ISO/IEC 27701:2019-Security techniques
1. Introduction to ISO/IEC 27701:2019-Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems that support compliance with GDPR and other data privacy requirements. ISO 27701, also referred to by the system it defines, PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) controllers and PII processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.
The standard can be used by all types of organizations that are PII controllers and/or PII processors processing PII within an ISMS, irrespective of their size, complexity or the country in which they operate.
2. What is ISO/IEC 27701:2019?
ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.
ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII). It covers how organizations should manage personal information and assists in demonstrating compliance with applicable privacy regulations.
3. Why ISO/IEC 27701?
It reduces risk to the privacy rights of individuals and to the organization by enhancing an existing Information Security Management System.
The standard is a strong way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance with GDPR and other related privacy legislation.
Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 system or implement ISO 27001 and ISO 27701 together as a single management system. ISO 27701 is a natural extension of the requirements and guidance set out in ISO 27001.
The standard is essential for every organization that is responsible and accountable for PII, as it provides requirements on how to manage and process data and safeguard privacy. It enriches an already implemented ISMS so that it properly addresses privacy concerns, by helping organizations understand the practical approaches involved in implementing effective management of PII.
4. What benefits it brings to business:
- Protect the organization’s reputation
- Build customer trust
- Increase customer satisfaction
- Increase transparency of the organization’s processes and procedures
- Maintain the integrity of customers’ and other interested parties’ information
- Ensure information within the company is kept secure and used effectively
- Ensure information is available on time
- Prevent loss, abuse and unauthorized modification of information
- Ensure information is only accessible to authorized persons
- Assist compliance with legal and data protection requirements
5. To whom ISO 27701 is applicable
Software development, cloud and IT support companies; banks, insurance companies and brokerage houses; internet providers; government agencies; healthcare, pharmaceutical and food processing organizations.
6. Our consulting approach
- Gap Analysis: Assessment of existing management system practices against the selected standard’s requirements.
- Project Plan: Preparation of an implementation project plan based on the target timelines.
- Orientation Training: Top/senior management orientation on the selected standard’s requirements and preparation of implementation action plans.
- Developing different levels of documentation (Tier 1-3/4): Identification of the processes required for the products produced and services provided; external and internal issues affecting the business; interested parties’ needs and expectations; drafting the quality policy, organizational objectives, roles, responsibilities and authorities, the risks and opportunities that arise, functional and system procedures, and the implementation formats and checklists.
- System Implementation: Implementation of the selected management system as per the developed documentation.
- Company-wide Training: Training on the detailed clause-wise requirements, relating them to each department, and internal audit training.
- Internal Audits: Periodic assessment of system implementation and corrective actions.
- Pre-assessment: Initial audit by the certifying agency and implementation of corrective actions.
- Final Assessment: Certification audit by the certifying agency and recommendation for certification.