If your organization takes information security seriously, you’ve probably come across ISO 27001, the international standard that describes best practice for an ISMS (information security management system).
But you may be less familiar with ISO 27701. It’s the newest standard in the ISO 27000 series, covering organizations’ requirements when creating a PIMS (privacy information management system).
It was created in 2019 in response to the EU GDPR (General Data Protection Regulation), which requires organizations to adopt “appropriate technical and organisational measures” to protect personal data. However, as with its requirements generally, the GDPR doesn’t specify what those measures should involve.
ISO 27701 fills that gap, providing privacy processing controls that organizations can adopt into their ISO 27001 framework.
What else does ISO 27701 cover?
In addition to privacy-specific requirements, controls and control objectives, ISO 27701 includes annexes that map them to:
- ISO 29100 (Information technology – Security techniques – Privacy framework)
- ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection)
- ISO 27018 (Information technology – Security techniques – Code of practice for protection of PII (personally identifiable information) in public clouds acting as PII processors)
ISO 27701 also contains an annex that maps its framework and controls to the GDPR’s requirements. As such, ISO 27701 can be used directly as a GDPR compliance guide by data controllers and processors.
By following its framework, you will meet your requirement to adopt appropriate technical and organizational measures to ensure that you process and uphold data subject rights, in line with the GDPR’s accountability principle (Article 5).
Additionally, Article 42 discusses data protection certification mechanisms and data protection seals and marks.
Although no such mechanism exists yet, it’s possible to achieve independently accredited certification to ISO 27001 (and by extension ISO 27701), which will demonstrate to stakeholders and regulators that your organization follows international best practice.
Free PDF download: ISO 27701 – Privacy information management systems
You can learn more about this topic by downloading our free green paper: ISO 27701 – Privacy information management systems.
- How ISO 27701 differs from and complements ISO 27001
- The structure and requirements of ISO 27701
- How ISO 27701 can help you achieve compliance with privacy laws like the CPRA (California Privacy Rights Act) and the EU GDPR (General Data Protection Regulation)
- Which additional requirements will apply if you already have an established ISMS