ISO27701:2019, a new international standard concerned with the management of personal data, has been published. ISO27701 is a Privacy Information Management System (PIMS), and provides an extension to the better known ISO27001:2013 Information Security Management System (ISMS).
In this blog, we’ll take a brief look at the new standard, how it differs from ISO27001:2013, and how it can benefit your organisation.
What is ISO27701?
The new ISO27701 standard is designed to be used as an extension of ISO27001. If an organisation is certified or aligned to ISO27001, then ISO27701 can be used to introduce some privacy-specific controls through the control selection process that then reside within their existing ISMS.
What’s the Difference between ISO27701 and ISO27001?
The new standard brings additional requirements within the main clauses of ISO27001:2013, as well as further guidance to clauses in ISO27002.
ISO27701 extends the meaning of “information security” beyond what it currently encompasses in ISO27001. The requirements of ISO27001 are now extended to include “protection of privacy as potentially affected by the processing of PII”. Privacy and the protection of personal data were always present in ISO27001 through the legislative-requirements control, but adopting ISO27701 makes them intrinsic to your management system.
In basic terms, when ISO27001 mentions “Information security”, this now reads “Information security and privacy”.
New requirements for clauses 4 and 5 of ISO27001 are contained within clauses 5.2 and 5.4 of ISO27701 respectively.
When determining the context of your organisation, ISO27701 additionally requires that you consider your role as a data controller or data processor. You must determine internal and external factors that are relevant to this, and identify interested parties.
In reality this will usually mean, at a minimum, identifying the local supervisory authority. In the UK this is the Information Commissioner’s Office. It may also include your customers, and any contractors who process personal data on your behalf.
You must also expand the scope of your ISMS to include the scope of the PIMS, that is to say, your scope needs to include all processing of personal data.
ISO27701 also requires that your risk assessment considers risks associated with the confidentiality, integrity, and availability of personal data. Your statement of applicability must also be amended to include controls from Annex A and/or Annex B of ISO27701.
The new standard also provides additional PIMS-specific guidance that maps to ISO27002. This applies to every clause of ISO27002 except clause 17. Some examples of the new guidance include:
- Update policies to include a commitment to comply with relevant personal data regulations, and with contractual agreements with customers and third parties
- Designate a point of contact for queries regarding personal data
- Make a person or team responsible for implementing and maintaining a governance and privacy program to ensure compliance with regulations
- Ensure all relevant staff are trained to be aware of personal data principles, and how to report incidents
- Specifically consider personal data in information classification systems
- Implement controls around the use of removable media, and the disposal/re-use of equipment
- Have a policy to address backup and recovery requirements specifically relating to personal data
- Use logging and monitoring to record, where possible, all access to personal data, and take measures to ensure personal data is not inadvertently stored in logs
- Ensure system/software development policies include guidance relating to personal data and deliver privacy by design
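The logging point in the list above (record every access to personal data, but keep personal data itself out of the logs) is one of the few items that translates directly into code. The following is an added illustration, not code from the page or from LRQA Nettitude. It assumes Python's standard `logging` module and uses a hypothetical `PIIRedactingFilter` that scrubs e-mail addresses and UK-style phone numbers from application log messages, alongside a separate `record_access` function that writes a structured audit record keyed by an internal pseudonymous subject reference rather than by name or e-mail. The regular expressions and sample messages are constructed for the example and are illustrative, not an exhaustive PII definition.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Constructed, illustrative PII patterns: e-mail addresses and UK-style phone
# numbers. A real deployment would tune these to the data it actually processes.
PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"\b(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b"), "<phone>"),
]


def redact(text: str) -> str:
    """Replace every PII match with a fixed placeholder."""
    for pattern, placeholder in PII_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Hypothetical filter: rewrites each record before any handler sees it.

    The message is rendered with its arguments first, so PII passed as a
    formatting argument is scrubbed too, then the args are cleared so the
    handler does not re-apply them to the already-rendered string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only sanitise it


class ListHandler(logging.Handler):
    """Collects formatted log lines in a list (stands in for a file/SIEM sink)."""

    def __init__(self, sink: list):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def make_logger(name: str, sink: list, redact_pii: bool) -> logging.Logger:
    """Build an unregistered Logger so repeated calls do not stack handlers."""
    logger = logging.Logger(name)
    logger.setLevel(logging.INFO)
    handler = ListHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    if redact_pii:
        logger.addFilter(PIIRedactingFilter())
    return logger


def record_access(audit: logging.Logger, actor: str, subject_ref: str, purpose: str) -> dict:
    """Write one structured audit event for an access to personal data.

    subject_ref is an internal pseudonymous identifier (e.g. a customer id),
    so the audit trail itself does not become another store of PII.
    """
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "subject_ref": subject_ref,
        "purpose": purpose,
    }
    audit.info(json.dumps(event, sort_keys=True))
    return event


def demo() -> tuple:
    """Run both loggers over constructed sample input and return their output."""
    app_lines, audit_lines = [], []
    app = make_logger("example.app", app_lines, redact_pii=True)
    audit = make_logger("example.audit", audit_lines, redact_pii=False)

    # Constructed application messages that would otherwise leak PII into logs.
    app.info("Lookup failed for user %s", "alice@example.com")
    app.warning("Callback requested to 07700 900123 by cust-000123")

    # The access itself is recorded against a pseudonymous reference only.
    record_access(audit, actor="support-agent-42", subject_ref="cust-000123",
                  purpose="customer support ticket")
    return app_lines, audit_lines


if __name__ == "__main__":
    for line in sum(demo(), []):
        print(line)
```

Keeping the redaction filter on the application logger and the audit trail on a separate logger mirrors the two halves of the guidance: the audit log is complete (who accessed which record, why, and when) while the operational log can be shipped to a SIEM or shared with a vendor without carrying the personal data it was describing.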
Does ISO27701 help with GDPR compliance?
The new standard is clearly aligned with the GDPR. It provides organisations with a recognised standard that will, in future, offer certification in much the same way as ISO27001:2013.
Prior to the release of the standard, ISO27001:2013 was viewed (if implemented appropriately) as a good framework to assist with compliance with the GDPR. The addition of this privacy-specific extension only strengthens this.
Article 42 of the GDPR does allow for the establishment of data protection certification mechanisms so that organisations can demonstrate compliance, and there are several reasons why ISO27701:2019 could provide this:
- It is an internationally recognised standard;
- It extends an already widely-used and mature information security standard;
- Organisations can be certified against the standard by recognised auditors.
LRQA Nettitude’s expert consultants are highly experienced in helping businesses and other organisations comply with complex regulations including ISO27001, and can help your business implement ISO27701. If you would like to discuss your organisation’s compliance needs, please get in touch.