New international standard on privacy management: ISO/IEC 27701

Helping companies meet requirements and manage risks.

The world is becoming increasingly connected, and with it the demand for protection of privacy grows. Under new privacy regulations, such as the European Union General Data Protection Regulation (GDPR), companies are required to meet regulatory requirements and manage privacy risks related to personally identifiable information (PII). The right competence, processes and systems help meet those requirements and manage the associated risks. In the ViewPoint survey, companies certified to standards such as ISO/IEC 27001 (Information Security) reported that they felt they had better control. ISO/IEC 27001 contains the requirements for an information security management system (ISMS), while ISO/IEC 27701 provides the requirements for a Privacy Information Management System (PIMS). A PIMS allows organizations to continually improve, and to demonstrate accountability for, their processing of personal data.

Privacy management standards

ISO has published several information security, cyber-security and privacy standards. The most widely applied is the certifiable information security standard ISO/IEC 27001. In August 2019, the privacy management standard ISO/IEC 27701 (previously known during drafting as ISO/IEC 27552) was released. The most prominent additional privacy-related standards are:

  • ISO/IEC 27018 “Code of practice for PII protection in public clouds acting as PII processors” (can be used as an extension of ISO/IEC 27001)
  • ISO/IEC 29100 “Privacy framework”
  • ISO/IEC 29134 “Guidelines for privacy impact assessment”
Other existing standards give guidance on topics such as anonymization or de-identification and privacy notices. Certain standards cover privacy in specific sectors (e.g. smart cities) or applications (e.g. biometrics).

Certification and privacy management legislation

ISO/IEC 27701 is an extension of ISO/IEC 27001; the two standards must be implemented together. ISO/IEC 27701 is certifiable, but only in combination with ISO/IEC 27001. ISO/IEC 27701 can be used to help meet GDPR requirements and to demonstrate compliance and accountability: an annex of the standard (Annex D) cross-references its clauses to the articles of GDPR. However, the standard is not GDPR-specific. Because it is written to cover privacy legislation worldwide, it is also useful to companies outside Europe and to those operating internationally. Currently, ISO/IEC 27701 does not address the certification mechanism provided for in GDPR (Article 42), but study groups, including representatives of data protection authorities (DPAs), are working on schemes for so-called GDPR certification. ISO/IEC 27701 is a possible candidate.

ISO/IEC 27701 standard details 

ISO/IEC 27701 adds management system requirements for the processing of PII. The standard complements the following parts of ISO/IEC 27001:

  • the main body of the standard: the analysis of the organization's context is extended to consider its role as PII controller and/or PII processor; PII principals (data subjects) are added among the interested parties; and additional privacy-related controls are included in the Statement of Applicability (SoA);
  • the controls in ISO/IEC 27001’s Annex A. 

The additional controls complementing the information security standard are listed in ISO/IEC 27701's Annex A for PII controllers and Annex B for PII processors.

Additional controls for PII controllers include, for example, the Data Protection Impact Assessment (DPIA), contracts with processors, retention periods, and several others.

Additional controls for PII processors include, for example, records of processing activities, management of data subject rights requests, and the ending of processing, among others.

ISO/IEC 27701 also extends the ISO/IEC 27002 guidelines. For each additional control, implementation guidance is provided, and for some of the existing controls in ISO/IEC 27002, additional privacy-focused implementation guidance is given.

Why is ISO/IEC 27701 good for my business? 

There are several benefits to a privacy information management system (PIMS):

  • Builds trust in your company’s ability to manage personal information, both for customers and employees. 
  • Supports compliance with GDPR and other applicable privacy regulations.
  • Clarifies the roles and responsibilities within your organization.
  • Improves internal competence and processes to avoid breaches.
  • Provides transparency on established controls for the management of privacy.
  • Facilitates agreements with business partners where the processing of PII is mutually relevant. 
  • Integrates easily with the leading information security standard ISO/IEC 27001. 
Customers, consumers and other stakeholders alike increasingly expect trust and accountability in the handling of personal information. Businesses must respond, and the risk is broader than regulatory compliance. Companies must have the right competence, processes and systems in place, and ISO/IEC 27701 can be a good place to start that journey.