
ISO 27701 Requirements

Posted by: Mr. Nur Kamal Kamari Date: 10 Oct 2023

The advancement of technology has brought numerous opportunities, but it has also exposed companies to data security and privacy risks. ISO 27701 assumes a critical role by establishing a global framework for organisations to ensure alignment with GDPR and respective privacy laws. It ensures that organisational policies, procedures, and business practices align with privacy regulations through the effective implementation of a PIMS (Privacy Information Management System).

Adhering to ISO 27701 and its guidelines enables businesses to secure confidential information, which fosters trust among stakeholders. This demonstrates the organisation's commitment and responsibility in prioritising privacy protection within its operations.

Requirements and Checklist for ISO 27701

A Privacy Information Management System (PIMS) needs to be implemented for the protection of personally identifiable information (PII). This is a pre-requisite for implementing the ISO 27701 standard. ISO 27701 is a privacy extension to the data security and information security standard, ISO 27001. It is mandatory for every organisation to have an ISO 27001 certification prior to applying for an ISO 27701 certification. In the absence of ISO 27001 certification, the organisation has to implement both of them simultaneously. ISO 27001 focuses on data security, while ISO 27701 adds an enhanced layer of protection for PII; hence the two necessarily co-exist.

ISO 27701 Requirements and Checklist

  • Designing, building and implementing a PIMS.
  • Ensuring all policies and procedures that are in the scope of PIMS are in place.
  • Obtaining the consent of all the concerned stakeholders before implementation of a PIMS.
  • Risk assessment is duly performed, and privacy impact assessments are conducted to identify the vulnerable private data points for ensuring proper implementation of controls related to privacy risk management. Justifications for the inclusion and exclusion of the controls are documented in the Statement of Applicability (SOA).
  • Controls are implemented to ensure every privacy concern is addressed.
  • An internal audit of the PIMS and a management review must be conducted as a pre-requisite to the ISO 27701 certification.
  • ISO 27701 certification, once obtained, must be renewed prior to the certification expiry, and continuous improvement should be made to ensure better incident management and privacy control.

Here’s the rundown of the Clauses and Annexes mentioned in ISO 27701:

  • Clause 1, Scope: This clause sets the requirements of the management, its systems and the targeted applications that will be in-scope for implementing PIMS. It focuses on scoping in PII Controllers as well as PII Processors responsible for the handling of PII.
  • Clause 2, Normative References: Normative references are documents that are referred to for easy implementation of a PIMS and its maintenance. Some mandatory documents that must be referred to in order to ensure adherence to the ISO 27701 standard are ISO/IEC 27000 Information security management systems – overview and vocabulary, ISO/IEC 27001 Information security management systems – requirements, ISO/IEC 27002 Code of Practice for Information Security controls and ISO/IEC 29100 Privacy framework.
  • Clause 3, Terms and Definitions: This clause contains additional terms and definitions, which are otherwise not mentioned in other normative references.
  • Clause 4, General: This clause gives an overview of the document and also sets out the PIMS-specific requirements in relation to other standards, such as ISO 27001 and ISO 27002. It is important to understand this correlation for better integration of privacy protection systems with other data security systems within an organisation.
  • Clause 5, PIMS-specific requirements related to ISO/IEC 27001: This clause deals with the extension of information security requirements as per ISO 27001 to correlate with privacy protection. It specifies the data privacy aspect in the context of the organisation, leadership responsibilities, risk assessment and treatments, resource requirements, internal audits and management review.
  • Clause 6, PIMS-specific guidance related to ISO/IEC 27002: This clause deals with the extension of information security requirements as per ISO 27002 to correlate with the protection of private data. Data privacy training, information classification of PII, removable media management, logical access control and data backup requirements are some of the additional requirements defined in the clause.
  • Clause 7, Additional guidance for PII controllers: This clause covers particular implementation guidance for PII Controllers and is mostly related to controls mentioned in Annex A. It specifically outlines all the roles and responsibilities of PII controllers regarding the collection, processing, sharing, transfer and disclosure of PII and also requires establishing clear communication regarding the consideration of special category data and consent requirements.
  • Clause 8, Additional guidance for PII processors: This clause covers particular implementation guidance for PII Processors and is mostly related to controls mentioned in Annex B. There are detailed recommendations on how to assist the client in responding to individual requests, managing temporary files created during processing, securely returning, transferring, or discarding PII, and implementing proper transmission restrictions.

The core purpose of these Clauses is to ensure that every detail regarding PIMS is considered and communicated to the relevant stakeholders for better implementation of the ISO 27701 standard.

There are various Annexes as well that help in making the process easier:

  • Annex A refers to controls specifically for PII controllers.
  • Annex B refers to controls specifically for PII processors.
  • Annex C refers to mapping of controls for PII controllers to ISO 29100 privacy principles.
  • Annex D refers to mapping of ISO 27701 clauses to GDPR articles 5 to 49 (except 43).
  • Annex E refers to mapping of ISO 27701 clauses to ISO 27018 requirements for PII processors and ISO 29151 for additional guidance and controls for PII controllers.
  • Annex F refers to details on how to apply ISO 27701 to ISO 27001 and ISO 27002.

These Clauses and Annexes play a very important part in addressing the whole process of implementing a successful PIMS and integrating it with various information security systems for better data protection and privacy protection.

While establishing and maintaining a PIMS is a time-consuming procedure, professional support can aid enormously and assure a smooth setup of a PIMS as well as a hassle-free experience attaining ISO 27701 certification. TÜV SÜD's ISO 27701 certification services offer the best experience to organisations seeking ISO 27701 certification. Their years of experience make this process comfortable and informative through their Awareness Training, Implementer Training and Internal Auditor Training, which respectively cater to training the employees of the organisation about the needs and requirements of a PIMS, assisting in the implementation of the PIMS, and conducting internal audits to ensure flawless implementation of a PIMS, ensuring that there is assistance at all times.
