July 29, 2020

Last Updated on January 12, 2024

Data privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are impacting more and more businesses in all sectors. Not only do many companies need to comply with these laws, but also clients and other stakeholders are increasingly asking for proof that they can keep personal information (PI) secure.

How can you demonstrate to customers, auditors, your Board, etc. that you have robust security and privacy controls in place that comply with diverse regulatory guidance?

The ISO 27001 information security standard and the newly released ISO 27701 privacy extension are a holistic one-stop shop that can greatly reduce the complexity of managing security and privacy—especially as these two disciplines continue to merge.
To give business leaders an easily digestible deep-dive into ISO 27701, we talked with special guest Debbie Zaller on a recent episode of The Virtual CISO Podcast. Debbie is Principal and co-owner at Schellman & Company, a top IT audit and certification firm that is sanctioned to certify both ISO 27701 and ISO 27001 compliance. As Pivot Point Security’s CISO and Managing Partner, host John Verry also has a strong background in helping SMBs achieve privacy compliance.
A concept that is common to most data privacy guidance is the data controller and data processor roles. Is your company neither, either or both?
Debbie explains: “Essentially a controller is an organization that would collect data directly from an individual. So it’s an organization that determines the purpose and means of processing that personal information. Whereas a processor actually processes data on behalf of a controller.”
“If an organization has a contract with a customer to process their information (and that could mean just storage…) then they know they’re in the processor role,” continues Debbie, “If they don’t, they may be in that controller role, actually collecting the information directly from the individuals.”

Can an organization be both a controller and a processor?

Yes, but it’s rare—at least from the viewpoint of ISO 27701 and ISO 27001 scope. As Debbie notes, it all comes down to the scope of your ISO 27001 information security management system (ISMS):
“You have to look at the scope of the ISO [27001] certification. With ISO 27701 being an extension of ISO 27001, the scopes have to match. Meaning that if you’ve defined your scope for ISO 27001 as being a specific service or business unit, and then you add on ISO 27701, you can’t extend that scope further beyond what the ISMS is. And if you do, that does change the ISMS scope as well.”
In most cases, a firm’s ISO 27001 certification is for a business unit or a service. Thus their ISO 27701 scope would put them in a processor role most of the time. The company may also be a data controller regarding their own employee data or marketing data, for example, but this would be outside the scope of the ISMS or associated Privacy Information Management System (PIMS). A bit nuanced, for sure.
“So in those cases, if you are both a controller and a processor, you may not be both for the scope of the certification,” Debbie clarifies.
What if an organization that is acting as a processor on behalf of a controller decides to use some of the data for its own direct advertising or other internal purpose? That would most likely violate basic privacy guidelines and also ISO 27701 requirements regarding the need for individuals’ consent, as well as client/controller agreements.
“So I would caution that area,” asserts Debbie. “But in some cases it may change the role of an organization to a controller role again, for a different dataset. So it may not necessarily apply to the ISO certification. You have to be careful what’s in your agreements as well as making sure you get that consent.”
If your company is weighing its options for managing security and privacy, Debbie and John’s conversation on ISO 27701 offers unique insights on everything from terminology to costs to compliance with specific privacy regulations.
To listen to the complete episode of The Virtual CISO Podcast featuring Debbie Zaller, click here. If you don’t want to use Apple Podcasts, click here.