Last Updated on April 15, 2020
A healthy level of skepticism seems to be an occupational hazard of working in information security. Hence, my hopes were not all that high when I recently sat down with a Boulevardier and the new ISO 27701 standard (“Security techniques – Extension to ISO 27001 for Privacy Information Management”).
To be clear, I am a huge fan of ISO 27001 and many other members of the ISO 27000 family. But privacy and security are a lot like vanilla ice cream and smoked salmon. I really enjoy eating both, just not at the same time. (Full disclosure: I stole that from Colin Cowherd, who of course was talking about sports not ISO 27001… So there is a tad of originality I deserve a bit of credit for.)
But wow, my skepticism was unwarranted. ISO 27701 is an impressive and timely effort.
Anyone who has been in the information security business as long as I have (I’m approaching my 30th birthday again this year) has lived through the whole “Privacy is Privacy and it’s the domain of the lawyers in the Compliance department and Information Security is Information Security and it’s the domain of the guys that talk in acronyms that the lawyers in Compliance (and the rest of the C-Suite) don’t really want to talk to” thing.
Oh, how the (information security) world has changed over the last 10 years.
First, breaches of note helped to bridge the divide between information security and the C-Suite. ISO 27001 played an instrumental role in that movement, as it required information security folks to speak about risk in ways meaningful to the C-Suite.
Now, GDPR and CCPA have completely altered the relationship between the Compliance Officer and Information Security. We are rapidly approaching a point where information security and privacy become indistinguishable. Moving forward, it may not be possible to be an information security professional without being a data privacy professional.
That is why the timing of ISO 27701 is so perfect. It provides a mechanism to seamlessly blend privacy and information security so you can manage those risks as one. It’s smoked salmon ice cream that’s delicious—even with the capers and onions.
As you likely know, ISO 27001 is the world’s most comprehensive and widely leveraged standard to manage information security risk. It includes seven Clauses that define an optimized construct (a set of processes, if you will) for an organization to understand the information it needs to protect, what it needs to protect it from, and the process to determine which technical and operational controls it needs to implement to manage those risks. The 114 controls are grouped into 14 domains and referred to as ISO 27001 Annex A controls. Cumulatively, we refer to the Clauses and Annex A as an ISO 27001 Information Security Management System (ISMS).
What ISO 27701 does so well is to recognize that privacy is indeed a sufficiently different class of information with very different regulatory requirements, which an ISO 27001 ISMS struggles to fully govern and protect. To address that issue, it updates two of the seven clauses of the ISMS so that the Information Security Management System also becomes a Privacy Information Management System (PIMS). Then, to ensure that you have the required controls to manage privacy-specific risks, it provides updates and additional guidance to the controls for 13 of the 14 Annex A domains.
I’ve often referred to ISO 27001 as a “recipe” for Information Security Risk Management. Forgive me in advance if we are on a call together and I refer to ISO 27001 + ISO 27701 as a recipe for Smoked Salmon Ice Cream… because it’s actually a near-perfect recipe for information security and privacy risk management.