be all. Implementing ISO 27001-compliant processes and procedures needs to be accompanied by a security-focused mindset from the organization's personnel.
If you're getting a lot of privacy-related inquiries, building a framework around privacy makes sense to address concerns from your customers. It depends on the information that you're protecting and who you're trying to demonstrate that you have it secured.
A privacy information management system is not going to cover the broader range of ISO 27001.
It shouldn’t be too heavy of a lift. The keys will be understanding the new controls and getting personnel ready to move forward with a new framework. You need to educate staff on the new controls and the timing for when they need to be implemented.
Set your organization’s goals and objectives and determine what new controls need to be prioritized.
The real impact is the changes in focus. ISO 27001: 2022 focus more on items like the use of cloud resources and continual improvement. The new controls are getting up to speed with how businesses are managing their data in the current environment. The 2022 version is a modernization of the framework that addresses the new security challenges organizations are facing.
Think of working backward as broadening what you already have. You're already meeting the SOC 2 Trust Services Criteria, so you have predictable, repeatable processes implemented. You have a great deal of the ISO 27001: 2022 requirements in place with the assignment of controls, control owners, and management.
ISO 27001 will have requirements that are not part of SOC 2, so you’ll need to identify those gaps. Map all the Annex A controls and make sure you cover the ISO requirements for an ISMS.
Yes, we have a customer that reduced their compliance or audit overall work effort by 40% for the next year by overlapping the evidence, using the same personnel, etc. There are privacy-related controls that need to be implemented in addition to Annex A of ISO 27001.