ISO 27701 - The ISO standard for Data Protection & Privacy
Dipen Das, CISM, CISSP, CRISC
CISM, CRISC & CISSP certified Cybersecurity Enthusiast | IT Risk | Cloud Security | Risk and Compliance | ISMS | ISO27001 | ISO 27005 | NIST CSF | Privacy | PCIDSS | Data Security |
ISO 27701 is an international standard by ISO that defines the management system and requirements for the processing of personal data
ISO 27701 is not a standalone standard, it's an extension of the immensely popular ISO 27001 standard and is part of the ISO 27000 series. ISO/IEC 27701 is an addendum of "Privacy" to the ISO's information security management standard, ISO 27001
Here is how ISO 27001, ISO 27002 and ISO 27701 are defined:
ISO 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO 27002:2022 - Information security, cybersecurity and privacy protection — Information security controls
ISO 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
The current version of ISO 27701 was released in 2019 and is aligned to ISO 27001:2013 and ISO 27002:2013. With the release of the 2022 versions of ISO 27001 and ISO 27002, a new version of ISO 27701 is under development.
The standard itself is defined as an extension of ISO 27001 and ISO 27002. ISO 27701 specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a PIMS (privacy information management system).
Whereas the ISO 27001 standard establishes a framework for an organization's Information Security Management System (ISMS), ISO 27701 expands the ISMS into a Privacy Information Management System (PIMS). It extends the requirements of ISO 27001 to cover the protection of the privacy of personal data (PII) in addition to information security. The standard was released after the European Union's GDPR came into force, in an attempt to extend the same approach to regions outside the EU.
ISO 27701 is the standard for the development and management of a privacy information management system (PIMS), rather than an information security management system (ISMS) as in ISO 27001. Organizations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management, including their processing of personal data/PII. ISO 27701 has been designed to be used by all data controllers and data processors.
ISO 27701 was released in August 2019 and seeks to provide a truly international approach to privacy protection as a component of information security, thereby expanding GDPR internationally.
Implementing ISO 27701
ISO 29100 covers the privacy framework for information technology.
ISO 29151 covers the code of practice for the protection of personally identifiable information.
A data (PII) controller determines the purposes and procedures of data usage, while a data (PII) processor processes any data that the data controller gives it.
ISO 27701 - How the standard is structured.
The standard consists of eight main sections or clauses and six annexes.
Clause 5 - gives PIMS-specific requirements and other information regarding the information security requirements in ISO/IEC 27001 appropriate to an organization acting as either a PII controller or a PII processor. This section describes how privacy management can be included in the management clauses of ISO 27001.
Statement: The requirements of ISO/IEC 27001:2013 mentioning "information security" shall be extended to the protection of privacy as potentially affected by the processing of PII.
As an example, we can compare clause 4.1 of ISO 27001 vs clause 5.2.1 of ISO 27701
Clause 6 - gives PIMS-specific guidance and other information regarding the information security controls in ISO/IEC 27002, and PIMS-specific guidance for an organization acting as either a PII controller or a PII processor. This section describes how privacy management can be included in the 15 domains of the Annex A controls via the guidelines specified in ISO 27002.
Statement: The guidelines in ISO/IEC 27002:2013 mentioning "information security" should be extended to the protection of privacy as potentially affected by the processing of PII.
As an example, we can consider two controls: i) Classification of Information and ii) Labelling of Information.
PIMS Specific Controls & Guidelines
In addition to extending the existing controls of ISO 27001 to a PIMS environment, note that a PIMS requires additional dedicated controls for personal data. These additional controls are documented in Annex A and Annex B.
Unlike an ISMS, where the controls and their implementation guidelines are stated separately in ISO 27001 (Annex A) and ISO 27002 respectively, the controls and guidelines for a PIMS are stated in ISO 27701 itself.
These controls can be included in the existing ISMS Statement of Applicability (SoA).
Clause 7 - gives additional ISO/IEC 27002 guidance for PII controllers for controls mentioned in Annex A of ISO 27701. (4 domains and 31 controls)
Clause 8 - gives additional ISO/IEC 27002 guidance for PII processors for controls mentioned in Annex B of ISO 27701. (4 domains and 18 controls)
Annex A - lists the PIMS-specific control objectives and controls for an organization acting as a PII controller (whether it employs a PII processor or not, and whether acting jointly with another PII controller or not).
It has 4 domains and 31 controls. It is the equivalent of Annex A of ISO 27001, but for PII controllers.
Annex B - lists the PIMS-specific control objectives and controls for an organization acting as a PII processor (whether it subcontracts the processing of PII to a separate PII processor or not, and including those processing PII as subcontractors to PII processors).
It has 4 domains and 18 controls. It is the equivalent of Annex A of ISO 27001, but for PII processors.
Annex C - contains a mapping to ISO/IEC 29100.
Annex D - contains a mapping of the controls in this document to the European Union General Data Protection Regulation.
Annex E - contains a mapping to ISO/IEC 27018 and ISO/IEC 29151.
Annex F - explains how ISO/IEC 27001 and ISO/IEC 27002 are extended to the protection of privacy when processing PII.