ISO 27701 adoption can demonstrate data privacy compliance and reduce cyber risk


Released last year by the International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27701:2019 provides the specification for managing information security through working arrangements, policies, procedures and other controls involving people, processes and technology to help organizations protect and manage their data.

The standard is designed to help organizations manage their information security processes in line with international best practices, serving as a privacy extension to the internationally recognized management standard for information security, ISO/IEC 27001, which already enjoys significant global adoption rates.

In recent years, standards such as ISO 27001 have seen an increased global adoption because of the wide range of benefits above and beyond simple certification. According to the ISO 27001 Global Report 2018, 81% of organizations implementing an information security management system (ISMS) are doing so to meet growing client demands for increased data security, while 62% reported improved staff awareness of information security as one of the key benefits of implementing an ISMS.

ISO 27701 is designed to be implemented by organizations worldwide that collect and process personally identifiable information (PII) and was developed to help organisations comply with key privacy laws, such as the General Data Protection Regulation (GDPR).

The benefits of adopting ISO 27701 and addressing your privacy requirements

An ISO 27701-conformant privacy information management system (PIMS) is likely to be valuable for any organisation with data protection obligations, especially those that operate internationally, work with clients from other jurisdictions or operate in international supply chains. These organizations are often required to comply with a variety of privacy regulations and laws, and ISO 27701’s approach can make this challenge more approachable.

The framework helps organizations appropriately address their information security and privacy risks, and could reduce the time spent on client-requested and contractually required audits.

Extending an ISO 27001-conforming ISMS with ISO 27701 can provide evidence that the organization has taken steps to implement “appropriate technical and organizational measures” to reduce risks and protect personal data, as required by an increasing range of privacy laws globally.

By implementing a PIMS as an extension to an existing ISO 27001-compliant ISMS, an organization can collect and process data – including personal data – in a systematic way, manage risks related to the confidentiality, integrity and availability of information, and respond to evolving threats and risks to that data and its privacy.

Integrating your privacy and security systems to reduce risk and minimise cost

ISO 27701 provides a framework that helps organizations implement, maintain and continually improve a PIMS in line with international best practices while optimising costs. It sets the provisions for implementing a PIMS by expanding on the requirements and guidance provided by ISO 27001 and its recommended controls and measures.

It also sets out the requirements for an extension of an ISMS to address privacy management.

If an organization has implemented ISO 27001, it can use ISO 27701 to extend its security efforts to cover privacy requirements. Organizations that have not implemented an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project, but ISO 27701 cannot be implemented as a standalone standard. The reason for this is that an ISO 27001-conforming ISMS is the kernel onto which the ISO 27701 additions are built to accommodate privacy.

ISO 27001 and ISO 27701 as the possible pathway to demonstrate international privacy compliance

Combined with ISO 27001, ISO 27701 can help organizations demonstrate how their management arrangements support compliance with key privacy laws – a critical benefit when evidence of robust data privacy practices is sought by a supervisory authority following a breach.

While the GDPR does not specifically mention adopting ISO 27001 (or ISO 27701) as a pathway to support compliance, many organizations already recognise ISO 27001 as the global benchmark for information security management. According to the 2018 ISO survey, there are around 32,000 organizations with an ISO/IEC 27001-compliant ISMS certificate worldwide, and the number is increasing.

Why should businesses implement a PIMS and consider certification?

A PIMS also enables organizations to reduce the costs associated with privacy and information security by constantly adapting to changes both in the environment and within the organization, significantly increasing its resilience to cyber attacks.

Privacy laws introduced within the past few years such as the GDPR, the UK Data Protection Act (DPA) 2018 and the California Consumer Privacy Act (CCPA) prove that authorities and regulatory bodies are raising the bar on baseline information security and data privacy, and impose significant fines for non-compliant organizations that suffer a data breach. Organizations now face more significant consequences for breaches that result from failing to embrace legal requirements.

Although accredited certification can currently only be awarded against the ISO 27001 requirements, and not against ISO 27701, the increasingly regulated security and privacy landscape, and the dramatic increase in cyber attacks on businesses regardless of size, should only encourage organizations to adopt international frameworks such as ISO 27001 and ISO 27701.

Independently accredited certification can support bids for government-funded projects, provide clients with proof of security practices, and assure the board and supervisory authorities that an organization takes accountability for data privacy in line with this international framework and other legal provisions.

By certifying to ISO 27001, an organization can demonstrate that it has taken the appropriate steps to meet its legal and regulatory obligations to reduce and manage data security risks. Keep informed on the development of an ISO 27701-accredited certification scheme by following IT Governance on social media.
