How to implement the ISO 27701 standard

ISO 27701 is a relatively new standard in the ISO 27000 family. It was introduced to help organizations tackle data privacy alongside their data protection requirements.

The standard essentially bolts privacy processing controls onto ISO 27001, creating a PIMS (privacy information management system) that contains a set of privacy-specific requirements, controls, and objectives.

In this blog, we explain how ISO 27701’s requirements work and how you can implement the framework.

What is ISO 27701 and why is it important?

ISO 27701 was created by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) in 2019 to tackle the growing need for advice on data privacy.

Regulations such as the GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act) and the New York SHIELD Act all make reference to the need for data privacy, but at the time there was no best-practice advice on how to address that.

ISO 27701 fills that gap, providing a set of requirements that organizations can follow to ensure that they are protecting people’s privacy.

Although compliance with the Standard isn’t directly tied to these regulations, organizations that follow the framework will have the pieces in place to meet their regulatory requirements.

In that regard, ISO 27701 is a lot like ISO 27001, which provides practical guidance on data protection. Again, it isn’t directly correlated to the likes of the GDPR, but because it is best practice, organizations that follow its advice will meet many of their compliance requirements.

What are the requirements of ISO 27701?

To comply with ISO 27701, you must design, build and implement a PIMS in accordance with both the Standard and relevant national and international regulations, such as the GDPR.

The PIMS works alongside your ISMS, so you must first achieve compliance with ISO 27001 before you can address your privacy requirements.

The good news is that organizations that are already ISO 27001 compliant will only have a few extra tasks to complete. This includes a second risk assessment to account for the new controls.

Once the PIMS is implemented, auditors will assess it by:

  • Reviewing your documentation;
  • Interviewing employees to make sure they understand your processes and policies; and
  • Conducting tests to see how it works in practice.

You can find out what controls are available to you by reading the ISO 27701 standard. It also lists control objectives and documentation requirements, which are based on ISO 27001.

Certifying to ISO 27701

It is possible to gain independently accredited certification to ISO 27701, but only as an extension of your ISO 27001 certification. This is because ISO 27001 is the only certifiable standard in the ISO 27000 family.

Fortunately, organizations that aren’t already certified can implement both standards as a single implementation project. Because the privacy requirements are an expansion of your compliance requirements, there is no need to create separate management systems or implementation projects.

Whether you’re looking to start your project from scratch or want to add ISO 27701 to your existing ISMS, IT Governance can help you gain the expertise you need.

We have a pair of training courses dedicated to ISO 27701. The Certified ISO 27701 PIMS Lead Implementer Training Course equips you to lead a PIMS implementation project.

This two-day course explains the key concepts, principles, and main requirements of ISO 27701 and helps you prepare for a certification audit.

You’ll also learn about privacy impact assessments and discover how to manage and drive continual improvement under the Standard.

Meanwhile, our Certified ISO 27701 PIMS Lead Auditor Training Course teaches you to conduct PIMS audits against ISO 27701 and in line with international data protection regimes such as the GDPR.

The course covers the key concepts, principles, and requirements of the Standard, and explains best-practice audit methodology.

You’ll also learn how to demonstrate compliance with other relevant data privacy frameworks and gain a practical working knowledge of ISO 27701.