ISO 27701 27001 Information Technology Security Techniques

What is ISO 27701 and what does it mean?
ISO/IEC 27701:2019 is an extension to the international standard for information security management, ISO/IEC 27001. Its full title is ISO/IEC 27701 Security Techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management - Requirements and Guidelines.

ISO 27701 provides requirements and guidance for establishing, maintaining and continually improving a Privacy Information Management System (PIMS).

ISO 27701 builds on the requirements, control objectives and controls of ISO 27001, and adds privacy-specific requirements, controls and objectives.

Alternatively, for a clear and concise overview of the fundamentals of privacy information management and of ISO/IEC 27701, read our bestselling pocket guide ISO/IEC 27701:2019: An introduction to privacy information management.

What is the objective of ISO 27701?
The UK DPA (Data Protection Act) and the EU GDPR (General Data Protection Regulation) require organisations to take steps to safeguard any personal information they process.

However, they are not very specific about what measures to take.
The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) created this new standard to provide that guidance.

What is the relationship between ISO 27001 and ISO 27701?
ISO 27001 specifies the requirements for an ISMS (information security management system), a risk-based approach that covers people and processes as well as technology. Independent ISO 27001 certification confirms that information security has been managed properly.

Organisations certified to ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy, including the processing of personal information or PII. This helps them demonstrate that reasonable steps have been taken to comply with data protection laws such as the GDPR.

Organisations without an ISMS can implement ISO 27001 and ISO 27701 together in a single implementation project.

Who should implement ISO 27701?
ISO 27701 can be applied by any data controller or processor. Like ISO 27001, it encourages a risk-based approach, so that each organisation addresses its own particular risks and its own security and privacy concerns.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 sets out the specification for a privacy information management system, while BS 10012 is the British standard for a personal information management system.

The terms are very similar: both describe management systems designed to protect personal data, and in day-to-day use the abbreviation PIMS can refer to either. There are, however, some differences between the two approaches, explained below.

Should I use BS 10012 or ISO 27701?
Both standards have their benefits, but there are certain distinctions.

BS 10012 is aligned to the GDPR (2018) and the DPA 2018; ISO 27701 has no such alignment. This makes ISO 27701 more widely applicable, allowing conforming organisations to meet the requirements of a range of privacy regimes.

BS 10012 may be the ideal choice for your organisation if it only needs to comply with the GDPR 2018 and the DPA 2018.

If you have to demonstrate compliance with several data protection laws, the internationally recognised standard is better suited to your purposes.

IT Governance can help you select the standard that best meets your needs and can provide the implementation support you require.

Prove GDPR compliance with ISO 27701/ISO 27001
Implementing ISO 27701 and ISO 27001 will help you comply with the privacy and information security requirements of the GDPR. It will also allow you to demonstrate that you have the management procedures in place to take "appropriate technical and organisational measures" to safeguard the personal information you handle and to uphold data subjects' rights, in line with the regulation's accountability principle (Article 5(2)).

Article 42 of the GDPR covers data protection certification mechanisms and data protection seals and marks, but no such mechanism currently exists. It is, however, possible to obtain independently accredited certification to ISO 27001, and by extension to ISO 27701 if you implement the appropriate controls. This shows regulators and other stakeholders that your organisation follows international best practice in securing personal information/PII.
