ISO 27701

A Data Privacy Extension of ISO 27001 and ISO 27002

ISO 27701 is an extension of ISO 27001 and ISO 27002, which specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Key concepts

Personal Identifiable Information (PII)

The data that can be used to specifically identify a person, eg: Name, Social Security Number, Credit Card) and other information linked to an individual (eg: Financial or Medical Records).

PII Principal

This refers to the person whom the Personal Identifiable Information relates to.

PII Controller

Collects the personal data for which they determine the purpose and means of the processing of personal data.

PII Processor

Engage in the processing of personal data on behalf of a PII Controller. This includes suppliers to PII Controllers

An example of the relationship:

PII Principal buys something online,
PII Controller collects the personal details (eg: Credit Card Details and Address etc) during the check out.
PII Processor processes the data to arrange the delivery of the goods

*Processing refers to any operations (or set) performed on personal data, such as but not limited to the collection, structuring, storage, use or disclosure.

Who needs ISO 27701(PIMS)?

Applicable to all organisations (PII Controllers and PII Processors), ISO 27701 PIMS (Privacy Information Management System) is beneficial to any business dealing with PIIs that are responsible and accountable for the PII Processing.

Benefits of ISO 27701

Extensive Framework For Privacy Information Management

An internationally recognised framework for PII Controllers and PII Processors to manage Data Privacy

Establish Digital Trust For Clients' Data

Robust policies, processes and procedures embedded within organisation to protect personal information

Support Compliance With Privacy Legislation Like GDPR

An effective management systems to support compliance with GDPR and other related privacy legislation

An Integrated system for Information Security & Privacy Management

A data privacy extension to ISO 27001, where privacy related controls are added to an already implemented ISMS to address privacy requirements

Implementation of ISO 27701 (PIMS)

ISO 27701 details the requirements and provides guidance for the establishment, implementation, maintenance and improvement of a Privacy Information Management System (PIMS).

Note: ISO 27701 is only available as an add-on to an ISO 27001 certification and cannot be obtained as a standalone certification.

The Design Of PIMS

Tailored to the organisation’s business and needs for privacy management, the design of the PIMS would include consideration of applicable privacy legislation. The PIMS provides organisations with a robust management system to support compliance with other data privacy legislation like EU GDPR. For local standards/ regulations like Singapore DPTM or PDPA, the local requirements can be mapped to the PIMS requirements and managed accordingly.

As an privacy extension to ISMS, the design of PIMS would include privacy-specific objectives, processes and controls for to manage PIIs. This include but not limited to :

Strengthen oversight and enforce accountability for the handling of PIIs;
Identify risks that relates to data processing and ensure relevant processes are followed through;
Demonstrate compliance and provide transparency to privacy management for the privacy rights of an individual;
Protect data using an integrated system of privacy and information security

Security Is Instrumental For Privacy

As a privacy extension of ISO 27001 and ISO 27002, the PIMS is built on top of an already established Information Security Management System (ISMS). Hence, to implement an ISO 27701 (PIMS), organisation would need to achieve compliance with ISO 27001.

1. For organisations with an existing ISO 27001 Certification

4 – 6 months

While ISO 27001 is a framework for ISMS and ISO 27701 is a framework for PIMS, there is significant overlap in security and technical requirements between both standards. Organisations with an existing ISMS can modify and integrate the additional privacy-specific requirements and controls set out in ISO 27701 to establish a PIMS for privacy management.

Catered to PII Controllers and PII Processors, in ISO 27701, there are different clauses that relates specifically to the designs of the system, for PII processing. Thus, organisation can first conduct an assessment to better scope and identify the maturity and needs of the business with regards to Privacy Management.

Upon the integration of the privacy-specific requirements within the ISMS, an integrated audit can be conducted.

2. For organisations Implementing both ISO 27001 And ISO 27701 Together As A Single Engagement

6 – 9 months

As an extension of ISO 27001, the ISO 27701 is specifically designed to built on top of ISO 27001, where requirements and controls can be mapped directly to the ISO 27001 standards. Thus, organisation without an ISMS can implement both standards in a single engagement, which would effectively reduce costs and overall time and effort involved as compared to implementing in a series.

By establishing an integrated system that complies with both ISO 27701 and ISO 27001, it allows organisations to demonstrate robust information security and privacy management that can be assessed via an integrated audit.

All in all, the implementation of ISO 27701, provides a great framework for organisations to integrate privacy specific requirements and put in place an effective system for privacy management.

Other Related Standards

For organisation with cloud

ISO 27018

The code of practice for the protection of PII in public Clouds acting as a PII Processors

With ISO 27701 providing the framework for Privacy Information Management System (PIMS), it outlines the controls and processes to manage data privacy and protect PII. On the other hand, ISO 27018 outlines the specific guidelines for implementing protections for Personal Identifiable Information in the cloud and sets out controls to protect PII in public cloud computing environments. Thus, for organisations with PII within the cloud environment, it is advisable to go for both ISO 27701 and ISO 27018. This allows organisation to establish an integrated system with a robust set of controls for privacy management and to safeguard PII. Furthermore, with significant overlaps between the two standards, organisations can also effectively reduce costs and efforts as compared to implementation in a series. Note: ISO 27018 is not a standalone certification, and is only available as an add-on to ISO 27001 Certification like ISO 27701 (PIMS).

ISO 27017

The code of practice for Information Security Controls based on ISO 27002 for cloud services

As an extension to ISO 27002, the ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. With specific guidance on securing the Cloud Environments, it is beneficial for organisations who are Cloud services providers and cloud service customers to adopt this along with ISO 27018.

Note: ISO 27017 is not a standalone certification, and is only available as an add-on to ISO 27001 Certification like ISO 27701 (PIMS).

Why Privasec

Expeditious implementation period

With Privasec, an organisation without any ISO certification can implement both the PIMS and ISMS, taking around only 6 – 9 months.

Cybersecurity Trained ISO Experts

Our experts are cybersecurity trained and we prioritise your organisation’s cybersecurity when assessing and mitigating risks in your Management System.

Our Credentials

Our work

Hydra X ISO 27001, ISO 27017, ISO 27018 CERTIFICATION WITH PRIVASEC

As a fintech startup working with institutional clients, many of which are regulated entities, we are committed to being a responsible partner with strong risk management capabilities. The certifications reiterate this commitment and recognise our efforts in developing a strong internal controls framework that is aligned to international standards..

Ng Wee Hao, COO of Hydra X

Our Case Study

STACS ISO 27001 CERTIFICATION
WITH PRIVASEC
STACS is happy to partner with Privasec to ensure that the required security protocols are in place and maintained moving forward, to guarantee the immutability and security of our platforms for financial institutions and corporates.

Joanne Koh, Operations Director at STACS
Our Case Study

CONTOUR ISO 27001 CERTIFICATION
WITH PRIVASEC
As the leading digital trade finance network, complying with the highest standards of information security management is imperative for our corporate and banking clients.
Privasec supported our entire journey to achieve ISO 27001 certification, with their team demonstrating deep industry experience and providing constant guidance, ensuring our company not only complies with the standards, but has plans to continually improve.

Aaron Seabrook, COO of Contour
Our Case Study

DigiFinex MAS TRM GAP ASSESSMENT
WITH PRIVASEC
Privasec has extensive experience in cybersecurity. Coupled with their ability to conduct efficient fieldwork on our business processes, they have demonstrated remarkable acumen to learn, understand and identify the various vulnerabilities in our business.
They have efficiently performed an analysis of these gaps and proposed effective governance processes and solutions to suitably and practically meet the challenges of these vulnerabilities

Jonathan Cheong,
Chief Legal and Compliance Officer, DigiFinex
Our Case Study

Canva ISO 27001 Certification with Privasec:
The Journey Towards Cyber Security Maturity Journey
We needed someone who would take into account the state of Canva as it was before we start this project. Not only the state of our security and risk management maturity at the time, but also very importantly, the culture of the organisation. Privasec was very good at this. They had a high level of expertise, are very communicative and we had incredible engagement.

We could not have done it without your guidance. Thank you for helping us through it all!

The Canva Team
Our Case Study

Previous slide

Next slide

Latest News:

The new ISO 27001:2022 to address modern cybersecurity challenges.

December 20, 2022
Read More »

Related Posts:

Featured Case Study: Hydra X ISO 27001, ISO 27017 and ISO 27018 Certification with Privasec

March 27, 2023
Read More »

Meet Your Compliance Needs with ISO 27001 Certification

November 30, 2022
Read More »

Want to Become ISO 27701 Certified?

Get on your way to obtain the IEC 27701 certification today.

Quick Quote

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

ISO 27701

A Data Privacy Extension of ISO 27001 and ISO 27002