Your ISO 27701 questions answered

We recently hosted a webinar on ISO 27701, the new standard in the ISO 27000 series that helps organisations understand their privacy requirements.

Understandably, many viewers had questions at the end of the presentation. After all, ISO 27701 has significant consequences for the way organisations operate and how they approach the GDPR (General Data Protection Regulation), and we couldn’t answer everything in the allotted time.

We’ve taken those questions and answered them in this blog. If you have a question that isn’t covered here, please do leave a comment.

Q: If we already have a robust ISMS in place, are we ready to get the additional certification?

You are well on your way, but you should read the contents of ISO 27701 to make sure you’ve covered all the necessary compliance requirements.

It’s not just about creating privacy policies; you also need to make sure they’ve been implemented correctly and are being followed.

Q: Will ISO 27701 be updated on a regular basis in the same way as ISO 27001?

Yes. The latest version of ISO 27001 was published in 2013, but a new version is currently being drafted. Part of that process involves updating the associated Standards to align with whatever changes are made.

Q: We’re currently ISO 27001-accredited. For the next audit, should we ask for ISO 27701 to be scoped in as there’s no current certification for it?

You should check with your certification body to see what they offer. Some certification bodies are already offering (and reporting compliance) ‘non-accredited’ certification to ISO 27001.

Q: Does ISO 27701 cover the GDPR’s requirements in full?

Yes, and we’ve provided a green paper that shows you how to map the Standard onto the GDPR.

Q: How will Brexit affect the Standard, given that its requirements align with the GDPR?

Brexit won’t change the fact that ISO 27701 is the best practice for protecting individuals’ privacy.

Meanwhile, the GDPR’s requirements have been transferred into the UK GDPR, which covers the same requirements but is specific to domestic organisations.

Q: If ISO 27701 is part of ISO 27001, how do you implement a standalone PIMS (privacy information management system)?

First, we should note that it’s a mistake to implement a PIMS without some form of information security management process, such as ISO 27001, in place, because privacy and security are closely linked.

The two Standards’ practices aren’t your only options, though. If for whatever reason you don’t want to adopt ISO 27001 and its associated standard, you could use BS 10012 as a standalone guide for privacy management.

Q: Where can I find a copy of the comparison between ISO 27701 and BS 10012?

This is available to download for free on the BSI website.

Q: Is there any information regarding ISO 27701 certification schemes?

UKAS is currently calling for expressions of interest in an accredited certification scheme.

Check out our other ISO 27701 resources

If you found these questions useful, you might also be interested in our range of ISO 27701 products, including a handbook introducing you to the Standard’s requirements, our Lead Implementer training course and our ISO 27701 gap analysis tool.

We also have a selection of ISO 27001 webinars that cover the Standard as a whole and specific elements of it.

This includes discussions on certification audits, implementing the Standard’s requirements and conducting risk assessments.

Take a look