ISO 27701 was published in August 2019. It is the first international standard in the world which specifies requirements for a privacy-specific Information Security Management System (ISMS). It does so as a supplementary standard to others that they have published by extending ISO 27001’s definition of an ISMS. It is meant to help organisations better protect personal data and meet regulatory requirements across multiple jurisdictions. Representatives from the French data protection authority and Microsoft participated in its development.

Background to ISO 27701

The International Standards Organisation (ISO) published ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines on 6 August 2019 and it:

  • sets out the specifications for a management system for protecting personal data; and
  • supplements ISO 27001 by describing additional necessary privacy requirements.

The ISO working group five technical committee, which includes international specialists from data protection authorities, security agencies, academia and industry, developed it.

ISO 27701 applies to personal data

ISO 27701 is designed to enable personally identifiable information (PII) processing as part of or in addition to the management of information security using an ISMS.

PII is any data that could identify a specific individual, including any information that:

  • distinguishes one person from another; or
  • can be used for de-anonymizing anonymous data;

such as email addresses, medical or financial records or credit card numbers.

It is sufficiently similar to personal data in terms of data protection laws, such as the GDPR in the EU, for us to treat it as the same thing for the purposes of this discussion.

The standard helps with information security in terms of data protection law

Data protection laws generally require those processing personal data to take appropriate and reasonable measures to prevent unauthorised access to that personal data. But, what are appropriate and reasonable measures?

ISO 27001 refers to the information security control measures in ISO 27002 and requires that an organisation implement these as may be appropriate to them by establishing and documenting a ‘Statement of Applicability’ indicating which of the 114 information security control measures the organisation may apply and their reasons for doing or not doing so.

This is in line with the requirement in most data protection laws that those processing personal data should document their processing operations.

Benefits of ISO 27701

ISO 27002 includes among its control measures that organisations must implement: ‘Compliance with legal and contractual obligations’, which would include relevant data protection laws.

ISO 27701 is particularly beneficial for compliance with data protection laws, because:

  • it identifies the issues relevant to data protection and maps them to the information security control measures in ISO 27002;
  • it is useful that a single information security control measure may satisfy multiple data protection law requirements;
  • while there are compliance requirements that do not map directly to ISO 27002’s control measures, they generally relate to the administration of data protection requirement in most data protection laws;
  • the practical controls that promote the confidentiality, integrity and availability of information required to lawfully process personal data are materially similar to those in data protection laws;
  • it provides necessary evidence of compliance from a governance perspective;
  • it helps communicate privacy compliance to customers, suppliers and subcontractors; and
  • ISO designed the standard for all organisations regardless of size.

Reference to the standards referred to above and others forming part of the ISO 27000 suite of standards are of great value to both information security and data protection initiatives because of the close correlation between information security and data protection.

You can purchase ISO 27701 and other information security standards from ISO’s website.

ISO 27701 certification

Many organisations are curious about certification for compliance with the ISO 27701 standard.

While the relevant authorities are discussing the possibility of certified compliance, the fact that standard includes both ‘requirements’ and ‘guidelines’ makes certification difficult because it is not always clear which is which.

An organisation seeking ISO 27701 certification would also have to pursue 27001 and 27002 certification.

How we can help you

Information security is critical to data protection and we can help you establish an ISMS and a combined management system that also incorporates data protection control measures by: