ISO/IEC 27701:2019 — Information technology — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Guidelines and requirements
Information security and privacy management overlap to a large extent, but each field is broader than the overlap and extends beyond the other. This standard outlines how to ‘enhance’ (adapt and extend) an ISO/IEC 27001 Information Security Management System, together with the associated ISO/IEC 27002 [or other] controls, so that it addresses privacy as well as information security.
The scope of the standard
In the standard, the Privacy Information Management System is defined in terms of ISO/IEC 27001 (ISMS), 27002 (security controls), and 29100 (privacy framework). It applies to both controllers and processors of Personally Identifiable Information.
‘27701 builds on and relies on ‘27001: to be certified compliant to ‘27701, an organization must have an ISMS that complies with ‘27001. The privacy component added by ‘27701 extends ‘27001’s focus on information security.
This roughly 70-page standard provides clause-by-clause analyses of the specific aspects of a PIMS that differ from the broader ISO/IEC 27001 and 27002 standards.
An example would be:
“ISO/IEC 27001:2013, 6.1.3 c) can be summarized as follows:
To verify that no necessary controls have been omitted, the controls determined in 6.1.3 b) of ISO/IEC 27001:2013 should be compared to those in ISO/IEC 27001:2013, Annex A and/or Annex B of this document.
During the assessment of the applicability of management objectives and controls in ISO/IEC 27001:2013 Annex A for handling risks, the organization shall consider both information security risks and processing risks, including PII principal risks.”
In 2019, the first edition was published.
Practitioners familiar with the ISO27k process can readily apply the same information risk management principles to personal information:
1. Identify risks related to privacy;
2. Assess them;
3. Decide how to handle them;
4. Apply the decisions – treat them accordingly;
5. Rinse, then repeat.
Because the standard spells out these requirements explicitly, practitioners without that ISO27k background can follow the same process as well.
PIMS conformance audits are governed by an accreditation standard, ISO/IEC 27006-2, which guides certification auditors in issuing meaningful certificates. The emphasis of ‘27701 certification is on verifying that the management system complies with all the mandatory requirements, which is subtly different from ensuring that appropriate privacy arrangements are actually in place. The challenge for compliance auditors is that “appropriate” is not spelt out in ‘27701 but is determined by the organization itself.