ISO 27701 and ISO 27001: Information Technology Security Techniques

What is ISO 27701 exactly?
ISO/IEC 27701:2019 is an extension to the international standard for information security management, ISO/IEC 27001. Its full title is ISO/IEC 27701 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines. See also: Information technology -- Cybersecurity.

ISO 27701 defines the requirements for a PIMS (privacy information management system) and provides guidelines on how to establish, implement, maintain and continually improve it.

ISO 27701 is based on the requirements, control objectives and controls of ISO 27001 and adds privacy-specific requirements and controls.

You can also read our bestselling pocket guide ISO/IEC 27701:2019: A brief introduction to privacy information management.

Why was ISO 27701 established?
The UK's DPA 2018 (Data Protection Act 2018), the UK GDPR (General Data Protection Regulation) and the EU GDPR all oblige organisations to adopt measures to protect the privacy of the personal information they process.

However, the laws themselves provide little guidance about how their requirements should be interpreted and implemented.
To provide that guidance, ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) created this standard.

How do ISO 27001 and ISO 27701 work together?
ISO 27001 sets out the requirements for an ISMS (information security management system): a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 provides stakeholders with assurance that data is being properly protected.

Organisations that have adopted ISO 27001 can use ISO 27701 to extend their ISMS to cover privacy, including the processing of personal information and PII (personally identifiable information). This enables them to show that they have taken reasonable steps to comply with the GDPR.

Organizations that don't have an ISMS can apply ISO 27001 and ISO 27701 in a single implementation project.
Free PDF download: Map your path to GDPR and DPA 2018 compliance with ISO 27701

Who should apply ISO 27701?
ISO 27701 is designed to be used by all data controllers and data processors. As with ISO 27001, the standard requires a risk-based approach, so that every conforming organisation addresses both its own specific risks and the risks to personal information and privacy.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 sets out the requirements for a privacy information management system, whereas BS 10012 is the British standard for a personal information management system.

There is little practical difference between the two terms: both are management systems designed to protect personal data, and in everyday use you can take the acronym "PIMS" to mean either. However, there are notable differences between the two standards, which are discussed in the following section.

Should I use BS 10012 or ISO 27701?
Both standards have their advantages, but there are some distinctions.

BS 10012 is aligned with the GDPR, DPA 2018 and ISO 27701, whereas ISO 27701 is not aligned with any specific privacy regime. This allows ISO 27701 to be used by a wider range of organisations and, consequently, alongside multiple privacy laws.

BS 10012 is an excellent choice if your organisation needs to comply with the GDPR and DPA 2018.

If you need to demonstrate compliance with a number of privacy laws, an international standard may be more appropriate.

IT Governance can help you determine the appropriate standard for your needs and offer the implementation support you require.

Demonstrate GDPR Compliance with ISO 27701 & ISO 27001
Implementing ISO 27701 alongside ISO 27001 will help you meet the GDPR's privacy requirements. See ISO 27001 for more information.

Article 42 of the GDPR covers data protection certification mechanisms and data protection seals and marks. These mechanisms are not yet in place. However, it is possible to achieve independently accredited certification to ISO 27001 - and, by extension, ISO 27701 if you also implement its controls. This demonstrates to regulators and other stakeholders that your organisation follows international best practice in the protection of personal information/PII.
