What is Privacy Information Management and ISO/IEC 27701?
The European Union’s GDPR [General Data Protection Regulation] has ushered in a new era of privacy regulation and compliance. More privacy regulations have since been enacted in different jurisdictions. This requires organizations to implement policies and procedures in order to assure compliance with the growing list of privacy regulations.
Additionally, we are amidst a rapid digital transformation, where data collection and processing are dramatically increasing. The simultaneous growth in data volume and regulatory requirements pertaining to that data makes compliance increasingly complex for organizations.
The new international standard ISO/IEC 27701 Privacy Information Management System [PIMS] helps organizations reconcile privacy regulatory requirements. Formerly known as ISO/IEC 27552 [during the drafting period], ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. It is an international management system standard that outlines a comprehensive set of operational controls, which can be mapped to various regulations, including the GDPR.
Once it is mapped, the Privacy Information Management System operational controls are implemented by privacy professionals and audited by internal or third-party auditors. This facilitates certification and provides comprehensive evidence of conformity. The standard offers guidance on the protection of privacy, including how organizations should manage personal information.
Compliance Challenges
Vendors need to certify against PIMS. This is an effective way to establish responsible privacy practices among suppliers and partners, irrespective of the size of your organization. ISO/IEC 27701 will help address three key compliance challenges:
- Multiple Regulatory Requirements: Reconciling multiple regulatory requirements through the use of a universal set of operational controls will enable consistent and efficient implementation.
- Auditing Regulation-by-Regulation: Auditors, both internal and third party, will be able to assess regulatory compliance using a universal operational control set within a single audit cycle.
- Certificate of Compliance: Commercial agreements involving movement of personal information may warrant certification of compliance.
Building Blocks Of The Standard
PIMS is built on top of the most widely adopted international standards for information security management, ISO/IEC 27001. If your business is already familiar with ISO/IEC 27001, it will be more efficient to integrate the new privacy controls of PIMS. This means implementation and audit of both will be less expensive and easier to achieve.
PIMS adds new controller-specific and processor-specific controls, which help bridge the gaps between security and privacy. It also provides a point of integration between what may be two separate functions in an organization. ISO/IEC 27701 helps organisations with:
- Building trust in managing personal information
- Maintaining transparency between stakeholders
- Facilitating effective business agreements
- Defining roles and responsibilities
- Supporting compliance with privacy regulations
- Reducing complexity
Does Your Organisation Need ISO/IEC 27701?
ISO/IEC 27001 is one of the most used ISO standards across the globe. Many companies are already certified to it. It is applicable to all types and sizes of organizations, including government entities, public and private companies and non-profit organizations.
So, whether your organization is a controller or a processor, it should consider pursuing certification for itself, or requiring it from vendors or suppliers, based on its business requirements. This applies especially to co-controllers, processors and sub-processors, along with those who process sensitive or high volumes of personal data.
ISO/IEC 27701 provides guidance for organizations that are responsible for PII processing within an Information Security Management System [ISMS], specifically:
- PII controllers [including those who are joint PII controllers]
- PII processors
ISO/IEC 27701 Requirements
To gain an introduction to ISO/IEC 27701 requirements and privacy information management certification, follow these 3 steps:
Step 1: Requirements
Step 2: Implementation
Step 3: Certification
Privacy depends on security and, similarly, PIMS depends on ISO/IEC 27001 for security management. PIMS certification should therefore be obtained as an extension of an ISO/IEC 27001 certification, rather than independently.
If you already have an ISO/IEC 27001 Information Security Management System in place, you are ready to get started with ISO/IEC 27701. The guidance and requirements for the ISO/IEC 27701 Privacy Information Management System [PIMS] span 8 clauses and 6 annexes, which include personally identifiable information [PII] controls and mappings to related standards and the GDPR.
Therefore, it is crucial that you understand all the guidance, requirements and controls, and ensure they are appropriately implemented across your organization.
Neumetric is a cyber security Advisory and Consulting organization that can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security across multiple industries make it easier for us to quickly execute security activities that add value to you, while you continue focusing on the business objectives of your organization.