Last Updated on June 29, 2021
The new ISO 27701 standard enables organizations to add a “certifiable extension” for privacy information management to an existing ISO 27001 certified Information Security Management System. With data privacy requirements becoming business-critical across all sectors and geographies, an ISO 27701 certification can be an ideal way to prove to customers, prospects, regulators, your Board and other stakeholders that you have a handle on privacy.
But, as you might expect, everyone from the firms seeking ISO 27701 certification to the consultants supporting them to the auditors and registrars certifying them all face a bit of a “learning curve” with this comprehensive new privacy framework.
To share insights and experiences from Pivot Point Security’s early work with ISO 27701 clients, a recent episode of The Virtual CISO Podcast features Aurore Watts and Andrew Frost, two of our GRC Consultants on the leading edge of the ISO 27701 audit process. Hosting the show as always is John Verry, Pivot Point Security’s CISO and Managing Partner.
As with information security, correctly defining the scope of your ISO 27701 Privacy Information Management System (PIMS) is the linchpin of your initiative. John likens it to “getting the ladder against the right wall before we climb it.”
What’s new and different about scoping with the ISO 27701 privacy extension? What key factors should you keep in mind from the start?
“We originally thought that the ISO 27001 and ISO 27701 management systems would have to have the exact same scope,” notes Andrew. “But that’s not the case. Basically, your ISO 27701 scope has to be a subset of the ISO 27001 scope. If you have anything in the ISO 27701 scope that’s not included [in your ISO 27001 ISMS], you basically have to add it to your ISO 27001 scope. That’s the key.”
“Everything [privacy related] has to be covered by security controls, which are the ISO 27001 scope,” Andrew clarifies.
Another key question for many organizations is whether employees’ and/or vendors’ personal data would be in scope for their ISO 27701 PIMS. Many privacy regulations, like the EU’s GDPR and California’s CCPA, focus strongly on personal data. But ISO 27701 doesn’t mandate covering personal data within your privacy scope.
“With GDPR and CCPA, we really have to look at any personal data,” says Aurore. “So, a mistake we made when we approached ISO 27701 was, we were saying, ‘Talk to me about all your personal data.’ Therefore, we were focused on too large of a scope.”
If you’re wondering what path your business should take towards privacy compliance, don’t miss this candid conversation with Aurore Watts and Andrew Frost.