Management Systems Certification

ISO 27701 Privacy Information Management System

UCERT

WHAT IS ISO 27701?

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard ISO/IEC 27001 (its full title is ISO/IEC 27701 Security techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Requirements and guidelines).

ISO 27701 specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a PIMS (Privacy Information Management System).

ISO 27701 builds on the requirements, control objectives and controls of ISO 27001, and adds a set of requirements, controls and control objectives that relate specifically to the protection of privacy.

WHY WAS THE ISO 27701 STANDARD DEVELOPED?

The EU GDPR (General Data Protection Regulation) and the UK DPA (Data Protection Act) 2018 both require organizations to take measures to protect the privacy of the personal data they process.

However, neither piece of legislation provides sufficient guidance on what those measures should be.

Therefore, ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) developed this new standard to provide the necessary guidance.

HOW DO ISO 27001 AND ISO 27701 FIT TOGETHER?

ISO 27001 defines the requirements for an ISMS (Information Security Management System): a risk-based approach that covers people, processes and technology. Independently accredited certification to ISO 27001 gives interested parties assurance that their data are properly protected.

Organizations that have implemented ISO 27001 can use ISO 27701 to extend their efforts to cover privacy management, including the processing of personal data / PII (Personally Identifiable Information). This helps them demonstrate that appropriate measures have been taken to comply with data protection legislation such as the GDPR.

Organizations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.

WHO SHOULD APPLY ISO 27701?

ISO 27701 has been designed for use by everyone responsible for processing and managing data. Like ISO 27001, it follows a risk-based approach, so that each complying organization can address the specific risks it faces, including its personal data and privacy risks.

WHAT IS THE DIFFERENCE BETWEEN A PRIVACY INFORMATION MANAGEMENT SYSTEM AND A PERSONAL INFORMATION MANAGEMENT SYSTEM?

Whilst ISO 27701 defines the requirements for a privacy information management system, BS 10012 is the British standard for a personal information management system.

There is little tangible difference between the two terms: both are management systems designed to protect personal data, and for everyday purposes you can assume that the acronym "PIMS" refers to either of them. However, there are some notable differences between the two approaches, which are shown below.

GDPR                          ISO 27701
Personal Data                 PII
Data Controller               PII controller
Data Processor                PII processor
Data Subject                  PII principal
Data Protection by design     Privacy by design
Data Protection by default    Privacy by default