Last Updated on July 31, 2020
The new ISO 27701 privacy extension to the ISO 27001 information security standard can be a “one stop shop” to holistically manage compliance and attestation for both cybersecurity and data privacy. Leveraging these internationally trusted standards in tandem helps drive competitive advantage externally and streamlines cost and complexity internally.
To give business and technical leaders clear guidance on ISO 27701, The Virtual CISO Podcast recently featured special guest Debbie Zaller. Debbie is Principal and co-owner at Schellman & Company, a leading IT certification and audit firm. Host John Verry, Pivot Point’s CISO and Managing Partner, also has extensive experience with real-world privacy compliance initiatives.
For organizations looking to add ISO 27701 to a current ISO 27001 certification, versus pursuing a dual ISO 27001/27701 certification, what are the costs and considerations for each option?
Debbie and John address this question from the audit and implementation “sides of the aisle,” respectively.
John frames a hypothetical scenario: “If you’re a 500-person SaaS operation… you’re probably looking, from a high-quality registrar like Schellman, at $30,000 as a rough approximation of what your first-year [ISO 27001 certification] audit costs would be; and let’s say $15,000 and $15,000 in the next two years [for surveillance audits]. How much will it cost to add ISO 27701?
“It goes back to scope, right?” Debbie explains. “For a 500-person organization that utilizes a third-party, the processor controls are about $18,000; controller are about $31,000. So if you think about your role as a processor, it’s not going to be as much as if you were a controller.”
“It also depends on how you want to add it in,” Debbie continues. “You can do a scope expansion in the middle of your certification year. So you don’t necessarily have to wait until your next surveillance review or recertification. And then the other option, obviously, is to wait until your surveillance [audit] or the recertification.”
“But if you’re looking at your total initial certification or recertification, the cost to add on a processor [privacy certification] is probably going to be somewhere between $10,000 to $20,000 at the most,” sums up Debbie. “A scope expansion may be less, because you’re really just looking at ISO 27701 and how that combines with the management system.”
John adds: “Right, but your net cost would end up being more because in your next surveillance cycle you’d poke again at the privacy stuff. Which, while it cost you a little bit more, the nice thing is that it’s probably going to be an immature privacy program anyway, and having that secondary look at it is probably a good idea.”
A clear advantage of moving to ISO 27701 certification sooner is achieving provable compliance ahead of competitors + some efficiency gains.
As John notes: “If you can do ISO 27001 and ISO 27701 at the same time, your net cost is going to be a little bit lower because you can touch things once. As an example, the scoping conversations that you have can become scoping and data mapping conversations. The initial risk assessment becomes an initial risk assessment and data privacy impact assessment.”
“If we do it over a two-year cycle, … you’ve got to have those conversations again, and then you’ve got to update all the documentation… It cascades through the whole management system,” John points out.
Both these experts acknowledge that, as John says, “It’s not cheap to become provably secure and privacy compliant.”
“True,” Debbie replies. “It is a bit of an undertaking for organizations. But doing it at one time will save you some cost and effort for sure.”
If your firm needs demonstrable proof of both security and privacy compliance, you’ll want to hear all of Debbie and John’s conversation.