ISO 27701

A Data Privacy Extension of ISO 27001 and ISO 27002

ISO 27701 is an extension of ISO 27001 and ISO 27002, which specifies the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).


Key concepts

Personal Identifiable Information (PII)

Data that can be used to identify a specific person (eg: name, Social Security Number, credit card number) and other information linked to an individual (eg: financial or medical records).

PII Principal

The person to whom the Personal Identifiable Information relates.

PII Controller

The party that collects personal data and determines the purpose and means of its processing.

PII Processor

A party that processes personal data on behalf of a PII Controller. This includes suppliers to PII Controllers.

An example of the relationship:

  • The PII Principal buys something online;
  • The PII Controller collects the personal details (eg: credit card details and address) during checkout;
  • The PII Processor processes the data to arrange delivery of the goods.

*Processing refers to any operation (or set of operations) performed on personal data, such as, but not limited to, collection, structuring, storage, use or disclosure.

Who needs ISO 27701 (PIMS)?

Applicable to all organisations (PII Controllers and PII Processors), the ISO 27701 PIMS (Privacy Information Management System) is beneficial to any business that handles PII and is responsible and accountable for its processing.

Benefits of ISO 27701

Extensive Framework For Privacy Information Management

An internationally recognised framework for PII Controllers and PII Processors to manage Data Privacy

Establish Digital Trust For Clients' Data

Robust policies, processes and procedures embedded within organisation to protect personal information

Support Compliance With Privacy Legislation Like GDPR

An effective management system to support compliance with GDPR and other related privacy legislation

An Integrated system for Information Security & Privacy Management

A data privacy extension to ISO 27001, where privacy related controls are added to an already implemented ISMS to address privacy requirements

Implementation of ISO 27701 (PIMS)

ISO 27701 details the requirements and provides guidance for the establishment, implementation, maintenance and improvement of a Privacy Information Management System (PIMS).

Note: ISO 27701 is only available as an add-on to an ISO 27001 certification and cannot be obtained as a standalone certification.

The Design Of PIMS

Tailored to the organisation's business and its needs for privacy management, the design of the PIMS includes consideration of applicable privacy legislation. The PIMS provides organisations with a robust management system to support compliance with data privacy legislation such as the EU GDPR. For local standards and regulations such as Singapore's DPTM or PDPA, the local requirements can be mapped to the PIMS requirements and managed accordingly.

As a privacy extension to the ISMS, the design of the PIMS includes privacy-specific objectives, processes and controls to manage PII. These include, but are not limited to:

  • Strengthening oversight and enforcing accountability for the handling of PII;
  • Identifying risks that relate to data processing and ensuring the relevant processes are followed through;
  • Demonstrating compliance and providing transparency in privacy management in support of the privacy rights of the individual;
  • Protecting data using an integrated system of privacy and information security.

Security Is Instrumental For Privacy

As a privacy extension of ISO 27001 and ISO 27002, ISO 27701 is built on top of an already established Information Security Management System (ISMS). Hence, to implement an ISO 27701 PIMS, an organisation would first need to achieve compliance with ISO 27001.

1. For organisations with an existing ISO 27001 Certification

4 – 6 months

While ISO 27001 is a framework for ISMS and ISO 27701 is a framework for PIMS, there is significant overlap in security and technical requirements between both standards. Organisations with an existing ISMS can modify and integrate the additional privacy-specific requirements and controls set out in ISO 27701 to establish a PIMS for privacy management.

ISO 27701 caters to both PII Controllers and PII Processors, and contains separate clauses that relate specifically to the design of the system for each role in PII processing. Thus, an organisation can first conduct an assessment to scope the work and identify the maturity and needs of the business with regard to privacy management.

Upon the integration of the privacy-specific requirements within the ISMS, an integrated audit can be conducted.

2. For organisations implementing both ISO 27001 and ISO 27701 together as a single engagement

6 – 9 months

As an extension of ISO 27001, ISO 27701 is specifically designed to be built on top of ISO 27001, and its requirements and controls map directly to the ISO 27001 standard. Thus, an organisation without an ISMS can implement both standards in a single engagement, which reduces the cost, time and effort involved compared with implementing them in series. By establishing an integrated system that complies with both ISO 27701 and ISO 27001, organisations can demonstrate robust information security and privacy management that can be assessed via an integrated audit. All in all, the implementation of ISO 27701 provides a strong framework for organisations to integrate privacy-specific requirements and put in place an effective system for privacy management.

Other Related Standards

For organisations using the cloud

ISO 27018

The code of practice for the protection of PII in public clouds acting as PII Processors

ISO 27701 provides the framework for a Privacy Information Management System (PIMS), outlining the controls and processes to manage data privacy and protect PII. ISO 27018, on the other hand, provides specific guidelines for implementing protections for Personal Identifiable Information in the cloud and sets out controls to protect PII in public cloud computing environments.

Thus, for organisations holding PII within a cloud environment, it is advisable to pursue both ISO 27701 and ISO 27018. This allows organisations to establish an integrated system with a robust set of controls for privacy management and to safeguard PII. Furthermore, given the significant overlap between the two standards, organisations can also reduce cost and effort compared with implementing them in series.

Note: ISO 27018 is not a standalone certification and, like ISO 27701 (PIMS), is only available as an add-on to an ISO 27001 certification.

ISO 27017

The code of practice for Information Security Controls based on ISO 27002 for cloud services

As an extension to ISO 27002, ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. With its specific guidance on securing cloud environments, it is beneficial for organisations that are cloud service providers or cloud service customers to adopt it alongside ISO 27018.

Note: ISO 27017 is not a standalone certification and, like ISO 27701 (PIMS), is only available as an add-on to an ISO 27001 certification.

Navigating the Challenges of ISO 27701 Compliance

Achieving compliance with ISO 27701, the international standard for privacy information management systems (PIMS), poses several challenges for organisations. Here are some common ones:

1. Complexity of Regulations:

ISO 27701 is designed to align with various privacy regulations. Navigating and interpreting these complex regulatory requirements can be daunting, especially for organisations operating in multiple jurisdictions with differing privacy laws.

2. Data Mapping and Inventory:

One of the fundamental requirements of ISO 27701 is conducting thorough data mapping and inventory to understand the flow of personal information within the organisation. This process can be challenging, particularly for large enterprises with vast amounts of data stored across numerous systems and databases.

3. Risk Assessment:

ISO 27701 mandates that organisations conduct privacy risk assessments to identify and mitigate potential risks to personal information. Assessing privacy risks requires a deep understanding of the organisation’s data processing activities and potential threats, which can be time-consuming and resource-intensive.

4. Privacy by Design and Default:

Implementing privacy by design and default principles, as required by ISO 27701, involves integrating privacy considerations into the design and implementation of systems, processes, and products from the outset. This requires collaboration between privacy, security, and IT teams and may necessitate significant changes to existing practices and workflows.

5. Employee Training and Awareness:

Ensuring that employees understand their roles and responsibilities in protecting personal information is crucial for ISO 27701 compliance. Providing comprehensive training and raising awareness about privacy requirements across the organisation can be challenging, particularly in large or geographically dispersed teams.

6. Vendor Management:

Organisations often rely on third-party vendors for various services involving personal data processing. Ensuring that vendors comply with ISO 27701 requirements and adequately protect personal information presents a challenge, requiring robust vendor management processes and contractual agreements.

7. Continuous Compliance Monitoring:

Achieving ISO 27701 compliance is not a one-time effort but requires ongoing monitoring and maintenance of privacy management systems. Establishing mechanisms for continuous compliance monitoring and regular audits can be resource-intensive and require dedicated personnel and tools.

Understanding the Contrasts: ISO 27701 vs ISO 27001

When it comes to information security and privacy management, organisations often turn to internationally recognised standards like ISO 27701 and ISO 27001. While both standards aim to enhance data protection and mitigate risks, they serve distinct purposes and address different aspects of information security and privacy management. The main differences between ISO 27701 and ISO 27001 lie in their focus and scope:

1. Focus

  • ISO 27701: This standard specifically addresses privacy information management systems (PIMS). It provides guidelines for organisations to establish, implement, maintain, and continually improve a framework for managing personal data privacy, aligned with relevant privacy regulations.
  • ISO 27001: In contrast, ISO 27001 focuses on information security management systems (ISMS). It outlines requirements for establishing, implementing, maintaining, and continually improving an organisation’s information security management system to ensure the confidentiality, integrity, and availability of information assets.

2. Scope

  • ISO 27701: ISO 27701 builds upon the requirements of ISO 27001 and extends its scope to include privacy-specific considerations. It addresses the protection of personal data throughout its lifecycle, including collection, processing, storage, and disposal, in compliance with applicable privacy laws and regulations.
  • ISO 27001: While ISO 27001 encompasses a broader scope of information security, it does not specifically address privacy management requirements in depth. It focuses on establishing controls and measures to manage information security risks across all types of information assets, without a specific emphasis on personal data protection.

Why Privasec, A Sekuro company

Expeditious implementation period

With Privasec, an organisation without any ISO certification can implement both the PIMS and ISMS, taking around only 6 – 9 months.

Cybersecurity Trained ISO Experts

Our experts are cybersecurity trained and we prioritise your organisation’s cybersecurity when assessing and mitigating risks in your Management System.


FAQs about ISO 27701

Any organisation that processes personal data, regardless of size, industry, or geographic location, can benefit from implementing ISO 27701. This includes businesses, government agencies, non-profit organisations, and service providers that handle personal information and seek to enhance their privacy management practices.

Certification to ISO 27701 is not mandatory, but it can be beneficial for organisations seeking to demonstrate their commitment to privacy protection and compliance with privacy regulations. ISO 27701 certification is typically achieved through an independent audit conducted by accredited certification bodies.

Organizations can begin implementing ISO 27701 by:

  • Familiarising themselves with the standard’s requirements and guidance
  • Conducting a gap analysis to assess current privacy management practices
  • Developing a roadmap and implementation plan tailored to their specific needs and objectives
  • Engaging key stakeholders and allocating resources for implementation
  • Seeking assistance from consultants or experts with experience in privacy management and ISO standards compliance.

ISO 27701 is an extension of ISO 27001, the international standard for Information Security Management Systems (ISMS). While ISO 27001 focuses on information security, ISO 27701 specifically addresses privacy management within the broader framework of an ISMS. Organisations can integrate ISO 27701 requirements into their existing ISO 27001 ISMS or implement it as a standalone standard.


Want to become ISO 27701 certified?

Get on your way to obtaining ISO/IEC 27701 certification today.
