ISO 27701 Privacy Information Management: an introduction

Published on Tuesday, August 20, 2019 - 16:07 by Cameron Troake

ISO 27001, the international standard for information security, has been joined by a companion standard, ISO 27701. This article is an introduction to ISO 27701 which includes the benefits of getting certified and how to get started with this new international standard for privacy management.

An introduction to ISO 27701

The GDPR/DPA 2018 narrative has shifted considerably over the past 12 months.

Prior to its implementation, the focus was very much centered around the eye-watering fines for non-compliance, which sent many organisations panicking, and in some cases scrambling, to demonstrate compliance by the 25th May 2018.

Whilst organisations have since been penalised for GDPR non-compliance, the focus is now on the need for organisations to continuously and actively demonstrate compliance with the regulation.

GDPR’s ‘accountability’ principle requires organisations to have the appropriate measures and records in place in order to demonstrate compliance. This means an organisation must be able to increasingly prove how and why it has set up processes, procedures and policies to comply with the law.

One of the key ways of achieving this is through a certification – which is why one of the most famous international standards has just received a companion standard. 

ISO 27701 is the new international standard for privacy. In the same way that ISO 27001 is considered to be the “gold standard” for information security management, ISO 27701 is set to become the “gold standard” for privacy management.

It aligns with GDPR but also allows organisations to use the standard to encompass other privacy laws, regulations and requirements. This makes it an excellent choice for organisations of all sizes looking to demonstrate their compliance with GDPR.

The importance of ISO 27701

Currently, there is no “official” GDPR certification or seal. ISO 27701 is the closest an organisation can get to attest to it's accountability with the regulation.

This will set the standard for data protection practices and help organisations demonstrate that they have the appropriate control environment in the form of a Privacy Information Management System (PIMS) which integrates with the Information Security Management System (ISMS).

It is applicable to all industries and to organisations of every size, and covers the processing of personal information for all data subjects.

ISO 27701 demonstrates that an organisation has put the appropriate measures in place to protect and manage personal data in way that is fundamentally aligned with what the GDPR mandates.

It provides a recognised certification scheme that offers assurance to both commercial partners and data subjects that personal information is being handled compliantly.

It will also certify compliance in an organisation’s processes and controls which it uses to assess and mitigate risk when transferring personal data between organisations in its supply chain.

This verifies that an organisation will adequately protect personal information and provides assurance between commercial partners, which will improve trading practices.

In the future, it is likely that procurement teams will begin to look to ISO 27701 as a means of selecting suppliers that can demonstrate compliance with what the standard requires.

The benefits of ISO 27701

As an internationally recognised and applicable standard, ISO 27701 is designed to work across all legal jurisdictions and with all applicable legislation.

This gives a level of trust to clients and users well beyond local standards.

Certification with ISO 27701 will:

  • Reduce workloads by removing an organisation’s need to demonstrate compliance with multiple certifications.
  • Generate more trust between an organisation and its interested parties through a global recognition that it complies with privacy laws.
  • Provide Data Protection Officers with the evidence they need to share with senior management and board members to prove that the applicable privacy requirements are being met.
  • Depending on the outcomes of Brexit and an organisation’s Statement of Applicability, this certification could grow opportunities for organisations through the EU Digital Single Market and cross-border data flows.
  • Provide transparency and enable organisations to collaborate more effectively.
  • Reduce complications through integrating the certification with the leading information security standard ISO 27001.
  • Enhance the current ISMS with privacy-specific controls that creates a PIMS which ensures effective privacy management within an organisation.

One of the key factors in developing the ISO 27701 was ensuring it was created through a recognised consensus-driven processes. A whole range of industry and regulatory leaders have provided input and guidance, including the European Data Protection Board and Data Protection Authorities from every EU country.

These Data Protection Authorities are satisfied that the new ISO 27701 sufficiently demonstrates compliance with privacy laws for organisations of all sizes and from all sectors.

The certification also addresses the requirements of both controllers and processors, both of which have numerous controls defined in ISO 27701.

Getting ISO 27701 certified

Organisations that have already been certified to ISO 27001 will be able to extend this into ISO 27701.

If your organisation does not currently have a suitable ISO 27001 certification it will be possible (and undoubtedly optimal) to work towards both ISO 27001 and ISO 27701 simultaneously.

An organisation’s ISO 27001 certification will need to be updated so that the existing ISMS includes the additional privacy requirements that can implement and maintain a PIMS.

Organisations that were well prepared for the GDPR will have already completed quite a lot of the initial legwork required for ISO 27701.

One of the key amendments will be to update an organisation’s scope of applicability, and potentially reset the boundaries they are required to be compliant within. This will include identifying other interested parties as well as implementing the necessary controls.

Our 4-step auditing process for ISO 27701

STAGE 1: A typical audit will start by conducting a gap analysis which highlights everything your organisation will need to either change or update in order to achieve certification success.

STAGE 2: From this, we can generate a straightforward action plan that details every step of what needs to happen in order to get your organisation to where it needs to be. You can choose to employ DQM GRC’s support for any stage of the ISO 27701 compliance roadmap, or to utilise your own resources instead.

STAGE 3: At an agreed date, we’ll then conduct an ISO 27701 readiness assessment which aligns with the certification exercise. This will give you a strong indication of whether your organisation is ready for the ISO 27701 assessment from a certified body, and will flag any issues that could potentially stop your organisation from achieving the certification.

STAGE 4: We can then work with you to modify those issues and prepare you for the official assessment.

ISO 27701 compliance auditing with DQM GRC

Organisations can start preparing for an ISO 27701 certification today with DQM GRC’s action plan and assessment process.

Formed in 1996 DQM GRC was one of the first specialist consultancies dedicated to advancing all organisations’ data protection and governance capabilities.

As a wholly owned subsidiary of GRC International Group plc we are part of a leading global supplier that boasts of an extensive one-stop-shop for governance, risk and compliance products and services.

Our award-winning range of services and solutions can give any organisation confidence in their data, from SMEs to multinationals and from finance to publishers or utilities – we understand your specific requirements and can provide bespoke and hands-on support via our specialist group of experts.

Get in touch with one of our expert ISO 27701 consultants today.

ISO 27701 Privacy Information Management Summary

Find out more?

Leave your contact details below and one of our expert team will be in touch

We will only use the contact details you supply on the basis of our legitimate interest to respond to your query and contact you about DQM GRC. You will always be given the opportunity to opt-out from future communications. Please read our privacy policy for more details.


Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail

  •   +44 (0)1494 442900