What is ISO 27701?
ISO 27701 (known as ISO/IEC 27552 during its drafting period) specifies the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
ISO 27701 is based on the requirements and controls of the widely adopted information security management standard ISO 27001, and provides an extension to ISO 27001 through its own set of privacy-specific requirements and controls. It outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy.
Why was ISO 27701 developed?
ISO 27701 (full title: ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines) is a management standard that was published in 2019 in response to the growing need for a global data privacy framework.
ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed ISO 27701 as an addition to the popular ISO 27000 family of information security standards to provide much-needed guidance for complying with global privacy laws, such as the California Consumer Privacy Act (CCPA), the EU GDPR (General Data Protection Regulation) and the New York SHIELD Act.
Compliance with ISO 27701 shows customers and stakeholders that your company supports compliance with privacy legislation.
You can buy your copy of the 2019 edition of ISO 27701 (PDF) here.
Free download: ISO 27701 – Privacy information management systems
Download our free guide on how to implement a privacy information management system (PIMS) to support your privacy compliance objectives.
Can we get certified to ISO 27701?
Yes, although independently accredited certification is only available as an extension to an ISO 27001 certificate. This is because ISO 27001 is the only certifiable standard in the ISO 27000 family of standards.
Organizations without an ISMS can also implement ISO 27001 and ISO 27701 together as a single implementation project. Because ISO 27701 simply expands on the requirements and guidance provided by ISO 27001 and its code of practice, ISO 27002, there is no need to blend two separate management systems or implementation projects.
What is the difference between ISO 27001 and ISO 27701?
ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.
ISO 27001 and its controls framework ISO 27002 provide guidance for implementing an ISMS (information security management system). ISO 27001 sets out the risk-based methodology for managing people, processes and technology in order to secure the confidentiality, integrity and availability of corporate information. Hundreds of firms have already implemented ISO 27001 due to its comprehensive approach to information security management.
Companies looking to implement a PIMS must either implement ISO 27001 first or implement both standards as a joint project.
Who should implement ISO 27701?
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it requires that organizations address specific risks, including the risks to personal data and privacy.
How does ISO 27701 map to other standards?
ISO 27701 includes annexes that map to the following other standards:
- ISO 29100 (Information technology – Security techniques – Privacy framework);
- ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
- ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
The standard also maps its requirements and controls to the GDPR’s requirements (e.g. GDPR requirements related to data subjects’ rights are covered by ISO 27701’s controls on obligations to PII principals).
ISO 27701 provides guidance for implementing each control.
It’s also worth noting that BS 10012:2017 with Annex A1:2018 is a similar standard to ISO 27701, and doesn’t require implementing ISO 27001 as a prerequisite.
How will ISO 27701 certification support CCPA compliance?
Achieving certification to both ISO 27701 and ISO 27001 will enable you to meet the privacy and data security requirements of all major privacy frameworks. You will also be able to demonstrate that you have taken the necessary measures to protect the consumer data you process and to uphold data subjects’ rights.
Need help implementing ISO 27701? We have everything you need
We’ve been leading ISO 27001 certification projects since the Standard’s inception, and have everything you need to extend your ISMS to cover ISO 27701 and privacy management.
Contact us now for support on achieving compliance with ISO 27701, drawing on the expertise of our team of information security and data privacy experts.