What is ISO 27701?
ISO/IEC 27701:2019 is a privacy extension to the international information security management standard, ISO/IEC 27001 (ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines).
ISO 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system).
ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of privacy-specific requirements, controls and control objectives.
Why was ISO 27701 developed?
Both the EU GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018 require organisations to take measures to ensure the privacy of any personal data that they process.
However, neither piece of legislation provides much guidance on what those measures should look like.
The ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission) have therefore developed this new standard to provide that guidance.
How do ISO 27001 & ISO 27701 integrate with each other?
ISO 27001 sets out the requirements for an ISMS (information security management system), a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 provides stakeholders with assurance that data is being appropriately secured.
Organisations that have implemented ISO 27001 will be able to use ISO 27701 to extend their security efforts to cover privacy management – including their processing of personal data/PII (personally identifiable information) – which can help them demonstrate that reasonable measures have been taken to comply with data protection laws such as the GDPR.
Organisations without an ISMS can implement ISO 27001 and ISO 27701 together as a single integrated project.