ISO 27701 Overview and Guides
ISO/IEC 27701:2019 is the data privacy extension to ISO 27001. ISO 27701 was released in 2019 to provide guidance for establishing, implementing, maintaining and continually improving a Privacy Management System (PIMS). It provides guidance on how organizations can integrate privacy controls into their existing Information Security Management Systems (ISMS). The framework can help demonstrate that effective systems are in place to support compliance with GDPR, CCPA and other related privacy legislation.
ISO 27701 is designed to help organizations establish a systematic approach to managing privacy risks and complying with privacy regulations. It provides a comprehensive framework for managing personal information that can help organizations build trust with their customers and stakeholders, and demonstrate their commitment to protecting personal privacy.
What is a PIMS?
PIMS stands for Privacy Management System, and is a collection of documents including policies, processes, procedures and security & privacy controls that together implement an effective process for collecting, processing, storing, and destroying Personally Identifiable Information (PII).
ISO 27701 is composed of 10 sections (referred to as “clauses” in ISO 27701 terminology) that overlap with ISO 27001, and six (6) annexes, of which two are normative (Annexes A and B) and four are informative (Annexes C to F). The first four clauses are introductory in nature and serve as an overview of the process itself. Clauses 4 to 10 are more substantive, providing guidelines for PII security and privacy. Each clause contains a set of guidelines intended to improve your company’s data privacy posture. We have outlined these below:
- Clause 4: ISMS requirements related to ISO/IEC 27001. Context of the organization: This clause specifies the requirements for identifying and analyzing the internal and external factors that affect the organization’s privacy management system, including the privacy risks and opportunities.
- Clause 5: PIMS-specific requirements related to ISO/IEC 27001. Leadership: This clause specifies the requirements for the leadership of the organization in establishing and maintaining the PIMS, including the assignment of roles and responsibilities, the development of privacy policies, and the establishment of a privacy culture.
- Clause 6: PIMS-specific guidance related to ISO/IEC 27002. Planning: This clause specifies the requirements for the planning of the PIMS, including the development of a privacy risk management plan, the identification and evaluation of privacy risks, and the development of privacy objectives and targets.
- Clause 7: Additional ISO/IEC 27002 guidance for PII controllers. Support: This clause specifies the requirements for providing the necessary resources, infrastructure, and support for the implementation and maintenance of the PIMS, including training, awareness, and communication.
- Clause 8: Additional ISO/IEC 27002 guidance for PII processors. Operation: This clause specifies the requirements for implementing and operating the PIMS, including the implementation of privacy controls, the management of personal data, the handling of privacy incidents, and the monitoring and measurement of the PIMS.
- Clause 9: ISMS requirements related to ISO/IEC 27001. Performance evaluation: This clause specifies the requirements for monitoring, measuring, analyzing, and evaluating the performance of the PIMS, including the use of internal audits and management reviews.
- Clause 10: ISMS requirements related to ISO/IEC 27001. Improvement: This clause specifies the requirements for continually improving the effectiveness of the PIMS, including the implementation of corrective and preventive actions, the management of nonconformities, and the implementation of improvements based on the results of performance evaluations.
What is the overlap between ISO 27001 and ISO 27701?
ISO 27701 requires an existing ISMS program to attach to. Clauses 5 to 8 of the PIMS extend the requirements of ISO 27001 to incorporate PII considerations. The specific PIMS requirements by clause are listed below:
- PIMS requirements related to ISO 27001 are outlined in clause 5
- PIMS requirements related to ISO 27002 are outlined in clause 6
- PIMS guidance for PII controllers is outlined in clause 7
- PIMS guidance for PII processors is outlined in clause 8
It is sensible for an organization to combine the ISMS and PIMS programs and extend the ISMS Statement of Applicability (SoA) to include the PIMS controls:
- Annex A + Clause 6 = 37 enhanced controls
- Annex A + Clause 7 = 31 new controls for controllers
- Annex A + Clause 8 = 18 new controls for processors
Why should you pursue an ISO 27701 certification?
For organizations that process customer and employee data in multiple jurisdictions, ensuring compliance with several countries’ data governance laws is complex and not always straightforward. ISO 27701 can be a great start. Among its many benefits, the most notable are the following:
- ISO 27701 provides a framework for complying with privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union, and the California Consumer Privacy Act (CCPA) in the United States.
- ISO 27701 provides a systematic approach to identifying and mitigating privacy risks, helping organizations to better protect personal data and reduce the risk of privacy breaches.
- ISO 27701 can help organizations streamline their privacy management processes, reducing the cost and complexity of managing personal data and improving overall operational efficiency.
- ISO 27701 certification can help enhance an organization’s brand reputation by demonstrating a commitment to privacy and data protection, which can be particularly important for companies that handle sensitive personal data such as healthcare or financial information.
Traditionally, ISO 27701 can cost anywhere between $15,000 and $100,000 when you factor in an ISO 27001 certification, the cost of the audit firm, and internal costs such as lost productivity, staff training, and the resources needed to meet specific requirements.
At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- A compliance automation platform. By automating much of the process, platforms such as TrustOps help you reduce and better manage your internal costs. We’ve developed a transparent and straightforward pricing structure to make it easier for you to manage the overall cost of the program.
- An auditor. We’ve developed strong relationships with a number of audit firms. Not only does this mean that they are trained on the platform and know how to evaluate your business, they are also able to pass along discounts as a result of a referral from TrustCloud. ISO 27701 audit partners in the TrustCloud network charge between $7,000 and $50,000 for audits, based on the maturity and complexity of the engagement.
ISO 27701 Preparation and tips
Well, we take care of the preparation piece at TrustCloud! However, even though you can use a GRC tool for preparation, there are still some important considerations:
- Make sure you have a dedicated team to handle the effort that an ISMS-PIMS preparation demands. Compliance is a team effort and requires intent and continual effort; having a clear goal and the drive to reach it will help you succeed in this endeavor.
- Perform an internal assessment to determine your gaps. This will help you determine how much time is needed. This is also something TrustCloud can help you with.
- Document, document, document everything! If it’s not documented, it is not happening!
- Identify your internal audit team! A unique characteristic of ISO 27701 and ISO 27001 is the requirement to perform an internal audit. This activity can be performed by an independent third party, or by employees of your company, as long as they are qualified (understand the auditing process and requirements) and objective (have no conflict of interest).
We have curated a toolkit to help you on your ISO 27701 journey! Follow each article below.