What is ISO/IEC 27701, and do I need a privacy extension?
September 27th, 2021, by Kaytieduffield
As the digital world transforms before our eyes, so too do the ways companies operate and conduct business. As technology develops, more and more companies are asking about additions to their information security management system (ISMS) that will better protect their customers' data.
With data protection at the forefront for most businesses, ISO/IEC 27001 has attracted a great deal of interest in recent years. Seen as the "gold standard" among security frameworks, ISO/IEC 27001 is an excellent foundation for an ISMS. Lately, however, we have seen clients wanting to go a step further and invest in enhanced privacy by adding a privacy extension through ISO/IEC 27701.
ISO/IEC 27701 was published in 2019 as an extension to ISO/IEC 27001 and ISO/IEC 27002. It lets you extend your existing ISMS into a privacy information management system (PIMS).
Do I need a Privacy Information Management System (PIMS)?
A survey by Acquia discovered that "65% of respondents would cease using a company that was dishonest about how it was using their data".
With so many data breaches and attacks in the news, it is no wonder customers are growing more aware of, and concerned about, how their personal data is used. With mandatory requirements such as the GDPR in force, protecting personally identifiable information (PII) has never been more critical.
Adding a privacy extension is one of the clearest ways to show clients, regulators and other stakeholders that you run a robust privacy programme. Demonstrating compliance with privacy regulations can boost revenue and increase consumer trust.
Why was ISO/IEC 27701 developed?
ISO/IEC 27701 specifies the requirements for a privacy information management system (PIMS) and provides a framework of privacy controls. It is an extension to ISO/IEC 27001, so the PIMS can be implemented alongside your ISO/IEC 27001 implementation or added after you are ISO/IEC 27001 certified.
The primary purposes of ISO/IEC 27701 are to:
- Strengthen your existing information security management system (ISMS) with privacy-related controls through a PIMS
- Reduce the complexity of managing compliance with multiple, overlapping privacy regulations such as the EU's GDPR and California's CCPA
- Build a privacy programme that is internationally recognised
- Assist with GDPR compliance and serve as a foundation for managing privacy efficiently
- Define the required functions and privacy controls for PII controllers and PII processors
The Data Protection Act 2018 and the General Data Protection Regulation require organisations to protect the personal information they process by putting appropriate technical and organisational measures in place. However, neither law provides much detail on what those measures should look like.
The International Organization for Standardization and the International Electrotechnical Commission therefore developed ISO/IEC 27701 to provide that guidance. Holding ISO/IEC 27001 certification with the ISO/IEC 27701 privacy extension demonstrates your commitment to data privacy.
What are the benefits of a privacy extension?
The privacy extension provides requirements and guidance on protecting PII, for both PII controllers and PII processors. The standard applies to organisations of all types and sizes, including public and private companies, government entities and not-for-profit organisations, that process PII within an ISMS.
Benefits of ISO/IEC 27701 include:
- International recognition of your business: an internationally recognised standard helps your business grow and enter new markets, and implementing its framework gives your organisation a mature privacy programme.
- Simpler global privacy compliance: the standard gives you a single, structured set of controls to manage overlapping legal and regulatory requirements, and its annex maps the controls to GDPR articles, helping you demonstrate accountability for the PII you manage and instil confidence in your stakeholders. Note that certification supports, but does not by itself guarantee, legal compliance; that remains a matter of how the controls are actually implemented.
- It helps identify risks: businesses process personal information about individuals, including sensitive information, and that processing carries security risks. The standard sets out precise requirements for what actions to take and how to protect both assets and personal data.
How does ISO/IEC 27701 relate to ISO/IEC 27001?
ISO/IEC 27701 cannot be certified on its own: an ISO/IEC 27001 ISMS is a prerequisite, and the privacy extension is designed specifically to build on it. If ISO/IEC 27001 is the "gold standard" for an information security management system, ISO/IEC 27701 aims to become the go-to standard for a privacy information management system.
The two standards overlap significantly in their requirements, which makes adopting ISO/IEC 27701 a smooth addition to an existing ISO/IEC 27001 ISMS. Talk to one of our local experts to learn how an ISO/IEC 27701 privacy extension could benefit your company.