ISO 27701

A Data Privacy Extension of ISO 27001 and ISO 27002

ISO 27701 is an extension of ISO 27001 and ISO 27002, which specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

Key concepts

Personal Identifiable Information (PII)

The data that can be used to specifically identify a person, eg: Name, Social Security Number, Credit Card) and other information linked to an individual (eg: Financial or Medical Records).

PII Principal

This refers to the person whom the Personal Identifiable Information relates to.

PII Controller

Collects the personal data for which they determine the purpose and means of the processing of personal data.

PII Processor

Engage in the processing of personal data on behalf of a PII Controller. This includes suppliers to PII Controllers

An example of the relationship:

PII Principal buys something online,
PII Controller collects the personal details (eg: Credit Card Details and Address etc) during the check out.
PII Processor processes the data to arrange the delivery of the goods

*Processing refers to any operations (or set) performed on personal data, such as but not limited to the collection, structuring, storage, use or disclosure.

Who needs ISO 27701(PIMS)?

Applicable to all organisations (PII Controllers and PII Processors), ISO 27701 PIMS (Privacy Information Management System) is beneficial to any business dealing with PIIs that are responsible and accountable for the PII Processing.

Benefits of ISO 27701

Extensive Framework For Privacy Information Management

An internationally recognised framework for PII Controllers and PII Processors to manage Data Privacy

Establish Digital Trust For Clients' Data

Robust policies, processes and procedures embedded within organisation to protect personal information

Support Compliance With Privacy Legislation Like GDPR

An effective management systems to support compliance with GDPR and other related privacy legislation

An Integrated system for Information Security & Privacy Management

A data privacy extension to ISO 27001, where privacy related controls are added to an already implemented ISMS to address privacy requirements

Implementation of ISO 27701 (PIMS)

ISO 27701 details the requirements and provides guidance for the establishment, implementation, maintenance and improvement of a Privacy Information Management System (PIMS).

Note: ISO 27701 is only available as an add-on to an ISO 27001 certification and cannot be obtained as a standalone certification.

The Design Of PIMS

Tailored to the organisation’s business and needs for privacy management, the design of the PIMS would include consideration of applicable privacy legislation. The PIMS provides organisations with a robust management system to support compliance with other data privacy legislation like EU GDPR. For local standards/ regulations like Singapore DPTM or PDPA, the local requirements can be mapped to the PIMS requirements and managed accordingly.

As an privacy extension to ISMS, the design of PIMS would include privacy-specific objectives, processes and controls for to manage PIIs. This include but not limited to :

Strengthen oversight and enforce accountability for the handling of PIIs;
Identify risks that relates to data processing and ensure relevant processes are followed through;
Demonstrate compliance and provide transparency to privacy management for the privacy rights of an individual;
Protect data using an integrated system of privacy and information security

Security Is Instrumental For Privacy

As a privacy extension of ISO 27001 and ISO 27002, the PIMS is built on top of an already established Information Security Management System (ISMS). Hence, to implement an ISO 27701 (PIMS), organisation would need to achieve compliance with ISO 27001.

1. For organisations with an existing ISO 27001 Certification

4 – 6 months

While ISO 27001 is a framework for ISMS and ISO 27701 is a framework for PIMS, there is significant overlap in security and technical requirements between both standards. Organisations with an existing ISMS can modify and integrate the additional privacy-specific requirements and controls set out in ISO 27701 to establish a PIMS for privacy management.

Catered to PII Controllers and PII Processors, in ISO 27701, there are different clauses that relates specifically to the designs of the system, for PII processing. Thus, organisation can first conduct an assessment to better scope and identify the maturity and needs of the business with regards to Privacy Management.

Upon the integration of the privacy-specific requirements within the ISMS, an integrated audit can be conducted.

2. For organisations Implementing both ISO 27001 And ISO 27701 Together As A Single Engagement

6 – 9 months

As an extension of ISO 27001, the ISO 27701 is specifically designed to built on top of ISO 27001, where requirements and controls can be mapped directly to the ISO 27001 standards. Thus, organisation without an ISMS can implement both standards in a single engagement, which would effectively reduce costs and overall time and effort involved as compared to implementing in a series.

By establishing an integrated system that complies with both ISO 27701 and ISO 27001, it allows organisations to demonstrate robust information security and privacy management that can be assessed via an integrated audit.

All in all, the implementation of ISO 27701, provides a great framework for organisations to integrate privacy specific requirements and put in place an effective system for privacy management.

Other Related Standards

For organisation with cloud

ISO 27018

The code of practice for the protection of PII in public Clouds acting as a PII Processors

With ISO 27701 providing the framework for Privacy Information Management System (PIMS), it outlines the controls and processes to manage data privacy and protect PII. On the other hand, ISO 27018 outlines the specific guidelines for implementing protections for Personal Identifiable Information in the cloud and sets out controls to protect PII in public cloud computing environments. Thus, for organisations with PII within the cloud environment, it is advisable to go for both ISO 27701 and ISO 27018. This allows organisation to establish an integrated system with a robust set of controls for privacy management and to safeguard PII. Furthermore, with significant overlaps between the two standards, organisations can also effectively reduce costs and efforts as compared to implementation in a series. Note: ISO 27018 is not a standalone certification, and is only available as an add-on to ISO 27001 Certification like ISO 27701 (PIMS).

ISO 27017

The code of practice for Information Security Controls based on ISO 27002 for cloud services

As an extension to ISO 27002, the ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. With specific guidance on securing the Cloud Environments, it is beneficial for organisations who are Cloud services providers and cloud service customers to adopt this along with ISO 27018.

Note: ISO 27017 is not a standalone certification, and is only available as an add-on to ISO 27001 Certification like ISO 27701 (PIMS).

Navigating the Challenges of ISO 27701 Compliance

Achieving compliance with ISO 27701, the international standard for privacy information management systems (PIMS), poses several challenges for organisations. Here are some common ones:

1. Complexity of Regulations:

ISO 27701 is designed to align with various privacy regulations. Navigating and interpreting these complex regulatory requirements can be daunting, especially for organisations operating in multiple jurisdictions with differing privacy laws.

2. Data Mapping and Inventory:

One of the fundamental requirements of ISO 27701 is conducting thorough data mapping and inventory to understand the flow of personal information within the organisation. This process can be challenging, particularly for large enterprises with vast amounts of data stored across numerous systems and databases.

3. Risk Assessment:

ISO 27701 mandates that organisations conduct privacy risk assessments to identify and mitigate potential risks to personal information. Assessing privacy risks requires a deep understanding of the organisation’s data processing activities and potential threats, which can be time-consuming and resource-intensive.

4. Privacy by Design and Default:

Implementing privacy by design and default principles, as required by ISO 27701, involves integrating privacy considerations into the design and implementation of systems, processes, and products from the outset. This requires collaboration between privacy, security, and IT teams and may necessitate significant changes to existing practices and workflows.

5. Employee Training and Awareness:

Ensuring that employees understand their roles and responsibilities in protecting personal information is crucial for ISO 27701 compliance. Providing comprehensive training and raising awareness about privacy requirements across the organisation can be challenging, particularly in large or geographically dispersed teams.

6. Vendor Management:

Organisations often rely on third-party vendors for various services involving personal data processing. Ensuring that vendors comply with ISO 27701 requirements and adequately protect personal information presents a challenge, requiring robust vendor management processes and contractual agreements.

7. Continuous Compliance Monitoring:

Achieving ISO 27701 compliance is not a one-time effort but requires ongoing monitoring and maintenance of privacy management systems. Establishing mechanisms for continuous compliance monitoring and regular audits can be resource-intensive and require dedicated personnel and tools.

Understanding the Contrasts: ISO 27701 vs ISO 27001

When it comes to information security and privacy management, organisations often turn to internationally recognised standards like ISO 27701 and ISO 27001. While both standards aim to enhance data protection and mitigate risks, they serve distinct purposes and address different aspects of information security and privacy management. The main differences between ISO 27701 and ISO 27001 lie in their focus and scope:

1. Focus

ISO 27701: This standard specifically addresses privacy information management systems (PIMS). It provides guidelines for organisations to establish, implement, maintain, and continually improve a framework for managing personal data privacy, aligned with relevant privacy regulations.
ISO 27001: In contrast, ISO 27001 focuses on information security management systems (ISMS). It outlines requirements for establishing, implementing, maintaining, and continually improving an organisation’s information security management system to ensure the confidentiality, integrity, and availability of information assets.

2. Scope

ISO 27701: ISO 27701 builds upon the requirements of ISO 27001 and extends its scope to include privacy-specific considerations. It addresses the protection of personal data throughout its lifecycle, including collection, processing, storage, and disposal, in compliance with applicable privacy laws and regulations.
ISO 27001: While ISO 27001 encompasses a broader scope of information security, it does not specifically address privacy management requirements in depth. It focuses on establishing controls and measures to manage information security risks across all types of information assets, without a specific emphasis on personal data protection.

Why Privasec

Expeditious implementation period

With Privasec, an organisation without any ISO certification can implement both the PIMS and ISMS, taking around only 6 – 9 months.

Cybersecurity Trained ISO Experts

Our experts are cybersecurity trained and we prioritise your organisation’s cybersecurity when assessing and mitigating risks in your Management System.

Our Credentials

FAQs about ISO 27701

1. Who can benefit from implementing ISO 27701?

Any organisation that processes personal data, regardless of size, industry, or geographic location, can benefit from implementing ISO 27701. This includes businesses, government agencies, non-profit organisations, and service providers that handle personal information and seek to enhance their privacy management practices.

2. Is certification to ISO 27701 mandatory?

Certification to ISO 27701 is not mandatory, but it can be beneficial for organisations seeking to demonstrate their commitment to privacy protection and compliance with privacy regulations. ISO 27701 certification is typically achieved through an independent audit conducted by accredited certification bodies.

3. How can organisations get started with implementing ISO 27701?

Organizations can begin implementing ISO 27701 by:

Familiarising themselves with the standard’s requirements and guidance
Conducting a gap analysis to assess current privacy management practices
Developing a roadmap and implementation plan tailored to their specific needs and objectives
Engaging key stakeholders and allocating resources for implementation
Seeking assistance from consultants or experts with experience in privacy management and ISO standards compliance.

4. How does ISO 27701 relate to ISO 27001?

ISO 27701 is an extension of ISO 27001, the international standard for Information Security Management Systems (ISMS). While ISO 27001 focuses on information security, ISO 27701 specifically addresses privacy management within the broader framework of an ISMS. Organisations can integrate ISO 27701 requirements into their existing ISO 27001 ISMS or implement it as a standalone standard.

Our work

Hydra X ISO 27001, ISO 27017, ISO 27018 CERTIFICATION WITH PRIVASEC

As a fintech startup working with institutional clients, many of which are regulated entities, we are committed to being a responsible partner with strong risk management capabilities. The certifications reiterate this commitment and recognise our efforts in developing a strong internal controls framework that is aligned to international standards..

Ng Wee Hao, COO of Hydra X

Our Case Study

STACS ISO 27001 CERTIFICATION
WITH PRIVASEC
STACS is happy to partner with Privasec to ensure that the required security protocols are in place and maintained moving forward, to guarantee the immutability and security of our platforms for financial institutions and corporates.

Joanne Koh, Operations Director at STACS
Our Case Study

CONTOUR ISO 27001 CERTIFICATION
WITH PRIVASEC
As the leading digital trade finance network, complying with the highest standards of information security management is imperative for our corporate and banking clients.
Privasec supported our entire journey to achieve ISO 27001 certification, with their team demonstrating deep industry experience and providing constant guidance, ensuring our company not only complies with the standards, but has plans to continually improve.

Aaron Seabrook, COO of Contour
Our Case Study

DigiFinex MAS TRM GAP ASSESSMENT
WITH PRIVASEC
Privasec has extensive experience in cybersecurity. Coupled with their ability to conduct efficient fieldwork on our business processes, they have demonstrated remarkable acumen to learn, understand and identify the various vulnerabilities in our business.
They have efficiently performed an analysis of these gaps and proposed effective governance processes and solutions to suitably and practically meet the challenges of these vulnerabilities

Jonathan Cheong,
Chief Legal and Compliance Officer, DigiFinex
Our Case Study

Canva ISO 27001 Certification with Privasec:
The Journey Towards Cyber Security Maturity Journey
We needed someone who would take into account the state of Canva as it was before we start this project. Not only the state of our security and risk management maturity at the time, but also very importantly, the culture of the organisation. Privasec was very good at this. They had a high level of expertise, are very communicative and we had incredible engagement.

We could not have done it without your guidance. Thank you for helping us through it all!

The Canva Team
Our Case Study

Previous slide

Next slide

Latest News:

The new ISO 27001:2022 to address modern cybersecurity challenges.

December 20, 2022
Read More »

Related Posts:

Featured Case Study: Hydra X ISO 27001, ISO 27017 and ISO 27018 Certification with Privasec

March 27, 2023
Read More »

Meet Your Compliance Needs with ISO 27001 Certification

November 30, 2022
Read More »

Want to Become ISO 27701 Certified?

Get on your way to obtain the IEC 27701 certification today.

Quick Quote

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.