Just arrived: The ISO privacy standard

Tuisku Sarrala

Senior Privacy Consultant

October 23, 2019 at 09:30

One of the newest standards in the ISO 27k series is ISO 27701, which addresses security techniques for privacy information management. ISO 27701 offers a certification opportunity that cannot be missed for organisations that already align with ISO 27001 and have completed a GDPR (General Data Protection Regulation) compliance project.

Privacy and security are the key in the new ISO 27701 standard.

Organisations can gain this privacy certification either as a standalone certification or as an extension to their ISO 27001 certification. Alternatively, organisations that are not looking to get certified but wish to improve their privacy management can map their arrangements to the ISO 27701 requirements.

With the right guidance, drawing the lines between the organisation’s current implementation and the new ISO privacy standard should be relatively easy and effortless for the organisation. We at Nixu provide this service.

ISO management systems framework

The new privacy standard extends ISO 27001 and ISO 27002, so organisations which have an Information Security Management System (ISMS) aligning with these standards have already completed a large chunk of the required work.

Organisations do not need an existing ISO 27001 certification to certify as ISO 27701 compliant, since the ISO 27701 introduces PIMS, a Privacy Information Management System. This is listed as a Type A MSS (Management System Standard) meaning that it can exist as a standalone certifiable management system. The PIMS is compatible with the other ISO management system standards.

Immediate benefits

Having the ISO 27701 certification means that the organisation’s governance arrangements are top notch not just for privacy but also for information security, since it extends ISO 27001. The privacy certification can also provide a way to avoid cumbersome auditing requirements that personal data controllers place on their processors. In the event of a data breach, the organisation can demonstrate with the certification that it has acted within its duty of care. A clear benefit for organisations is that they will immediately gain a high level of trust from their stakeholders as a result of the certification.

For an organisation where security and privacy sit in separate silos, extending the ISMS with a PIMS will break those silos by establishing better communication and by joining up the risk management, monitoring, measurement and continual improvement of information security and privacy. Leveraging the established ISMS management processes for the PIMS helps to streamline the overall information governance structure.

Alignment and compatibility with GDPR

Organisations can get their privacy management certified to the ISO standard, which is exciting, but in the EU it is the GDPR which sets the rules and requirements for personal data processing. Readers might ask: could the ISO privacy standard be used to prove GDPR compliance?

‘Certification’ mentioned in the GDPR and the new ISO privacy standard are two different things, to be clear, but getting certified with the latter brings overall benefits.

The GDPR lists ‘certification’ as one of the mechanisms by which companies could prove that their personal data processing adheres to the GDPR – if it existed. It remains to be seen which bodies will offer it and what it will look like. The EU working group, the European Data Protection Board (EDPB), is working on the implementation guidelines. Already published EDPB guidelines state that GDPR-style certification schemes should be interoperable with other standards, and so we have high hopes that when they materialise, they will be compatible with ISO 27701.

The ISO standard has its place and it answers a current need: the GDPR requires the organisation’s privacy and security management arrangements to be in good shape, and having a certified PIMS can be used to prove this to the organisation’s stakeholders. From this viewpoint, a PIMS is an excellent choice for organisations looking to strengthen their GDPR compliance arrangements.

ISO 27701 is an international standard, and while it aligns with the GDPR, it does not tie itself to it – it can be used in any legislative environment internationally. Therefore, organisations need to actively refer to the GDPR when applying the ISO privacy standard if they wish their PIMS to implement it.

How we can help

Almost every organisation processes personal information and we expect ISO 27701 to become an important standard to generate trust amongst stakeholders and to prove good compliance arrangements.

Nixu offers advisory services in ISO 27001 and ISO 27701, in the form of a roadmap and development projects.

Nixu’s independent certification body Nixu Certification Ltd. offers both ISO 27001 and ISO 27701 audits and certifications. Nixu Certification Ltd. will be seeking ISO 27701 accreditation as soon as it becomes possible, but audits and certifications can be provided already.

All our information security and privacy consulting services are delivered by seasoned specialists and auditors who have industry-recognised professional certifications such as CISSP, CISM, CISA, CRISC, CIPP/E and CIPM, and legal expertise.
