Last Updated on June 29, 2021
The new ISO 27701 standard, “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” enables you to extend your ISO 27001 Information Security Management System (ISMS) certification to encompass a Privacy Information Management System (PIMS).
With more and more organizations subject to more and more data privacy laws, ISO 27701 is good news! But as a comparatively new framework, consultants, auditors and their clients all face a “learning curve” on the path to certification.
To share Pivot Point Security’s early experience with helping our clients implement ISO 27701, a recent episode of The Virtual CISO Podcast features Andrew Frost and Aurore Watts, two of our GRC Consultants guiding clients through their ISO 27701 certification audits. John Verry, Pivot Point Security CISO and Managing Partner, hosts the episode as usual.
So… what’s a processor and what’s a controller? It’s critical to know if either or both of these classifications applies to your company because ISO 27701 defines different requirements for processors versus controllers at various points within the framework. This, in turn, will greatly impact the scope of your ISO 27701 PIMS.
“Basically, the bottom line is who’s collecting the PII,” Andrew explains. “If you collect the PII, you’re the controller. If someone else collects the PII and you process it or do work to it, then you’re a processor.”
For example, your HR department is a controller of the data they get from your employees. But if you use a cloud-based HR information system, that SaaS provider would be a processor of your HR data.
And, no surprise, if you’re a controller in a particular context, you’re probably also a processor of that same data—but the controller role takes precedence in terms of applying ISO 27701.
Can your business be a both controller and a processor? Yes, definitely.
As Aurore clarifies: “Any company is usually both. Because you’re always the controller of your own employee information, vendor information, client information… And you’re also a processor if you perform additional data processing activities on behalf of clients or vendors.”
“So you’re the controller on the data that you gather yourself, and you’re also a processor for the data that somebody gives you to work with,” reiterates John.
If your company is looking into ISO 27701 certification, this “ISO 27701 lessons learned” podcast is tailor made for you.