ISO 27701 and ISO 27001: Information Technology Security Techniques

What is ISO 27701?
ISO/IEC 27701:2019 is an extension to the international standard for information security management, ISO/IEC 27001. Its full title is "ISO/IEC 27701 Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines".

ISO 27701 defines the requirements for a PIMS (privacy information management system) and provides guidance on how to establish, implement, maintain and continually improve it.

ISO 27701 is built on ISO 27001 and adds privacy-specific requirements, controls and control objectives.

If you want a concise overview of the basic principles of managing personal information and of ISO/IEC 27701, read our bestselling pocket guide, ISO/IEC 27701:2019: A brief introduction to privacy information management.

Why was ISO 27701 created?
The DPA 2018 (Data Protection Act 2018), the UK GDPR and the EU GDPR (General Data Protection Regulation) all require organisations to take measures to protect the privacy of the personal information they handle.

However, the laws give little guidance on what those measures should look like. ISO 27701 was developed by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) to fill that gap with a recognised, auditable framework.

How does ISO 27701 work with ISO 27001?
ISO 27001 defines the requirements for an ISMS (information security management system). It is a risk-based system that encompasses processes, people and technology. Certification to ISO 27001 by an accredited certification body gives stakeholders independent assurance that information has been appropriately secured.

Organisations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to privacy management, including the processing of personal data/PII (personally identifiable information). This helps them demonstrate that reasonable measures were taken to comply with data protection laws such as the GDPR.

Organisations that do not yet have an ISMS can implement ISO 27001 and ISO 27701 together in a single project.
Download a free PDF: How to get your business on the right track to GDPR and DPA conformity with ISO 27701
Your path to GDPR & DPA 2018 compliance with ISO 27701

Who should implement ISO 27701
ISO 27701 is designed to be used by any organisation that acts as a data controller or data processor. As with ISO 27001, the standard advocates a risk-based approach, so that each organisation identifies the threats and risks to privacy and personal information that apply to it.

What is the difference between a privacy information management system and a personal information management system?
ISO 27701 specifies the requirements for a privacy information management system; BS 10012 is the British standard for a personal information management system.

There is little difference between the terms - both are management systems designed to protect personal information - so for day-to-day purposes you can take the acronym PIMS as referring to either. There are, however, some significant differences between the two standards, which are described below.

What should I consider when choosing ISO 27701 over BS 10012?
While there are benefits to both standards, they differ in certain areas.

BS 10012 is aligned with the GDPR and the DPA 2018. ISO 27701 is not tied to any specific privacy regime, which gives it broader applicability: a conformant organisation can map its PIMS to a range of privacy regulations.

BS 10012 is a good option if your primary goal is compliance with the GDPR and the DPA 2018.

If you must demonstrate compliance with several data protection regulations, an international standard is likely to be the better choice.

IT Governance can help you determine which standard best meets your needs and can support your implementation.

Demonstrate GDPR compliance with ISO 27701 and ISO 27001
Implementing ISO 27701 and ISO 27001 helps you meet the privacy and security requirements of the GDPR and other data protection regulations. It also provides evidence that you have management systems in place for the "appropriate technical and organisational measures" needed to safeguard the personal data you collect and to uphold data subjects' rights, in line with the GDPR's accountability principle (Article 5(2)).

Article 42 of the GDPR provides for data protection certification mechanisms, seals and marks. At the time of writing, no such mechanisms have been established. It is, however, possible to obtain ISO 27001 certification (and, as an extension of that certificate, ISO 27701) once your organisation has implemented the required measures. This certification demonstrates to stakeholders and regulators that you follow international best practice for securing personal information/PII.
