Published on Tuesday, August 20, 2019 - 16:07 by Cameron Troake
ISO 27001, the international standard for information security, has been joined by a companion standard, ISO 27701. This article introduces ISO 27701, the new international standard for privacy information management, and covers the benefits of getting certified and how to get started.
The GDPR/DPA 2018 narrative has shifted considerably over the past 12 months.
Prior to its implementation, the focus was very much centered around the eye-watering fines for non-compliance, which sent many organisations panicking, and in some cases scrambling, to demonstrate compliance by the 25th May 2018.
Whilst organisations have since been penalised for GDPR non-compliance, the focus is now on the need for organisations to continuously and actively demonstrate compliance with the regulation.
GDPR’s ‘accountability’ principle requires organisations to have appropriate measures and records in place in order to demonstrate compliance. This means an organisation must increasingly be able to prove how and why it has set up its processes, procedures and policies to comply with the law.
One of the key ways of achieving this is through a certification – which is why one of the most famous international standards has just received a companion standard.
ISO 27701 is the new international standard for privacy. In the same way that ISO 27001 is considered to be the “gold standard” for information security management, ISO 27701 is set to become the “gold standard” for privacy management.
It aligns with GDPR but also allows organisations to use the standard to encompass other privacy laws, regulations and requirements. This makes it an excellent choice for organisations of all sizes looking to demonstrate their compliance with GDPR.
Currently, there is no “official” GDPR certification or seal. ISO 27701 is the closest an organisation can get to attesting to its accountability under the regulation.
This will set the standard for data protection practices and help organisations demonstrate that they have the appropriate control environment in the form of a Privacy Information Management System (PIMS) which integrates with the Information Security Management System (ISMS).
It is applicable to all industries and to organisations of every size, and covers the processing of personal information for all data subjects.
ISO 27701 demonstrates that an organisation has put appropriate measures in place to protect and manage personal data in a way that is fundamentally aligned with what the GDPR mandates.
It provides a recognised certification scheme that offers assurance to both commercial partners and data subjects that personal information is being handled compliantly.
It also certifies the processes and controls an organisation uses to assess and mitigate risk when transferring personal data between organisations in its supply chain.
This verifies that an organisation will adequately protect personal information and provides assurance between commercial partners, which will improve trading practices.
In the future, it is likely that procurement teams will begin to look to ISO 27701 as a means of selecting suppliers that can demonstrate compliance with what the standard requires.
As an internationally recognised and applicable standard, ISO 27701 is designed to work across all legal jurisdictions and with all applicable legislation.
This gives a level of trust to clients and users well beyond local standards.
Certification with ISO 27701 will:
One of the key factors in developing ISO 27701 was ensuring it was created through a recognised consensus-driven process. A whole range of industry and regulatory leaders have provided input and guidance, including the European Data Protection Board and Data Protection Authorities from every EU country.
These Data Protection Authorities are satisfied that the new ISO 27701 sufficiently demonstrates compliance with privacy laws for organisations of all sizes and from all sectors.
The certification also addresses the requirements of both controllers and processors, each of which has its own set of controls defined in ISO 27701 (Annex A for PII controllers and Annex B for PII processors), so an organisation certifies against the role or roles it actually plays.
Organisations that have already been certified to ISO 27001 will be able to extend that certification to cover ISO 27701. ISO 27701 is written as an extension to ISO 27001 rather than a standalone standard, so it cannot be certified on its own.
If your organisation does not currently hold a suitable ISO 27001 certification, it is possible (and undoubtedly optimal) to work towards both ISO 27001 and ISO 27701 simultaneously.
An organisation’s ISO 27001 certification will need to be updated so that the existing ISMS incorporates the additional privacy requirements needed to implement and maintain a PIMS.
Organisations that were well prepared for the GDPR will have already completed quite a lot of the initial legwork required for ISO 27701.
One of the key amendments will be to update the scope of the management system and the Statement of Applicability, which may mean redrawing the boundaries within which the organisation must demonstrate compliance. This will include identifying additional interested parties (such as data subjects and supervisory authorities) as well as implementing the necessary privacy controls.
Our 4-step auditing process for ISO 27701
STAGE 1: A typical audit will start by conducting a gap analysis which highlights everything your organisation will need to either change or update in order to achieve certification success.
STAGE 2: From this, we can generate a straightforward action plan that details every step of what needs to happen in order to get your organisation to where it needs to be. You can choose to employ DQM GRC’s support for any stage of the ISO 27701 compliance roadmap, or to utilise your own resources instead.
STAGE 3: At an agreed date, we’ll then conduct an ISO 27701 readiness assessment which aligns with the certification exercise. This will give you a strong indication of whether your organisation is ready for the ISO 27701 assessment from a certified body, and will flag any issues that could potentially stop your organisation from achieving the certification.
STAGE 4: We can then work with you to resolve those issues and prepare you for the official assessment.
Organisations can start preparing for an ISO 27701 certification today with DQM GRC’s action plan and assessment process.
Formed in 1996, DQM GRC was one of the first specialist consultancies dedicated to advancing organisations’ data protection and governance capabilities.
As a wholly owned subsidiary of GRC International Group plc, we are part of a leading global supplier that offers an extensive one-stop-shop for governance, risk and compliance products and services.
Our award-winning range of services and solutions can give any organisation confidence in their data, from SMEs to multinationals and from finance to publishers or utilities – we understand your specific requirements and can provide bespoke and hands-on support via our specialist group of experts.
Get in touch with one of our expert ISO 27701 consultants today.
If you are interested in any of our services then please either use the contact form or contact us via one of the methods below: