ISO 27701 and ISO 27001: Information Technology Security Techniques

What exactly is ISO 27701?
ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001, the internationally recognised standard for managing information security. Its full title is ISO/IEC 27701:2019, Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Requirements and guidelines.

ISO 27701 specifies the requirements for a PIMS (privacy information management system) and provides guidance for establishing, implementing, maintaining and continually improving it.

ISO 27701 builds on the requirements of ISO 27001 and the guidance of ISO 27002, adding privacy-specific requirements, control objectives and controls.

For a concise explanation of the principles of privacy information management and of ISO/IEC 27701, see our pocket guide ISO/IEC 27701:2019: An introduction to privacy information management.

Why was ISO 27701 established?
The UK DPA 2018 (Data Protection Act 2018) and the EU GDPR (General Data Protection Regulation) both oblige organisations to take appropriate technical and organisational measures to safeguard the personal data they process.

These laws say little about what those measures should look like in practice.
The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed ISO 27701 to provide that guidance.

How does ISO 27701 integrate with ISO 27001?
ISO 27001 specifies the requirements for an ISMS (information security management system). An ISMS is a risk-based approach to security that incorporates people, processes and technology. Independent, accredited certification to ISO 27001 gives stakeholders assurance that information is being adequately protected.

ISO 27001 is a standard for managing security in general. Organisations that have implemented it can extend their ISMS with ISO 27701 to cover the management of personal information, or PII (personally identifiable information), and use the resulting PIMS to demonstrate compliance with data protection laws.

Organisations that do not yet have an ISMS can implement ISO 27001 and ISO 27701 together as a single project.

Who should implement ISO 27701?
ISO 27701 is intended for both PII controllers and PII processors. Like ISO 27001, it takes a risk-based approach, so that each organisation addresses the specific risks to privacy and personal data that it actually faces.

What's the difference between a privacy information management system and a personal information management system?
ISO 27701 specifies the requirements for a privacy information management system, whereas BS 10012, the British standard, specifies the requirements for a personal information management system.

There is little difference between the two terms: both describe management systems designed to protect personal information, and the abbreviation PIMS is used for either. There are, however, some distinctions between the two standards, which are discussed below.

Should I pick ISO 27701 over BS 10012?
Both standards have their benefits, but there are certain distinctions.

BS 10012 is aligned to the DPA 2018 and the GDPR, whereas ISO 27701 is not tied to any single data protection law. This makes ISO 27701 applicable more broadly and helps conforming organisations address the requirements of several privacy laws at once.

BS 10012 may be the better option if your organisation only needs to comply with the GDPR and/or the DPA 2018.

If you need to demonstrate compliance with a range of privacy laws, the international standard may be more appropriate.

IT Governance can help you choose the standard that fits your needs and provide whatever implementation support you require.

Demonstrate GDPR compliance with ISO 27701 and ISO 27001
Implementing ISO 27001 and ISO 27701 together helps you meet the information security and privacy requirements of the GDPR and other data protection laws. It also demonstrates that you have a management system in place for the "appropriate technical and organisational measures" required to protect the personal data you process and to uphold the rights of data subjects, in line with the Regulation's accountability principle (Article 5(2)).

Article 42 of the GDPR provides for data protection certification mechanisms, seals and marks, but at the time of writing none had been established. You can, however, obtain independently accredited certification to ISO 27001 and, if you implement the relevant privacy controls, extend it with certification to ISO 27701. This shows regulators and stakeholders that your organisation follows international best practice for protecting personal data/PII.
