ISO 27701: UKAS requirements for ISMS certification bodies

ISO/IEC 27701:2019 is a privacy extension to the internationally recognised management system standard for information security, ISO/IEC 27001:2013, providing a set of privacy-specific requirements, controls and control objectives.

It specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a PIMS (privacy information management system).

ISO 27701 refers to the processing of PII (personally identifiable information), which is similar to “personal data” under the GDPR (General Data Protection Regulation) – information that can be used to identify an individual.

Why was ISO 27701 developed?

The GDPR and local data protection laws in EU member states and beyond require organisations to take measures to ensure the privacy of any PII they process. However, none of the current laws provide significant guidance on what those measures should look like.

The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) therefore developed a new standard to provide that guidance, and ISO/IEC 27701:2019 was published in August 2019.

Obtaining ISO 27701 certification

An organisation has two options when it comes to ISO 27701 certification:

Option A:

An organisation has already been certified to ISO/IEC 27001:2013 and wishes to become certified to ISO/IEC 27701:2019.

Option B:

An organisation seeks certification to both ISO/IEC 27001:2013 and ISO/IEC 27701:2019 at the same time.

You cannot achieve stand-alone ISO 27701 certification – you must either have ISO 27001 certification already or certify to both standards in tandem.

UKAS has published its national accreditation requirements for ISO 27701 – what is required of accreditation bodies?

All ISMS (information security management system) certification bodies wishing to extend their scope to include ISO 27701 must submit a completed AC1 application form and documentary evidence.

Thus includes a gap analysis of the operational differences between offering ISMS certification and offering the PIMS extension, the impact of changes to the certification activity, implementation plans, etc.) to UKAS.

UKAS will then assess the certification body, which will involve:

  • A remote desktop assessment of all the documentation submitted;
  • A head office assessment, which will include verification of the process of administration of the requirements, and technical competence of personnel; and
  • A witnessed assessment for ISO/IEC 27701:2019, selected by UKAS, before the scope of accreditation can be extended.

When considering the competence of personnel, UKAS requires the certification body to:

  • Ensure it has knowledge of the technological, legal and regulatory developments necessary for assessing the PIMS of its clients;
  • Have criteria in place for verifying the background experience and training of audit team members; and
  • Be able to demonstrate that its auditors have the required knowledge and experience as outlined in 7.11 of the published accreditation requirements (CIS 16 UKAS Requirements for ISMS Certification Bodies Certifying Privacy against ISO/IEC 27701:2019).

To ensure confidentiality and impartiality, UKAS requires the certification body to have a contract (legally enforceable) in place with its clients to protect sensitive, proprietary or vulnerable information that it acquires during the audit.

While a certification body may add value by suggesting opportunities for improvement during an audit, it must ensure that such action does not give rise to any perceived conflicts of interest.

The certification body is not permitted to carry out any information security or privacy reviews of a client’s system subject to certification.

In addition, the certification body must be independent from the bodies undertaking internal audits of the client’s management system subject to certification.

As ISO 27701 is a privacy extension to ISO 27001, a single certification body must audit both standards for a client – i.e. one certification body cannot audit the ISMS and another the PIMS.

So, what’s next?

If you are a certification body auditor, check out our ISO 27701 PIMS Lead Auditor training course. This fully accredited, practitioner-led course will teach you how to extend an ISO 27001-compliant audit programme and conduct PIMS audits against ISO/IEC 27701.

If you are implementing a PIMS within your organisation and considering certification to ISO 27701, consider our ISO 27701 PIMS Lead Implementer training course.

This two-day, instructor-led course equips you to lead an ISO/IEC 27701 PIMS implementation project. You’ll learn:

  • The key concepts, principles and main requirements of ISO/IEC 27701;
  • How to prepare for your ISO 27701 certification audit and ensure you pass first time;
  • Privacy impact assessments; and
  • How to manage and drive continual improvement under ISO 27701.

Find out more

The Weekly Round-up: subscribe now