ISO 27701 Consulting Services

ISO 27701 As-A-Service – Simplified Privacy Information Management System (PIMS)

Gain Confidence Your Business Can Prove Privacy Compliance with a Certifiable Privacy Information Management System (PIMS)

Organizations increasingly need to prove to potential clients, business partners and regulators they can keep personal information (PI) secure and can comply with laws (e.g., CCPA, GDPR) that specify how PI is stored, handled and managed.

ISO 27701:2019 is a privacy extension to ISO 27001 that adds Privacy Information Management to your 27001 Information Security Management System (ISMS) … and out comes an Information Security & Privacy Management System (ISPMS)… yes, we made that up but it sounds good, right?

With Pivot Point Security as your trusted partner, demonstrating ISO 27001 & 27701 conformance year over year is a guaranteed reality. Our clients enjoy enhanced privacy postures, streamlined privacy compliance processes, the ability to adapt to current and future privacy regulations, and the ability to provably demonstrate privacy information security to any stakeholder.


Can You Effectively & Efficiently Address Information Security & Privacy… Together?

We are rapidly approaching a point where information security and privacy become indistinguishable. Moving forward, it may not be possible to be an information security professional without being a data privacy professional as well.

With all the extra work and expertise needed to address privacy concerns it may also not be possible to survive without a trusted system to manage data privacy risk.

How ISO 27701 works with ISO 27001 to Address Privacy Risk

ISO 27701 recognizes that privacy is indeed a different class of information with different treatment requirements, which an ISO 27001 ISMS on its own struggles to fully govern and protect. To address that issue, ISO 27701 updates two of ISO 27001’s seven clauses so the Information Security Management System also becomes a Privacy Information Management System (PIMS)… or, as we have dubbed it, an Information Security & Privacy Management System (ISPMS). To ensure you have the required controls to manage privacy-specific risks, ISO 27701 provides updates and additional guidance to the controls for 13 of the 14 Annex A domains.

Our ISO 27001 + ISO 27701 Consulting Solutions

Our ISO 27701 and 27001 consulting services help our clients strategize, build, and certify a robust and effective Information Security & Privacy Management System (ISPMS). Our team of experts brings extensive experience and privacy domain expertise to guarantee your privacy controls conform to the ISO 27701 standard.

  • Save time and money by addressing both standards at once – Completing ISO 27001, then adding 27701 would cost roughly 40% more time and money than doing them at the same time.
  • Achieve conformance at your own pace – Dedicated ISO 27001 & 27701 expertise will ensure you have the information, documentation and staff augmentation you need, when you need them.
  • Chart a roadmap and stay on target – Regular status/coordination meetings between our ISO 27001 & 27701 experts and your project team will keep your project moving forward. Our expertise, proven processes and standard-driven artifacts will streamline your conformance process.
  • Guarantee your business meets ISO 27001 & 27701 requirements – Pivot Point Security ensures your success by validating that all your artifacts conform fully to the ISO 27001 & 27701 guidance.
  • Make sure you pass your ISO 27001 certification audit – We provide on-site support to ensure a smooth and successful certification audit, including privacy controls.
  • Ensure you maintain your ISO 27001 & 27701 conformance from year to year – Pivot Point Security provides whatever ongoing support you need to operate your ISPMS, manage privacy risk, continually improve your privacy posture, implement your Internal Audit Program, and maintain your ISO 27701 conformance within the scope of your ISO 27001 certification.

Our ISO 27001 & 27701 consulting services include:

Privacy Information Management System (PIMS) Strategy/Framework Selection – Defining the ideal approach to PIMS development based on your industry, regulatory compliance and attestation requirements.

PIMS Scope Determination and Optimization – Scope determination is key to the critical task of “data mapping,” which forms the basis of a successful ISO 27701 implementation effort. The scope needs to be broad enough to meet the needs of key stakeholders (e.g., clients, shareholders) but narrow enough to keep the initial effort manageable.

Risk Assessment/Data Privacy Impact Assessment – Risk Assessment/Management is a cornerstone of every ISPMS. ISO 27701 extends your Risk Assessment methodology to allow it to be used for both Information Security & Privacy Risk Management.

PIMS Gap/Control Maturity Assessment – Understanding the difference between your current privacy posture and the desired state of your ISPMS is a vital starting point for Risk Treatment Plan development and your eventual “Prioritized Roadmap” (Gap Remediation Plan).

Risk Treatment Plan Development – The Risk Treatment Plan specifies the controls required for your ISPMS (including the needed extent and rigor of their implementation) to mitigate privacy risk to a level that your organization’s management team considers acceptable.

Gap Remediation Facilitation/Support – Collaboratively, we will execute the Risk Treatment Plan to close identified gaps in your ISPMS to position you for successful certification.

Privacy Metrics – Metrics are central to a robust ISPMS implementation as they are essential to demonstrate continuous improvement (a key tenet of ISO 27001 certification). This service focuses on simplifying the process of measuring, reporting and hence systematically improving your ISPMS’ effectiveness.

Policy, Standards, & Procedure (PSP) Support – PSPs form the mainstay of any ISPMS. But while PSPs are relatively simplistic ISPMS elements, they are not simple to implement well. Important points to consider before implementing PSPs include structure, presentation, audience, version control and more. If the target audience can’t easily find all the information relevant to the specific issue at hand, a nonconformity is likely to be issued.

ISPMS Internal Audit – Integral to the 27001 requirement of validating the effectiveness of the ISPMS is a requirement to conduct an internal audit to establish whether its control objectives, controls, processes and procedures conform to requirements, are effectively implemented and maintained, and perform as expected.

Certification Audit Support – For many clients, having a Pivot Point Security auditor on-site during one or both of the ISO 27001 certification audit phases streamlines the process and reduces the risk of non-conformities.

Ongoing Risk Management Team Membership – Making sure you have the right people on your Risk Management Committee is critical to the ongoing effectiveness of the Risk Management function, which is critical to the ongoing effectiveness of the ISMS and PIMS. Many clients benefit from including an independent, objective third-party member with broad organizational/industry expertise on their Risk Management Committee.

Managing Privacy Risk is Here and Here to Stay

Ignoring privacy risk would be like ignoring an incoming tidal wave. We can clearly see this coming from far away, and deciding not to act would result in certain doom.

ISO 27701 FAQs

What is ISO 27701?

ISO 27701 is a certifiable extension to ISO 27001 that extends the ISO 27001 Information Security Management System to specifically account for Personal Information (PI) and the laws/regulations that apply to it (e.g., CCPA, GDPR, APAC, etc.). Simply put, it is the best way to prove to a key stakeholder that you have a strong Privacy Program.

What is an ISO 27701 Privacy Information Management System (PIMS)?

A PIMS is a systematic, risk-based approach to protecting personal information (PI) so that it remains private and can be managed in line with privacy laws and guidelines.

What is an ISO 27701 Risk Assessment?

An ISO 27701 Risk Assessment is essentially a Data Privacy Impact Analysis and is a requirement of regulations like CCPA and GDPR.

How do you get ISO 27701 Certified?

Because the ISO 27701 standard is an extension to ISO 27001, you need to be ISO 27001 certified in order to be ISO 27701 certified. This allows you to be certified to both standards in a single audit. If your business is considering ISO 27001 certification and you know you must also address privacy and data protection, it makes sense financially and strategically to implement both concurrently.