ISO 27701

A Data Privacy Extension of ISO 27001 and ISO 27002

ISO 27701 is an extension of ISO 27001 and ISO 27002, which specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Key concepts

Personal Identifiable Information (PII)

Data that can be used to identify a specific person (eg: name, Social Security Number, credit card number) and other information linked to an individual (eg: financial or medical records).

PII Principal

The person to whom the Personal Identifiable Information relates.

PII Controller

Collects personal data and determines the purpose and means of its processing.

PII Processor

Processes personal data on behalf of a PII Controller. This includes suppliers to PII Controllers.

An example of the relationship:

  • PII Principal buys something online;
  • PII Controller collects the personal details (eg: credit card details, delivery address) during checkout;
  • PII Processor processes the data to arrange the delivery of the goods.

*Processing refers to any operation (or set of operations) performed on personal data, such as, but not limited to, collection, structuring, storage, use or disclosure.

Who needs ISO 27701 (PIMS)?

Applicable to all organisations (PII Controllers and PII Processors), an ISO 27701 PIMS (Privacy Information Management System) benefits any business that handles PII and is responsible and accountable for its processing.

Benefits of ISO 27701

Extensive Framework For Privacy Information Management

An internationally recognised framework for PII Controllers and PII Processors to manage Data Privacy

Establish Digital Trust For Clients' Data

Robust policies, processes and procedures embedded within organisation to protect personal information

Support Compliance With Privacy Legislation Like GDPR

An effective management system to support compliance with GDPR and other related privacy legislation

An Integrated System For Information Security & Privacy Management

A data privacy extension to ISO 27001, where privacy related controls are added to an already implemented ISMS to address privacy requirements

Implementation of ISO 27701 (PIMS)

ISO 27701 details the requirements and provides guidance for the establishment, implementation, maintenance and improvement of a Privacy Information Management System (PIMS).

Note: ISO 27701 is only available as an add-on to an ISO 27001 certification and cannot be obtained as a standalone certification.

The Design Of PIMS

Tailored to the organisation's business and its needs for privacy management, the design of the PIMS includes consideration of applicable privacy legislation. The PIMS provides organisations with a robust management system to support compliance with data privacy legislation such as the EU GDPR. For local standards and regulations such as Singapore's DPTM or PDPA, the local requirements can be mapped to the PIMS requirements and managed accordingly.

As a privacy extension to the ISMS, the design of the PIMS includes privacy-specific objectives, processes and controls to manage PII. These include, but are not limited to:

  • Strengthening oversight and enforcing accountability for the handling of PII;
  • Identifying risks that relate to data processing and ensuring the relevant processes are followed through;
  • Demonstrating compliance and providing transparency in privacy management for the privacy rights of an individual;
  • Protecting data using an integrated system of privacy and information security.

Security Is Instrumental For Privacy

As a privacy extension of ISO 27001 and ISO 27002, the PIMS is built on top of an already established Information Security Management System (ISMS). Hence, to implement an ISO 27701 PIMS, an organisation needs to achieve compliance with ISO 27001.

1. For Organisations With An Existing ISO 27001 Certification

4 – 6 months

While ISO 27001 is a framework for an ISMS and ISO 27701 is a framework for a PIMS, there is significant overlap in security and technical requirements between the two standards. Organisations with an existing ISMS can integrate the additional privacy-specific requirements and controls set out in ISO 27701 to establish a PIMS for privacy management.

ISO 27701 contains separate clauses for PII Controllers and PII Processors that relate specifically to the design of the system for PII processing. Organisations can therefore first conduct an assessment to scope the work and identify the maturity and needs of the business with regard to privacy management.

Once the privacy-specific requirements have been integrated into the ISMS, an integrated audit can be conducted.

2. For Organisations Implementing Both ISO 27001 And ISO 27701 Together As A Single Engagement

6 – 9  months

As an extension of ISO 27001, ISO 27701 is specifically designed to be built on top of ISO 27001, and its requirements and controls map directly to the ISO 27001 standard. Organisations without an ISMS can therefore implement both standards in a single engagement, which reduces cost and the overall time and effort involved compared with implementing them in sequence.

Establishing an integrated system that complies with both ISO 27701 and ISO 27001 allows organisations to demonstrate robust information security and privacy management that can be assessed in an integrated audit.

All in all, implementing ISO 27701 gives organisations a strong framework for integrating privacy-specific requirements and putting in place an effective system for privacy management.

Other Related Standards

For organisations using the cloud

ISO 27018

The code of practice for the protection of PII in public clouds acting as PII Processors

ISO 27701 provides the framework for a Privacy Information Management System (PIMS), outlining the controls and processes to manage data privacy and protect PII. ISO 27018, on the other hand, sets out specific guidelines for implementing protections for Personal Identifiable Information in the cloud and the controls needed to protect PII in public cloud computing environments. For organisations holding PII in a cloud environment, it is therefore advisable to pursue both ISO 27701 and ISO 27018. This allows the organisation to establish an integrated system with a robust set of controls for privacy management and safeguarding PII. Furthermore, given the significant overlap between the two standards, organisations can reduce cost and effort compared with implementing them in sequence.

Note: ISO 27018 is not a standalone certification; like ISO 27701 (PIMS), it is only available as an add-on to an ISO 27001 certification.

ISO 27017

The code of practice for information security controls based on ISO 27002 for cloud services

As an extension to ISO 27002, ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. With its specific guidance on securing cloud environments, it is beneficial for organisations that are cloud service providers or cloud service customers to adopt it alongside ISO 27018.

Note: ISO 27017 is not a standalone certification; like ISO 27701 (PIMS), it is only available as an add-on to an ISO 27001 certification.

Why Privasec

Expeditious implementation period

With Privasec, an organisation without any ISO certification can implement both the PIMS and the ISMS in only around 6 – 9 months.

Cybersecurity Trained ISO Experts

Our experts are cybersecurity trained, and we prioritise your organisation's cybersecurity when assessing and mitigating risks in your management system.


Want to Become ISO 27701 Certified?

Get on your way to obtaining ISO 27701 certification today.
