What is ISO 27701?
ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001 (ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines).
ISO 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system).
ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of privacy-specific requirements, controls and control objectives.
Get your copy of ISO 27701 here
Alternatively, for a clear and concise overview of the principles of personal information management and ISO/IEC 27701, read our bestselling pocket guide ISO/IEC 27701:2019: An introduction to privacy information management.
Who needs ISO 27701?
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.
Why was ISO 27701 developed?
The DPA (Data Protection Act) 201 and UK GDPR (General Data Protection Regulation), and the EU GDPR (General Data Protection Regulation) require organisations to take measures to ensure the privacy of any personal data that they process.
However, none of these laws provide much guidance on what those measures should look like.
ISO (the International Organization for Standardization) and IEC (International Electrotechnical Commission) developed ISO 27701 to provide that guidance.
Speak to an expert
For expert advice on GDPR compliance or implementing ISO 27701, ISO 27001 or BS 10012, call us now on +44 (0)333 800 7000.
Alternatively, you can request a call back using the form below. Our experts are ready and waiting with practical advice.
How do ISO 27001 and ISO 27701 integrate with each other?
ISO 27001 establishes the requirements for an ISMS (information security management system) that takes a risk-based approach to security, covering people, processes and technology.
Certification to ISO 27001 provides stakeholders with assurance that data is being secured appropriately.
Organisations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management, including the processing of PII (personally identifiable information), which can help them demonstrate compliance with data protection laws such as the GDPR.
Organisations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.
Map your path to GDPR and DPA 2018 compliance with ISO 27701
Download our free green paper for an introduction to ISO/IEC 27701:2019, the international standard for privacy information management.
What’s the difference between a privacy information management system and a personal information management system?
There is little material difference between a privacy information management system (ISO 27701) and a personal information management system (BS 10012). Both are management systems designed to secure personal information. However, there are some notable differences between the two approaches, which are considered below.
Should I implement ISO 27701 or BS 10012?
While there are benefits to both standards, they differ in certain aspects.
BS 10012 is aligned with the GDPR and DPA 2018, whereas ISO 27701 avoids aligning itself with any specific data protection regime. This grants it wider application, allowing conformant organisations to comply with several privacy regimes.
If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 suits your requirements.
If, however, you need to demonstrate that you comply with several data protection regimes then you will find ISO 27701 better suits your purposes.
IT Governance can help you determine which standard is better suited to your needs and provide any implementation support you require.
ISO 27701 control mappings
As well as providing privacy-specific requirements, controls and control objectives for controllers and processors, ISO 27701 includes annexes that map them to:
- ISO 29100 (Information technology – Security techniques – Privacy framework);
- ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
- ISO 27018 ((Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
It also contains an annex that maps its requirements and controls to the GDPR’s requirements, so ISO 27701 can be used as a GDPR compliance guide by data controllers and processors.
For instance, data controllers’ obligations for meeting data subjects’ rights under the GDPR are covered by ISO 27701’s controls covering obligations to PII principals.
Guidance is provided for implementing each control.
Demonstrate GDPR compliance with ISO 27701 and ISO 27001
ISO 27701 and ISO 27001 will help you meet GDPR requirements and show that you have the necessary security measures in place to protect personal data and uphold data subjects’ rights.
Article 42 of the GDPR discusses data protection certification mechanisms and data protection seals and marks. It is possible to achieve independently accredited certification to ISO 27001 – and by extension ISO 27701 if you implement its controls – which will demonstrate to stakeholders and regulators that your organisation is following international best practice when it comes to securing personal data/PII.
Find out more about ISO 27001 certification
Need help implementing ISO 27701? We have everything you need.
We’ve been leading ISO 27001 certification projects since the Standard’s inception and have everything you need to extend your ISMS to cover ISO 27701 and privacy management.