ISO 27701 PRIVACY INFORMATION MANAGEMENT SYSTEM (PIMS) CERTIFICATION

What is ISO/IEC 27701?

ISO 27701 of ISO/IEC 27701 is a Privacy Information Management System (PIMS) standard that is designed to help organisations comply with privacy laws around the world. In recent years, new data protection laws have been introduced in multiple countries that establish requirements for securing and processing Personally Identifiable Information (PII). However, it is not always clear how organisations should comply with these laws. ISO 27701 was introduced in 2019 and provides actionable guidance to help organisations conform to these varied regulations.

ISO/IEC 27701:2019 is an extension of ISO/IEC 27001, the information security management system (ISMS) standard. Where ISO/IEC 27001 sets a standard for secure IT governance in the broadest sense, ISO/IEC 27701 focuses specifically on protecting personal data.

ISO/IEC 27701 is the first standard of its type in the world and is applicable to public and private companies, government entities and not-for-profit organisations. It supports compliance with the EU’s GDPR, but is also applicable to personal data governance laws in all other geographies.

Why is ISO 27701 certification important?

Following several high-profile data breaches, national governments and organisations like the EU have introduced strict new laws around private data protection. These data protection laws aim to protect the PII of citizens, such as their names, addresses, age, bank account details and more.

However, understanding how to apply these regulations to your organisation’s ISMS can be very challenging. Furthermore, for organisations that process customer and employee data in multiple jurisdictions, ensuring compliance with several countries’ data governance laws is complex and time-consuming. ISO/IEC 27701 supports you by providing a standardised way of complying with all these laws.

Benefits of ISO 27701 certification include:

• Compliance with all relevant data protection laws and clarification of the roles and responsibilities of PII controllers and processors.
• Gain a competitive edge – ISO/IEC 27701 certification demonstrates strong IT governance and increases stakeholder trust in your privacy and data protection practices.
• Achieve world-class standards – a rigorous risk and compliance driven approach meets the requirements of global data governance laws.
• Improve transparency – measure and report data privacy improvements using detailed security and privacy controls.
• Minimise PII related risk by keeping track of evolving privacy threats and the regulatory landscape.
• Supports business relationships with your customers and suppliers by demonstrating you meet PII protection standards worldwide.

TÜV SÜD supports businesses through the ISO/IEC 27701 certification process

TÜV SÜD’s experienced ISMS teams possess the accreditation and expertise to conduct ISO/IEC 27001 and ISO/IEC 27701 audits across industries. Through our worldwide network of IT governance professionals, we can provide information security certification services no matter where you are. We have an in-depth understanding of the standard and have extensive experience helping organisations implement this kind of IT governance regulation.

Furthermore, TÜV SÜD’s experts actively participate in international standardisation committees and we have a complete understanding of the latest PII regulatory developments around the world. And because we are vendor agnostic, our third-party audits are both impartial and independent, meaning your organisation gains valuable insights from an unbiased expert.

TÜV SÜD’s ISO/IEC 27701 certification process

TÜV SÜD has developed an efficient five-step process to support your ISO/IEC 27701 certification:

1. Readiness Review
   We help you understand the standard’s objectives and informational requirements for the audit.
2.  Audit on-site
   Our experts conduct audits of your PII protection activities, assessing how you store and process customer information.
3. Non-conformance resolution
   After the audit, your organisation implements measures to correct any non-conformances that the audit identified.
4. Issuance of audit report and certificate
   TÜV SÜD issues you with your ISO 27701 certificate, which you can use to demonstrate your compliance.
5. Annual surveillance
   To maintain the certificate, we conduct annual surveillance to ensure ISO data management standards continue to be met.

Complying with new privacy regulations such as the EU’s GDPR, California’s Consumer Privacy Act, India’s Personal Data Protection Bill or Brazil’s General Data Protection Law can be very challenging. However, by becoming ISO/IEC 27701 certified, your organisation can indicate compliance with all these (and similar) requirements.

To find out more about the standard or to begin the ISO/IEC 27701 certification process, contact us today.