In August, the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) released a new privacy standard set to become the benchmark for helping organisations comply with international privacy frameworks and laws. ISO/IEC 27701:2019 serves as a privacy extension to the internationally recognised management standard for information security, ISO/IEC 27001, which already enjoys significant global adoption rates.
ISO 27701 is designed to be implemented by organisations worldwide that collect and process personally identifiable information (PII) and was developed to help organisations comply with key privacy laws, such as the General Data Protection Regulation (GDPR).
Privacy laws introduced within the past few years such as the GDPR, the UK DPA (Data Protection Act) 2018 and the CCPA (California Consumer Privacy Act) prove that authorities and regulatory bodies are raising the bar on baseline information security and data privacy, and impose significant fines for non-compliant organisations that suffer a data breach. Organisations now face more significant consequences for breaches that result from failing to embrace legal requirements.
What is ISO 27701 and what is a privacy information management system?
ISO 27701 provides a framework that helps organisations to implement, maintain and continually improve a privacy information management system (PIMS). It sets the provisions for implementing a PIMS by expanding on the requirements and guidance provided by ISO 27001 and its recommended controls and measures.
It sets out the requirements for an extension of an information security management systems (ISMS) to address privacy management. Organisations that have implemented (and are compliant with) ISO 27001 can adopt ISO 27701 to extend their ISMS into a PIMS. Organisations that have not yet implemented ISO 27001 can implement both ISO 27001 and ISO 27701 together.
What is ISO 27001 and how do these two standards support GDPR compliance?
ISO 27001 is designed to help organisations manage their information security processes in line with international best practice while optimising costs. It provides the specification for managing information security through working arrangements, policies, procedures and other controls involving people, processes and technology to help organisations protect and manage all their data.
Combined with ISO 27001, ISO 27701 can help organisations demonstrate how their management arrangements support compliance with key privacy laws – a critical benefit when evidence of robust data privacy practices is sought by a supervisory authority following a breach.
While the GDPR does not specifically mention adopting ISO 27001 (or ISO 27701) as a pathway to support compliance, many organisations already recognise ISO 27001 as the global benchmark for information security management. According to the 2018 ISO survey, there are around 32,000 organisations with an ISO/IEC 27001-compliant ISMS certificate worldwide and the number is increasing.
Certification to standards such as ISO 27001 brings a wide range of benefits above and beyond simple certification. According to the ISO 27001 Global Report 2018, 81% of organisations implementing an ISMS are doing so to meet growing client demands for increased data security, while 62% reported improved staff awareness of information security as one of the key benefits of implementing an ISMS.
Implementing a PIMS as an extension to an existing ISMS
If an organisation has implemented ISO 27001, it can use ISO 27701 to extend its security efforts to cover privacy requirements. Organisations that have not implemented an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project, but ISO 27701 cannot be implemented as a standalone standard. The reason for this is that an ISO 27001-conforming ISMS is the kernel onto which the ISO 27701 additions accommodate privacy.
The benefits of implementing a PIMS
While an ISO 27701-conformant PIMS is likely to be valuable for any organisation with data protection obligations, it is likely to be of special interest to organisations that operate internationally, work with clients from other jurisdictions or operate in international supply chains. These organisations are often required to comply with a variety of privacy regulations and laws, and ISO 27701’s approach can make this challenge more approachable.
The framework helps organisations appropriately address their information security and privacy risks, and could reduce the time spent on client-requested and contractually required audits.
Extending an ISO 27001-conforming ISMS with ISO 27701 can provide evidence that the organisation has taken steps to implement “appropriate technical and organisational measures” to reduce risks and protect personal data, as required by an increasing range of privacy laws globally.
By implementing a PIMS as an extension to an existing ISO 27001-compliant ISMS, an organisation can collect and process data – including personal data – in a systematic way, manage risks related to the confidentiality, integrity and availability of information, and respond to evolving threats and risks to that data and its privacy.
A privacy information management system also allows organisations to reduce the costs associated with privacy and information security by constantly adapting to changes both in the environment and within the organisation, significantly increasing its resilience to cyber attacks.
Why consider ISO 27001 certification?
Although accredited certification can only be awarded against the ISO 27001 requirements, and not currently to ISO 27701, the increasingly regulated security and privacy landscape, and the dramatic increase in cyber attacks on businesses, regardless of size, should only encourage organisations to adopt international frameworks such ISO 27001 and ISO 27701.
Independently accredited certification can support bids for government-funded projects, provide clients with proof of security practices, and assure the board and supervisory authorities that an organisation takes accountability for data privacy in line with this international framework and other legal provisions.
Over the past decade, privacy and cyber security have been a board-level issue, but top-level commitment remains a challenge. With the introduction of data protection laws with significant teeth, we should see more organisations than ever adopt internationally recognised standards such as ISO 27001 and its new extension.
By certifying to ISO 27001, an organisation can demonstrate that it has taken the appropriate steps to meet its legal and regulatory obligations to reduce and manage data security risks.