Polymer

Download free DLP for AI whitepaper

Summary

  • The major difference between ISO 27001 and ISO 27701 is the emphasis on privacy. 
  • Think of ISO 27701 as the standard for the development and management of a privacy information management system (PIMS), rather than an information security management system (ISMS) as in ISO 27001. 
  • ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation like HIPAA and CCPA. 
  • ISO 27701 provides a framework for organizations to customize their compliance programs to meet specific legal and regulatory requirements. 

 

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are recognized internationally as authorities on management systems and best practice. 

ISO/IEC has become a gold standard to satisfy privacy, compliance and security posture especially as it relates to fintechs and healthcare providers. It is a great way to prove your compliance to customers, business partners, and regulators.

ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation, including the Health Information Portability and Accountability Act (HIPAA) and the CCPA.

Related standards to 27701 are ISO 27018 and ISO 29151 that are codes of practice for protecting personally identifiable information (PII). Specifically ISO 27018 is focused on public Clouds acting as data processors, while ISO 29151 takes a more general approach to protecting sensitive customer data. 

These standards set out control objectives, controls, and guidelines to protect PII in accordance with an impact and risk assessment. They offer effective guidance, but are not subject to an externally auditable framework that can offer assurance to third parties. ISO 27701 goes beyond this, setting out management systems and control requirements. ISO 27701 can be imagined as a Privacy Information Management System (PIMS) Guideline.

What is lacking in ISO 27001 for privacy protection?

Although a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 addresses privacy issues, this requirement is not instructive for privacy matters.

This means that certificates of conformity with ISO 27001 are issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (legislation such as the GDPR and CCPA often addresses these as ‘technical and organizational measures’), it goes much further than simply protecting the information – the organization must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.

Global data protection guidelines via ISO 27701

The ISO 27701 controls recognize information security as a key aspect of an effective privacy program. This set of regulations adds a more detailed set of requirements for privacy and processing of PII data.

ISO 27701 is a global standard that sets a framework building upon information security to give organizations the ability to customize their infosec and compliance program for their specific legal and regulatory environment. 

Specific data protection guidelines of ISO 27701

Clauses 5 through 8 are additional requirements and amendments to be applied to ISO 27001 that are specifically important for a data protection program.

Clause 5: data protection

This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organization to recognize its need for data protection within its context, and this context informs all the other requirements.

Another notable addition affects the risk assessment, which will need to take into account the organization’s role in relation to PII – that is, whether it is a controller or a processor, and how that might affect the risks to the PII.

Clause 6: PIMS-specific guidance

This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.

Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography, and secure development.

Clause 7: additional guidance for PII controllers

This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Clause 8: additional guidance for PII processors

This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Structure of ISO 27701

Certification consideration

ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and therefore not meet the GDPR’s requirements

We think ISO 27701 will become a defacto approach to managing data protection and privacy and demonstrating that to others. This will happen even if certification to the Standard is not formally adopted as a certification mechanism under the GDPR. For organizations bound by other data protection laws – or subject to a number of laws with varying requirements – such a certification mechanism is likely to be accepted as a demonstration of efforts to comply.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.

SHARE

Get Polymer blog posts delivered to your inbox.