December 18, 2019

Last Updated on January 13, 2024

We’re seeing a big uptick in interest in the newly published ISO 27701 data privacy extension to ISO 27001—especially among organizations that are considering ISO 27001 certification (or area already ISO 27001 certified). That makes sense given the high percentage of businesses that handle personal data and need to address emerging data privacy laws like the CCPA.
What is ISO 27701? Briefly, it describes a framework for “controllers” and “processors” of personally identifying information (PII) to manage data privacy and enable regulatory compliance.
The resulting Privacy Information Management System (PIMS) reduces risk to the privacy rights of individuals. Aligning with ISO 27701 is also “silver bullet” to demonstrate to customers, regulators, partners and internal stakeholders worldwide that your business is in compliance with privacy laws and can successfully manage and secure PII.

“There is significant technical, documentation and process overlap between ISMS and PIMS implementations…”

How do you get ISO 27701 “certified”? Because the ISO 27701 standard is an extension to ISO 27001, there is no separate “certification” for ISO 27701. Instead, organizations can implement the ISO 27701 controls together with the ISO 27001 controls and be certified to both standards in a single audit. Alternatively, an organization that is already ISO 27001 certified can extend the scope of its information security management system (ISMS) to encompass the ISO 27701 controls and be audited against both sets of controls.
If your business is considering ISO 27001 certification and you know you must also address privacy and data protection, it could make solid financial and strategic sense to plan the scope of your initial ISO 27001 implementation to encompass the ISO 27701 controls.
There is significant technical, documentation and process overlap between ISMS and PIMS implementations, such that creating them together saves time, cost and effort versus creating them separately. Plus, the sooner you can prove compliance with privacy regulations, the sooner your customers’ peace of mind will start benefitting your company competitively.
Achieving ISO 27001 certification first and then enlarging the scope of your information security management system (ISMS) at a later time to cover ISO 27701 will probably be less cost-efficient. This path would also potentially leave your company exposed to greater privacy-related security and compliance risk for a longer period.
To brainstorm with a privacy expert about implementing ISO 27701, contact Pivot Point Security.