Last Updated on July 8, 2020
As US states and nations around the globe rapidly institute privacy laws, the time has come for businesses to demonstrate compliance—but how? Which regulations apply, and what controls are needed to comply with them?
For many organizations, the best way to meet the growing privacy compliance challenge will be to achieve certification to the ISO 27701 privacy extension to the ISO 27001 information security standard.
To illuminate today’s data privacy landscape and how ISO 27701 can help you navigate it, a recent episode of The Virtual CISO Podcast from Pivot Point Security features Debbie Zaller, Principal and co-owner at Schellman & Company, a top IT certification and audit firm. Hosting the episode is Pivot Point’s CISO and Managing Partner, John Verry, who helps clients implement the privacy controls that auditors like Debbie evaluate.
ISO 27701 just came out in August 2019. Unlike related standards like ISO 27017 and ISO 27018, which extend ISO 27001 by adding additional controls, ISO 27701 extends a firm’s ISO 27001 information security management system (ISMS) to include an entire privacy information management system (PIMS). As such, it provides additional guidance that extends the ISO 27001 clauses, modifies some ISO 27001’s Annex A controls, as well as adding new privacy-related controls.
“It adds on to those Annex A controls. So while those controls are still there, it does have some additional implementation guidance that needs to be in place for processing personal information… but then also specific controller and processor controls,” Debbie explains.
Another distinguishing feature of ISO 27701 is that your business can be certified by a third-party auditor as compliant with ISO 27701. However, because ISO 27701 is an extension to ISO 27001, there is no separate certification for ISO 27701 alone.
A company that is already ISO 27001 certified can extend its ISMS to support a PIMS that covers the same scope; e.g., a specific service or business unit. Or organizations can implement an ISO 27701 PIMS together with an ISO 27001 ISMS.
In fact, a company that is considering ISO 27001 certification and also needs to address privacy and data protection can save considerable cost and effort by achieving certification to both standards in a single effort & audit. This is because, as you would expect, there is considerable technical, process and documentation-related overlap between the ISMS and PSMS. As Debbie and John discuss, most companies will want to effectively merge the two systems and manage them together.
If your business processes personal information for its own use or on behalf of others, you don’t want to miss this in-depth discussion by two leading data privacy practitioners.