The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are recognized internationally as authorities on management systems and best practice.
ISO/IEC certification has become a gold standard for demonstrating privacy, compliance and security posture, especially for fintechs and healthcare providers. It is a great way to prove your compliance to customers, business partners, and regulators.
ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation, including the Health Insurance Portability and Accountability Act (HIPAA) and the CCPA.
Related standards are ISO 27018 and ISO 29151, which are codes of practice for protecting personally identifiable information (PII). Specifically, ISO 27018 focuses on public clouds acting as PII processors, while ISO 29151 takes a more general approach to protecting sensitive customer data.
These standards set out control objectives, controls, and guidelines to protect PII in accordance with an impact and risk assessment. They offer effective guidance, but are not subject to an externally auditable framework that can offer assurance to third parties. ISO 27701 goes beyond this, setting out management systems and control requirements. ISO 27701 can be imagined as a Privacy Information Management System (PIMS) Guideline.
What is lacking in ISO 27001 for privacy protection?
Although a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 is expected to address privacy issues, the standard itself gives no specific instruction on privacy matters.
This means that certificates of conformity with ISO 27001 are issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (legislation such as the GDPR and CCPA often addresses these as ‘technical and organizational measures’), it goes much further than simply protecting the information – the organization must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.
Global data protection guidelines via ISO 27701
The ISO 27701 controls recognize information security as a key aspect of an effective privacy program. The standard adds a more detailed set of requirements for privacy and for the processing of PII.
ISO 27701 is a global standard that sets a framework building upon information security to give organizations the ability to customize their infosec and compliance program for their specific legal and regulatory environment.
Specific data protection guidelines of ISO 27701
Clauses 5 through 8 are additional requirements and amendments to be applied to ISO 27001 that are specifically important for a data protection program.
Clause 5: data protection
This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organization to recognize its need for data protection within its context, and this context informs all the other requirements.
Another notable addition affects the risk assessment, which will need to take into account the organization’s role in relation to PII – that is, whether it is a controller or a processor, and how that might affect the risks to the PII.
Clause 6: PIMS-specific guidance
This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.
Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography, and secure development.
Clause 7: additional guidance for PII controllers
This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.
Clause 8: additional guidance for PII processors
This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.
Structure of ISO 27701
Certification consideration
ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and therefore will not meet the GDPR’s requirements.
We think ISO 27701 will become a de facto approach to managing data protection and privacy and demonstrating that to others. This will happen even if certification to the Standard is not formally adopted as a certification mechanism under the GDPR. For organizations bound by other data protection laws – or subject to a number of laws with varying requirements – such a certification mechanism is likely to be accepted as a demonstration of efforts to comply.