ISO 27701 and ISO 27001: Information technology - Security techniques

What exactly is ISO 27701?
ISO/IEC 27701:2019 is the privacy extension to the international standard for information security management, ISO/IEC 27001. Its full title is "Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines".

ISO 27701 specifies the requirements for a PIMS (privacy information management system) and provides guidance on establishing, implementing, maintaining and continually improving one.

ISO 27701 builds on the requirements, control objectives and controls of ISO 27001, and adds privacy-specific requirements, control objectives, controls and guidance on top of them.

Our bestselling pocket guide to ISO/IEC 27701 provides a succinct overview of the fundamentals and procedures of privacy information management.

Why was ISO 27701 created?
The DPA (Data Protection Act) 2018, the UK GDPR and the EU GDPR (General Data Protection Regulation) all oblige organisations to adopt security measures that protect the personal data they process.

However, these laws give little guidance on which measures to take.
To fill that gap, the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed this standard.

How do ISO 27001 and ISO 27701 interrelate?
ISO 27001 specifies the requirements for an ISMS (information security management system): a risk-based approach to security that covers people, processes and technology. Independent certification to ISO 27001 demonstrates that an organisation's information security is being managed properly.

Organisations that have already adopted ISO 27001 can use ISO 27701 to extend their ISMS to cover privacy, including the management of personal data/PII. This lets them show that they have taken the necessary measures to comply with the GDPR.

Organisations that do not yet have an ISMS can implement ISO 27001 and ISO 27701 together as a single project, since ISO 27701 is an extension of ISO 27001 rather than a standalone standard.
Free PDF download: Map your route to GDPR and DPA 2018 compliance with ISO 27701.

Who should apply ISO 27701?
ISO 27701 is intended for use by all PII controllers and processors. As with ISO 27001, the standard prescribes a risk-based approach, so that every organisation understands both its own information security risks and the risks to the personal information and privacy of the individuals whose data it handles.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 sets out the specification for a privacy information management system, while BS 10012 is the British standard for a personal information management system.

There is little difference between the two terms. Both describe management systems designed to safeguard personal information, so in day-to-day use "PIMS" can refer to either. The standards themselves, however, differ in notable ways, which are discussed below.

Should I implement ISO 27701 or BS 10012?
Each standard has its advantages, and they differ in a few respects.

BS 10012 is aligned to the GDPR and the DPA 2018. ISO 27701 is not aligned to any particular data protection regulation, which gives it broader application: a conformant organisation can use it to demonstrate compliance with a variety of privacy regimes.

BS 10012 may therefore be the right choice if your organisation is bound only by the GDPR and the DPA 2018.

If you need to demonstrate compliance with several data protection regimes, the internationally recognised standard is the better fit for your requirements.

IT Governance can help you identify which approach best suits your requirements and provide any implementation support you need.

Demonstrate GDPR compliance with ISO 27701 and ISO 27001
Implementing ISO 27701 alongside ISO 27001 enables you to meet the privacy and information security requirements of the GDPR and other data protection regimes. It lets you show that you have the management processes in place to apply "appropriate technical and organisational measures" to protect the personal data you handle and to uphold the rights of data subjects, as required by the Regulation's accountability principle (Article 5(2)).

Article 42 of the GDPR provides for data protection certification mechanisms and data protection seals and marks. Unfortunately, such mechanisms are not yet in place. In the meantime, an organisation that implements its own security measures can be certified to ISO 27001, with ISO 27701 as an extension of that certification. This demonstrates to regulators and other stakeholders that you follow international best practice for protecting personal data/PII.
