Last Updated on March 16, 2023
More and more organizations need to prove to clients, regulators, partners, investors, etc. that they’re secure and compliant. Often this takes the form of a certification/attestation against ISO 27001, SOC 2, CMMC or a similar cybersecurity framework.
Increasingly, there is also a parallel requirement to comply with privacy legislation like the EU’s GDPR and/or one of the US state-level consumer privacy laws (California’s CCPA, Virginia’s VCDPA, Colorado’s ColoPA). In this scenario, many firms consider going for ISO 27001 certification plus the ISO 27701 “privacy extension” to cover all the bases.
Is that the best option for your business? To explore all the angles on privacy certifications, we invited Jason Powell, GRC and Privacy Consultant at Pivot Point Security, to join a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
ISO 27701 certification doesn’t automatically equal legal compliance
The ISO 27701 standard enables companies to extend their ISO 27001 certified information security management system (ISMS) to cover privacy. Beyond doubt, this can be a great way to demonstrate that you have a robust privacy program. But does it “automatically” mean you’re compliant with specific privacy laws, especially GDPR?
“I would take a wild guess and say that the majority of ISO 27701 certified entities that are not obligated to follow GDPR under law are probably not even close to being GDPR compliant,” says Jason. “That’s because GDPR is so much more comprehensive and in-depth. Which is why so many other countries use GDPR as the foundation for their privacy legislation.”
Is putting GDPR/CCPA in your ISO 27701 scope the right idea?
Businesses that need to comply with specific laws like GDPR or CCPA can explicitly specify those compliance requirements as within the scope of their ISO 27701 privacy information management system (PIMS). That way, the ISO 27701 certification will demonstrate appropriate legal compliance to stakeholders.
But is that the most efficient approach to achieve the cybersecurity and privacy compliance you need? Or is it better to target compliance with specific privacy laws first, and then pursue ISO 27701 certification?
“I’m going to go out on a limb and suggest that [pursuing ISO 27701] not necessarily the best idea, depending on the resources you have available,” advises Jason. “If a company is pursuing ISO 27001, and they want to pursue GDPR and ISO 27701 at the same time, and they have a common, largely merged security and privacy program and a single security stakeholder that also oversees privacy, everything’s going to get muddied, first of all. The terminology between GDPR and ISO 27701 is slightly different; it’s enough to be confusing.”
“I think it’s also possible, especially in some smaller organizations, that the ISO 27701 framework is going to get in the way of getting GDPR done,” adds Jason. “It’s an extra thing you have to continually distinguish between. Are we talking about GDPR when we talk about this control? Or are we talking about ISO 27701? Which one are we working on?”
“For organizations that have a hard requirement to do GDPR, I think the best of both worlds would be to get GDPR compliant, maybe referring to ISO 27701 occasionally, if you need a little bit more context of how privacy works,” Jason asserts. “If you want to demonstrate additionally that you are, in fact, compliant beyond GDPR, you’ve got 98% of what you need to get ISO 27701 compliant, assuming you’re ISO 27001 certified.”
Factors to consider
“I agree with you,” offers John. “And I think you’re coming down to some fundamental stuff. Should I align with GDPR? Should I align with GDPR and ISO 27701 at the same time? Should I do GDPR first, then ISO 27701? Should I do ISO 27701 first, then go to GDPR?”
“If it’s a legal compliance issue and time to being legally is important, then going straight to GDPR is the most direct path to getting there,” John validates.
“It’s the best use of your resources,” Jason highlights.
In the end, it’s a balance of timeframes, budgets and quality. The more you try to accomplish all at once, the heavier the lift and the more resources you’ll need. Extending timelines and cost structures becomes an increasing danger. But some organizations choose to optimize longer-term costs by pursing ISO 27001, ISO 27701 and GDPR/CCPA all at once, to avoid reworking artifacts and controls down the line.
“You’ve got to look at the money that’s available over a multi-year period sometimes to figure out what’s the best way to get where you need to go from a dollars and cents perspective,” summarizes John.
To listen to this podcast with Jason Powell in its entirety, click here: https://pivotpointsecurity.com/podcasts/ep66-jason-powell-private-practices-how-to-prioritize-privacy-in-your-organization/
Interested in learning more about ISO 27701 certification? Check out this podcast episode: https://pivotpointsecurity.com/podcasts/ep48-john-verry-lessons-learned-in-our-initial-27701-certification-audits/