ISO 27001 is the well-recognised international standard for information security. A companion standard, ISO 27701, has now been added: it is the standard for Privacy Information Management. This page is a brief introduction to ISO 27701, discussing the benefits of becoming certified and how to start your journey towards achieving the new international standard for privacy information management.
An introduction to ISO 27701
The discussions around the Data Protection Act 2018 and the EU GDPR have changed greatly since the enforcement of both on 25th May 2018.
Initially, the talk was of huge fines for being found non-compliant. This led to a scramble to prove compliance in the run-up to enforcement day.
Whilst some businesses have been fined for non-compliance and data breaches, the focus for us has moved on to maintaining compliance and best practice in privacy management.
The GDPR has six principles whilst the DPA 2018 brings a seventh: the accountability principle. This requires organisations to have the appropriate measures and records in place in order to demonstrate compliance. In other words, an organisation must increasingly be able to prove how and why it has set up its processes, procedures and policies to comply with the law.
One of the key ways of achieving this is through a certification – which is why one of the most famous international standards has just received a companion standard.
ISO 27701 is the new international standard for privacy. In the same way that ISO 27001 is considered to be the “gold standard” for information security management, ISO 27701 is set to become the “gold standard” for privacy management.
It aligns with GDPR but also allows organisations to use the standard to encompass other privacy laws, regulations and requirements. This makes it an excellent choice for organisations of all sizes looking to demonstrate their compliance with GDPR.
The importance of ISO 27701
Currently, there is no “official” EU or UK GDPR certification. ISO 27701 is the closest an organisation can get to proving its accountability under the regulation.
This will set the standard for data protection practices and help organisations demonstrate that they have the appropriate control environment in the form of a Privacy Information Management System (PIMS) which integrates with the Information Security Management System (ISMS).
It is applicable to all industries and to organisations of every size, and covers the processing of personal information for all data subjects.
ISO 27701 lets an organisation demonstrate that it has put the appropriate measures in place, above all measures that protect and manage personal data, in line with the requirements of the EU GDPR.
ISO 27701 provides a recognised certification scheme. It offers assurance to both commercial partners and data subjects that personal information is being handled in a compliant manner.
The standard will also certify compliance in an organisation’s processes and controls, including the controls used to assess and mitigate risk when transferring personal data between organisations in its supply chain.
This verifies that an organisation will adequately protect personal information and provides assurance between commercial partners, which in turn improves trading practices.
In the future, it is likely that procurement teams will begin to look to ISO 27701 as a means of selecting suppliers. Therefore, suppliers that can demonstrate compliance with the standard are likely to be preferred over ones that cannot.
The benefits of the standard
ISO 27701 is an internationally recognised and applicable standard. It is designed to work across all legal jurisdictions and with all applicable legislation.
This gives a level of trust to clients and users well beyond local standards.
Certification to ISO 27701 will:
- Reduce workloads by removing an organisation’s need to demonstrate compliance with multiple certifications.
- Generate more trust between an organisation and its interested parties, since ISO 27701 provides global recognition that it complies with privacy laws.
- Provide Data Protection Officers with the evidence they need. They can share this with senior management and board members to prove that the applicable privacy requirements are being met.
- Subject to the outcome of Brexit negotiations and to your organisation’s Statement of Applicability, ISO 27701 certification could grow opportunities for organisations through the EU Digital Single Market and cross-border data flows.
- Provide transparency and enable organisations to collaborate more effectively.
- Reduce complications through integrating the certification with the leading information security standard ISO 27001.
- Enhance the current ISMS with privacy-specific controls that create a PIMS. This ensures effective privacy management within an organisation.
One of the key factors in developing ISO 27701 was ensuring it was created through recognised consensus-driven processes. A whole range of industry and regulatory leaders provided input and guidance, including Data Protection Authorities from every EU/EEA country. Across Europe, therefore, these authorities are satisfied that ISO 27701 sufficiently demonstrates compliance with privacy laws for organisations of all sizes and from all sectors.
The certification also addresses the requirements of both data controllers and data processors. Both have numerous controls defined in ISO 27701.
Certification to the Standard
Organisations that have already been certified to ISO 27001 will be able to extend this into ISO 27701. Your organisation’s ISO 27001 certification will have to be updated as a result, so that the existing ISMS incorporates the additional privacy requirements needed to implement and maintain a PIMS.
However, if your organisation does not currently have ISO 27001 certification, don’t worry. It is possible to work towards both ISO 27001 and ISO 27701 simultaneously.
Businesses that currently comply with the EU GDPR have already begun their journey towards ISO 27701.
A key amendment is the updating of your organisation’s scope of applicability. Most importantly, this could reset the boundaries within which you need to be compliant. For instance, it will include identifying other interested parties as well as implementing the necessary controls.
The auditing process for ISO 27701
Audit: In the first instance, your audit commences with a gap analysis. This highlights everywhere your business needs to make changes or updates in order to achieve certification.
Action: Secondly, we generate an easy-to-follow action plan detailing every step required. Each of these steps helps your organisation on its compliance journey. You can use our team for support at any stage of the ISO 27701 compliance journey, or you can use your own resources instead.
Assessment: At an agreed date, we conduct an ISO 27701 readiness assessment, aligned with the certification exercise. This gives you a strong indication of whether your organisation is ready for the ISO 27701 assessment from the certification body, and reveals any issues that could potentially stop your organisation from achieving certification to the standard.
Alternative: Where issues are found, we then work with you to resolve them and prepare you for the official assessment.
ISO 27701 compliance auditing
Start your preparation for ISO 27701 certification today. An action plan can be designed for you and used alongside our certified assessment process.
The range of services and solutions we offer will give any business confidence in its data. So, whether you are an SME, a charity, or any other type of business, we can help you. We will take the time to understand your specific requirements and can provide support designed with you in mind through our specialist group of practitioners.
Call us today on 03333 22 1011 to find out more or you can contact us here.