Published on Wednesday, July 31, 2019 - 16:52 by Camilla Winlo
One of the most famous international standards has just got an update. ISO 27001, the international standard for information security management systems, has been joined by companion standard ISO 27701.
ISO 27701 is set to be the international standard for Privacy Information Management Systems (PIMS). It allows organisations that have already achieved ISO 27001 to align their privacy and Information Security Management Systems (ISMS) and demonstrate an appropriate control environment.
In the same way that ISO 27001 is considered to be the ‘gold standard’ for information security management, ISO 27701 will become the ‘gold standard’ for privacy management.
It aligns with GDPR but also allows organisations to use the standard to encompass other privacy laws, regulations and requirements. This makes it an excellent choice for organisations of all sizes looking to demonstrate their compliance with the ‘accountability’ principle of GDPR.
What do organisations need to do to achieve ISO 27701?
Organisations that already have ISO 27001, that have run an effective GDPR compliance project and that have incorporated Privacy by Design and Default into their project management process will find achieving ISO 27701 relatively straightforward.
The standard first requires that organisations uplift their ISO 27001 controls to include privacy management. This means reviewing the organisation’s contextual analysis, risk assessment and control environment to ensure that privacy management is incorporated.
The privacy management system then needs to be documented. This is a good opportunity for organisations to confirm the effectiveness of their GDPR programmes and to remind themselves of any areas that may still need to be brought within risk tolerance.
Organisations that are less confident in their GDPR compliance will find ISO 27701 particularly helpful as it provides specific recommendations for actions to comply with the regulation.
What are the benefits of uplifting to ISO 27701 compliance?
Many organisations choose to achieve ISO 27001 certification to demonstrate their commitment to information security to their customers, suppliers and other interested parties. These third parties are likely to be equally interested in the treatment of personal data, and therefore the same business case that applies to ISO 27001 also applies to ISO 27701.
ISO 27701 will make it easier for organisations to respond to security questionnaires, to demonstrate compliance with contractual and regulatory obligations, and to assure individuals that their data is protected. It will also assure Boards that their personal data risks are appropriately managed.
When should organisations start working towards ISO 27701?
Organisations can start preparing for certification today.
DQM GRC has produced an action plan and assessment process that will help organisations get ready to go for their certification audit in Q3. For more details, get in touch with our team today on 01494 442900 or complete our enquiry form.