How to Get Certified to ISO 27701?

The ISO 27701 – Privacy Information Management Systems (PIMS) belongs to the ISO 27000 series, which is a set of standards focused on Information Security Management Systems (ISMS).

It is not possible to talk about the ISO 27701 without referencing two other standards: ISO 27001 and ISO 27002, as they are very closely related, as we’ll see later.

The ISO 27001 has been around for quite some time, originally created by the British Standards Institute as BS 7799 in 1995, which then evolved into the ISO 17799 before being established as the ISO 27001 in 2005.

Today the ISO 27001 standard is recognised globally as the gold standard for Information Security, with its latest version released in 2022.

The ISO 27002 expands on the controls listed in the ISO 27001’s Annex A, with its latest version also released in 2022. It is important to note that an organisation can only become certified against the ISO 27001, and that although the expanded guidance in the ISO 27002 provides context for implementing the controls, it is not mandatory.

What is the ISO 27701?

The ISO 27701 standard, as its own title indicates, is an extension to the ISO 27001 and ISO 27002, centered around privacy and released in 2019. The standard seeks to leverage any prior efforts made by an organisation to build and maintain their ISMS. One of the drivers for its development was the advent of data protection laws, most notably the GDPR in the EU, enacted in 2018. It doesn’t come as a surprise that Annex D has a mapping to the GDPR’s 99 articles.

One of the main characteristics of the standard is a note under clause 5 that reads:

“NOTE: In practice, where ‘information security’ is used in ISO 27001:2013, ‘information security and privacy’ applies instead.”

This note means that privacy is factored into the equation when considering the Statement of Applicability (SoA), how clauses are addressed, and the way controls are implemented.

The ISO 27701 is aimed at two different roles an organisation may fulfil: data controllers and data processors. The additional set of controls for data controllers is more onerous than those for data processors, as they determine the means and the purpose(s) of processing personal data. On occasion, a single entity may fulfil both roles, which means all of the new controls need to be complied with.

How to Become Certified Against the ISO 27701

Now that we understand the PIMS in relation to the ISMS (Privacy Information Management Systems and Information Security Management Systems, respectively), and the context, we can delve into the certification process.

An organisation seeking to become certified against the ISO 27701 would need to firstly understand the standard, and then implement the clauses and controls, perhaps performing a gap analysis to identify areas that are currently lacking. Documentation, such as policies and procedures, but also training and contractual arrangements, would need to be reviewed and amended where necessary. The documentation then needs to be reflected in real practices within the organisation, for a close fit of design and operational effectiveness. This includes the enforcement of technical controls and employee training.

Once deemed to be ready, the organisation could conduct an internal or external audit, to gain an assurance that everything is well orchestrated and running to specification. At this point, the organisation would engage with an external party for the assessment.

It would be expected that an organisation is already certified against the ISO 27001 or would like to become certified against ISO 27001 and ISO 27701 at the same time. Both options are equally valid, although the latter may result in a domino effect, where non-compliance in one of the areas of the ISO 27001 would inevitably mean the ISO 27701 counterpart is also found to be non-compliant.

The assessment typically entails a two-stage process: a thorough documentation review, followed by interviews with key personnel to obtain further information on the state of the PIMS. The duration of the assessment varies depending on the complexity, size and sector where the organisation operates, with most assessments taking between six and eight days to complete.

In the case where the assessment is successful, the organisation would obtain an ISO 27701 certification, which needs to be revalidated every three years.

This certification demonstrates the organisation’s commitment to safeguard the privacy of the personal data it handles and can lead to a competitive advantage over other organisations solely focused on the security of the information.

Caveat and Imminent Changes

I would like to highlight the fact that certification against the ISO 27701 standard does not substitute for compliance efforts with applicable regulatory, legislative, or statutory requirements, as these are oftentimes more specific.

For instance, for the handling of data subject requests in the EU, the two documents say the following:

ISO 27701, 7.3.9 - Handling requests:
"Requests should be handled within the appropriate defined response times."

GDPR, Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject:
"[…] without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary."

This means that compliance with the ISO 27701 does not automatically mean compliance with legal requirements. However, it provides the perfect framework for jurisdictional flexibility, where an organisation operates across multiple territories with different local laws.

The other important bit to note is that the ISO 27701 is based on the ISO 27001:2013, i.e., the version released in 2013. The transition period for moving to the ISO 27001:2022 standard ends in October 2025. This leads to the question: will there be a new ISO 27701 release to keep up with the 2022 version of the ISO 27001? The answer is a resounding ‘yes’, with significant changes, where the ISO 27701 becomes a fully independent standard that no longer relies on the ISO 27001.

The new version of the document is currently being drafted, with an estimated release date sometime in 2025, probably March, as per the chart below:

Final Word

As we have seen, the ISO 27701 is a great option for organisations to extend their information security management systems with a robust set of privacy considerations. It is also a great tool for organisations that operate across multiple jurisdictions.

Follow Dionach to gain insights on the changes affecting the ISO 27701, and get in touch if you would like to discuss privacy-related matters.