ISO 27701 is set to be the international standard for Privacy Information Management Systems (PIMS). It allows organisations that have already achieved ISO 27001 to align their privacy management with their Information Security Management System (ISMS) and demonstrate an appropriate control environment.
In the same way that ISO 27001 is considered to be the ‘gold standard’ for information security management, ISO 27701 will become the ‘gold standard’ for privacy management.
How would an organisation approach ISO 27701?
As extensions to the ISMS go, ISO 27701 is a much bigger task than ISO/IEC 27017 or ISO/IEC 27018, even for organisations that have previously incorporated those standards into their management systems. The effort must cover key modifications to the overall ISMS structure and requirements, modification of existing Annex A controls, and implementation of the control objectives and controls relevant to either a PII processor or a PII controller. For organisations that already have a structure and processes in place to support the requirements of the GDPR, the transition to ISO 27701 may be somewhat simpler; however, they still need to ensure that these processes are effectively brought within the scope of the ISMS.
For any scope modification, including incorporating ISO 27701 into your ISMS, there are some necessary tasks to complete.
- Perform a gap assessment of your existing ISMS to the requirements of ISO 27701
- Assign owners to identified gaps and produce an action plan as to how to address those gaps
- Revise the design of the ISMS to incorporate these new requirements
- Perform the necessary activities on the revised ISMS, including but not limited to risk assessment, measurement and monitoring, internal audit and management review
- Assess the output of the revised ISMS in operation to confirm that it meets both the existing and the new requirements, and that any deficiencies or nonconformities are handled through the formalised continual improvement or corrective action process.
What are the benefits of ISO 27701 compliance?
ISO 27701 will make it easier for organisations to respond to security questionnaires, to demonstrate compliance with contractual and regulatory obligations, and to assure individuals that their data is protected. It will also assure Governance Boards that personal data risks are appropriately managed.
What can organisations do to start working towards ISO 27701?
Organisations that have already been certified to ISO 27001 will be able to extend that certification to ISO 27701. Whilst organisations do not necessarily need ISO 27001 to gain ISO 27701, having ISO 27001 in place provides a good baseline as they work towards ISO 27701 certification.
If organisations do not currently hold a suitable ISO 27001 certification, it will be possible to work towards both ISO 27001 and ISO 27701 simultaneously.
An organisation's ISO 27001 certification will need to be updated so that the existing ISMS incorporates the additional privacy requirements needed to implement and maintain a PIMS.
Also, organisations that were prepared for the GDPR will have already completed quite a lot of the initial groundwork needed for ISO 27701.
For organisations considering the ISO 27701 certification process, the following actions are recommended:
- Action 1: Undertake a gap analysis that will highlight all the issues that will need to be addressed.
- Action 2: Based on the gap analysis report, develop an action plan that details every step of what needs to happen.
- Action 3: Engage an external ISO-certified body to conduct an ISO 27701 readiness assessment aligned with the certification exercise. This will give a strong indication of whether your organisation is ready for the ISO 27701 assessment by a certification body and will flag any issues that could prevent your organisation from achieving certification.
- Action 4: Work with an ISO-certified body to prepare your organisation for certification.
Organisations that already have ISO 27001 certification, run an effective GDPR compliance programme, and have incorporated privacy by design and by default into their project management process will find achieving ISO 27701 relatively easy.
Organisations that are less confident in their GDPR compliance will find ISO 27701 particularly helpful as it provides specific recommendations for actions to comply with the regulation.
To conclude, the design intent of ISO 27701 is to put in place a universal set of operational controls that translate privacy regulations into practice. Organisations that lack the resources to engage in a full-scale certification process may still decide to engage their internal audit function in a self-assessment exercise. Trilateral Research's data protection advisors can also support you on this journey.