What is ISO 27701
ISO 27701 is a standard published by the International Organization for Standardization (ISO) designed to help organizations manage Personally Identifiable Information (PII) through the implementation of a Privacy Information Management System (PIMS).
The Relationship with ISO 27001
ISO 27701 serves as an extension to ISO 27001, addressing the need to manage privacy and PII more explicitly. Organizations must hold an ISO 27001 certification to secure an ISO 27701 certification. Organizations that are new to both standards can use ISO 27701 as a framework to manage information security and privacy simultaneously.
Getting ISO 27701 Certified
When an organization has achieved ISO 27001 compliance, it can expand its focus to privacy and ISO 27701 certification by executing these tasks:
- Identifying the Personally Identifiable Information in scope
- Defining privacy-related roles and responsibilities
- Updating risk assessments to account for privacy risks
- Implementing privacy controls
The ISO/IEC 27701 certification process is the same as for other ISO standards. An accredited third-party certification body will execute an audit to determine whether your PIMS meets the standard’s requirements. Certification is valid for three years. To maintain certification over those three years, the certification body performs annual surveillance audits to verify that the organization continues to meet the requirements of ISO 27701.
ISO 27701 Clauses 5-8 are mandatory and detail what is required of a PIMS to achieve certification.
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.3 Leadership
5.4 Planning
5.5 Support
5.6 Operation
5.7 Performance evaluation
5.8 Improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.3 Organization of information security
6.4 Human resource security
6.5 Asset management
6.6 Access control
6.7 Cryptography
6.8 Physical and environmental security
6.9 Operations security
6.10 Communications security
6.11 Systems acquisition, development, and maintenance
6.12 Supplier relationships
6.13 Information security incident management
6.14 Information security aspects of business continuity management
6.15 Compliance
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.3 Obligations to PII principals
7.4 Privacy by design and privacy by default
7.5 PII sharing, transfer, and disclosure
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.3 Obligations to PII principals
8.4 Privacy by design and privacy by default
ISO 27701 contains six annexes that guide organizations on how to manage privacy information and implement controls to comply with the standard.
Annex A: PIMS-specific reference control objectives and controls (PII Controllers)
Annex B: PIMS-specific reference control objectives and controls (PII Processors)
Annex C: Mapping to ISO/IEC 29100
Annex D: Mapping to the General Data Protection Regulation
Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
Benefits of ISO 27701 Certification
Meeting ISO 27701 requirements will make it easier for businesses to comply with international and domestic privacy laws like the GDPR and CCPA. ISO 27701 maps directly to key requirements commonly found in data privacy laws, such as data minimization, purpose limitation, accountability, and processing security.
Having both ISO 27001 and ISO 27701 certifications demonstrates to customers and prospects that your business has a heightened commitment to protecting data. Another benefit of certifying against both standards is that integrating privacy and security management into a single framework can streamline processes and reduce the complexity of managing privacy risks.
How We Can Help
At CompliancePoint, we have a team of former ISO auditors and experienced practitioners who can prepare your organization for a successful ISO 27701 audit. We will put you on the path to certification by helping you design and implement the controls, policies, and procedures that will be the foundation of a PIMS that meets the framework’s requirements.
CompliancePoint has a partnership with Mastermind, a certification body accredited by the International Accreditation Service that specializes in the auditing of ISO standards. We work with Mastermind to simplify the entire certification process for our customers, from initial readiness assessments and policy development to the resulting certification audit.
The experts at CompliancePoint are here to help you avoid data breaches, loss of the ability to process or handle third-party data, loss of business customers or partners, and regulatory fines. Find out how.
Frequently Asked Questions
ISO 27701 is a privacy framework designed to help businesses and organizations protect and manage Personally Identifiable Information using a Privacy Information Management System (PIMS).
ISO 27001 is an information security standard focused on the protection of data. ISO 27701 is an extension of ISO 27001 focused on privacy. Organizations must hold an ISO 27001 certification to secure an ISO 27701 certification.
GDPR is a law intended to strengthen data protection for people in European Union (EU) countries. It applies to any organization that handles the data of EU citizens.
ISO 27701 is a voluntary framework designed to protect Personally Identifiable Information. ISO 27701 maps directly to many key GDPR requirements, but certification does not guarantee GDPR compliance.
If you're getting a lot of privacy-related inquiries, building a framework around privacy makes sense to address concerns from your customers. It depends on the information you're protecting and to whom you're trying to demonstrate that it is secured.
A privacy information management system is not going to cover the broader scope of ISO 27001.
Yes, we’ve seen customers reduce their compliance or audit overall work effort by 40% for the next year by overlapping the evidence, using the same personnel, etc. There are privacy-related controls that need to be implemented in addition to Annex A of ISO 27001.