ISO/IEC 27701:2019 is a privacy extension to the international information security management standard ISO/IEC 27001 (its full title is ISO/IEC 27701 Security techniques, Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, Requirements and guidelines).
ISO 27701 specifies the requirements, and offers guidance, for establishing, implementing, maintaining and continually improving a PIMS (Privacy Information Management System).
ISO 27701 builds on the requirements, control objectives and controls of ISO 27001, and adds a set of requirements, controls and control objectives that relate specifically to the protection of privacy.
The EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018 both require organizations to take measures to protect the privacy of the personal data they process.
However, neither piece of legislation gives sufficient guidance on what those measures should look like.
ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) therefore developed this new standard to provide that guidance.
ISO 27001 defines the requirements of an ISMS (Information Security Management System), a risk-based approach that covers people, processes and technology. Independently accredited certification to ISO 27001 gives interested parties confirmation that their data are properly protected.
Organizations that have already implemented ISO 27001 can use ISO 27701 to extend their efforts to cover privacy management, including the processing of personal data / PII (Personally Identifiable Information), which helps them demonstrate that appropriate measures have been taken to comply with data protection legislation such as the GDPR.
Organizations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.
ISO 27701 is designed for use by everyone responsible for processing and managing data. Like ISO 27001, it follows a risk-based approach, so that each complying organization can address the specific risks it faces, including the risks to personal data and privacy.
Whereas ISO 27701 defines the requirements for a privacy information management system, BS 10012 is the British standard for a personal information management system.
There is little tangible difference between the two terms: both are management systems designed to protect personal data, and for day-to-day purposes you can assume that the acronym "PIMS" refers to either of them. There are, however, some notable differences between the two approaches, which are outlined below. In particular, ISO 27701 uses its own terminology for the concepts defined in the GDPR:
| GDPR | ISO 27701 |
| --- | --- |
| Personal Data | PII |
| Data Controller | PII controller |
| Data Processor | PII processor |
| Data Subject | PII principal |
| Data Protection by design | Privacy by design |
| Data Protection by default | Privacy by default |