ISO 27701 27001 Information Technology Security Techniques

What is ISO 27701?
ISO/IEC 27701:2019 is a privacy extension to the international information security standard ISO/IEC 27001. Its full title is ISO/IEC 27701 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines.

ISO 27701 specifies the requirements, and provides guidance, for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

ISO 27701 builds on the requirements, control objectives and controls of ISO 27001, and adds privacy-specific requirements, control objectives and controls on top of them.

We also have a bestselling pocket guide, ISO/IEC 27701:2019: An introduction to privacy information management.

Why was ISO 27701 established?
The UK's DPA (Data Protection Act) 2018, the UK GDPR (General Data Protection Regulation) and the EU GDPR all require organisations to implement measures to protect the security of the personal data they process.

However, the laws do not say what those measures should look like.
To provide that direction, the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) created the new standard.

What is the connection between ISO 27001 and ISO 27701?
ISO 27001 sets out the requirements for an ISMS (information security management system): a risk-based approach to security that covers people, processes and technology. An ISO 27001 ISMS can be independently certified, giving stakeholders assurance that information has been appropriately secured.

Organisations that have already implemented ISO 27001 can use ISO 27701 to extend their security programme to cover privacy management, including the processing of PII (personally identifiable information). This helps them demonstrate that appropriate measures have been taken to comply with data protection laws such as the GDPR.

Organisations that don't yet have an ISMS can implement ISO 27001 and ISO 27701 together in a single implementation project.

Free PDF download: Your path to GDPR and DPA 2018 compliance with ISO 27701

Who should apply ISO 27701?
Any data controller or data processor can use ISO 27701. Like ISO 27001, the standard takes a risk-based approach, so each organisation addresses the specific threats and risks to privacy and personal information that it actually faces.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 specifies the requirements for a privacy information management system. BS 10012, by contrast, is the British standard for a personal information management system.

There is no major difference between the two terms: both refer to a management system for protecting personal information, and in everyday use the acronym PIMS can mean either. There are, however, some significant differences between the two standards themselves, described below.

Should I choose BS 10012 or ISO 27701?
Each standard has its advantages, but they differ in some important respects.

BS 10012 is aligned specifically with the GDPR and the DPA 2018. ISO 27701 is not tied to any particular privacy regime, which lets a wider range of organisations use it, and lets one PIMS support compliance with several privacy regimes at once.

If your organisation only needs to comply with the GDPR and the DPA 2018, you may find that BS 10012 meets your requirements.

If you need to demonstrate compliance with several privacy regimes, the internationally recognised standard is the better fit.

IT Governance can help you determine which standard best meets your needs, and can provide whatever implementation support you require.

Demonstrating GDPR compliance with ISO 27701 and ISO 27001
You can implement ISO 27701 and ISO 27001 to meet the GDPR's privacy and information security requirements.

Article 42 of the GDPR refers to data protection certification mechanisms and to data protection seals and marks. No such mechanisms are currently in place. You can, however, obtain ISO 27001 certification if your organisation follows the standard's best practices for securing personal data.
