ISO/IEC 27701 – Privacy Information Management Standard. An extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management within the context of the organization. Requirements and guidelines.
The ISO/IEC 27701 standard establishes specific requirements, guidelines and measures for establishing a privacy information management system. It extends the requirements for developing an information security management system set out in ISO/IEC 27001 and ISO/IEC 27002 by incorporating the legal requirements and good practices relating to information privacy. That is, where ISO/IEC 27001 and ISO/IEC 27002 cover topics expressly connected to information security, ISO/IEC 27701 extends the scope to topics related to both information security and information privacy.
The standard ISO/IEC 27701 is applicable internationally, as its privacy requirements derive mainly from the General Data Protection Regulation (GDPR) and from the guidelines issued by the European Data Protection Board. Given that GDPR offers the most detailed framework for personal data privacy management, ISO/IEC 27701 can also be used by organizations subject to other legal regimes, such as the Health Insurance Portability and Accountability Act (USA), the Gramm-Leach-Bliley Act (USA), the California Consumer Privacy Act (USA), etc.
ISO/IEC 27701 is implemented according to the implementation methodology of ISO/IEC 27001, as ISO/IEC 27701 determines which of the controls included in Annex A of ISO/IEC 27001 have to be modified.
The standard ISO/IEC 27701 can broadly be divided into 3 parts:
- Specific requirements for developing a Privacy Information Management System (PIMS), which extend the requirements of ISO/IEC 27001
- Specific guidelines for applying measures to develop a PIMS, which extend the guidelines of ISO/IEC 27002
- Additional guidelines for organizations acting as personal data administrators (controllers)
- Additional guidelines for organizations acting as personal data processors
- Specific measures (controls) related to the development of a PIMS
2. Implementation activities
The implementation of ISO/IEC 27701 is based on the organization performing a risk assessment using the methodology set out in ISO/IEC 27001; this requires the successful completion of a number of steps and measures, including:
- Establishing the origin, type and purpose of personal data processing
- Determining the scope of the Privacy Information Management System
- Performing an internal audit to establish the level of compliance with the regulatory framework
- Developing a system for continual improvement of the PIMS in accordance with the applicable legal framework
- Performing a full inventory of the classes of personal data
- Elaborating procedures for determining and documenting the terms of personal data collection and processing
- Establishing an approach to employee training
- Implementing processes for fulfilling the organization's obligations toward data subjects
- Defining an operation for processing requests and complaints received from data subjects, as well as for communicating with the regulatory authorities
- Applying measures to provide personal data protection by design and by default
- Developing processes for data protection impact assessment
- Implementing processes for removing or mitigating risks to data protection
- Approving and documenting processes for sharing and disseminating personal data
- Preparing contracts that define the terms of information sharing with organizations processing personal data, as well as with third parties
- Managing a risk assessment system for partners and contracting parties that work with personal data, and others.
3. Certification process
Given that ISO/IEC 27701 is not a separate, independent standard and only extends ISO/IEC 27001, the certification process is not separate from that of the information security management system. For example, if the organization is already certified under ISO/IEC 27001, it can, through a request to the certification body, extend the scope of the certification audit to include the measures set out in ISO/IEC 27701 and, on successfully completing the audit, receive the relevant certificate.