A Data Privacy Extension of ISO 27001 and ISO 27002
ISO 27701 is an extension of ISO 27001 and ISO 27002, which specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
Personally Identifiable Information (PII)
Data that can be used to specifically identify a person (e.g. name, Social Security Number, credit card number) and other information linked to an individual (e.g. financial or medical records).
PII Principal
The person to whom the Personally Identifiable Information relates.
PII Controller
Collects the personal data and determines the purpose and means of the processing of that personal data.
PII Processor
Engages in the processing of personal data on behalf of a PII Controller. This includes suppliers to PII Controllers.
An example of the relationship:
- The PII Principal buys something online;
- the PII Controller collects the personal details (e.g. credit card details and address) during checkout;
- the PII Processor processes the data to arrange the delivery of the goods.
*Processing refers to any operation (or set of operations) performed on personal data, such as, but not limited to, collection, structuring, storage, use or disclosure.
Who needs ISO 27701 (PIMS)?
Applicable to all organisations acting as PII Controllers or PII Processors, an ISO 27701 PIMS (Privacy Information Management System) benefits any business that handles PII and is responsible and accountable for its processing.
Benefits of ISO 27701
Extensive Framework For Privacy Information Management
An internationally recognised framework for PII Controllers and PII Processors to manage Data Privacy
Establish Digital Trust For Clients' Data
Robust policies, processes and procedures embedded within the organisation to protect personal information
Support Compliance With Privacy Legislation Like GDPR
An effective management system to support compliance with GDPR and other related privacy legislation
An Integrated system for Information Security & Privacy Management
A data privacy extension to ISO 27001, where privacy related controls are added to an already implemented ISMS to address privacy requirements
Implementation of ISO 27701 (PIMS)
ISO 27701 details the requirements and provides guidance for the establishment, implementation, maintenance and improvement of a Privacy Information Management System (PIMS).
Note: ISO 27701 is only available as an add-on to an ISO 27001 certification and cannot be obtained as a standalone certification.
The Design Of PIMS
Tailored to the organisation's business and its needs for privacy management, the design of the PIMS includes consideration of applicable privacy legislation. The PIMS provides organisations with a robust management system to support compliance with data privacy legislation such as the EU GDPR. For local standards and regulations like Singapore's DPTM or PDPA, the local requirements can be mapped to the PIMS requirements and managed accordingly.
As a privacy extension to the ISMS, the design of the PIMS includes privacy-specific objectives, processes and controls to manage PII. These include, but are not limited to:
- Strengthening oversight and enforcing accountability for the handling of PII;
- Identifying risks that relate to data processing and ensuring the relevant processes are followed through;
- Demonstrating compliance and providing transparency in privacy management for the privacy rights of individuals;
- Protecting data using an integrated system of privacy and information security.
Security Is Instrumental For Privacy
As a privacy extension of ISO 27001 and ISO 27002, the PIMS is built on top of an already established Information Security Management System (ISMS). Hence, to implement an ISO 27701 PIMS, an organisation would first need to achieve compliance with ISO 27001.
1. For organisations with an existing ISO 27001 certification
Implementation period: 4 – 6 months
While ISO 27001 is a framework for ISMS and ISO 27701 is a framework for PIMS, there is significant overlap in security and technical requirements between both standards. Organisations with an existing ISMS can modify and integrate the additional privacy-specific requirements and controls set out in ISO 27701 to establish a PIMS for privacy management.
ISO 27701 contains separate clauses for PII Controllers and PII Processors that relate specifically to the design of the system for PII processing. An organisation can therefore first conduct an assessment to scope the work and identify the maturity and needs of the business with regard to privacy management.
Upon the integration of the privacy-specific requirements within the ISMS, an integrated audit can be conducted.
2. For organisations implementing both ISO 27001 and ISO 27701 together as a single engagement
Implementation period: 6 – 9 months
As an extension of ISO 27001, ISO 27701 is specifically designed to build on top of ISO 27001, and its requirements and controls map directly to the ISO 27001 standard. Thus, an organisation without an ISMS can implement both standards in a single engagement, which reduces the cost, time and effort involved compared with implementing them one after the other.
By establishing an integrated system that complies with both ISO 27701 and ISO 27001, organisations can demonstrate robust information security and privacy management that can be assessed via a single integrated audit.
All in all, the implementation of ISO 27701 provides a strong framework for organisations to integrate privacy-specific requirements and put in place an effective system for privacy management.
Other Related Standards
For organisations using the cloud
ISO 27018
The code of practice for the protection of PII in public clouds acting as PII Processors
ISO 27017
The code of practice for information security controls based on ISO 27002 for cloud services
As an extension to ISO 27002, ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. With specific guidance on securing cloud environments, it is beneficial for organisations that are cloud service providers or cloud service customers to adopt it alongside ISO 27018.
Note: ISO 27017 is not a standalone certification and is only available as an add-on to an ISO 27001 certification, like ISO 27701 (PIMS).
Expeditious implementation period
Cybersecurity Trained ISO Experts
Ng Wee Hao, COO of Hydra X
Joanne Koh, Operations Director at STACS
Privasec supported our entire journey to achieve ISO 27001 certification, with their team demonstrating deep industry experience and providing constant guidance, ensuring our company not only complies with the standards, but has plans to continually improve.
Aaron Seabrook, COO of Contour
They have efficiently performed an analysis of these gaps and proposed effective governance processes and solutions to suitably and practically meet the challenges of these vulnerabilities.
Chief Legal and Compliance Officer, DigiFinex
The Journey Towards Cyber Security Maturity
We could not have done it without your guidance. Thank you for helping us through it all!
The Canva Team
Want to Become ISO 27701 Certified?
Get on your way to obtaining the ISO/IEC 27701 certification today.