Understanding ISO 27701: Privacy Information Management System (PIMS)

ISO 27701 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. We’re going to explain what that means.

What’s ISO 27701?

ISO/IEC 27701 will help you manage Personally Identifiable Information (PII) within your organisation. It’s a new standard, designed for use by anyone responsible for PII in any sort of organisation.

The standard shows you how to design, set up, manage and continually improve a Privacy Information Management System (PIMS).  It gives you a lot of flexibility in how you create and run your PIMS. ISO 27701’s flexibility will help you follow any relevant local PII regulations too.

ISO 27701 builds on ISO/IEC 27001. That means you can either:

  • Achieve ISO 27001 compliance or certification before you go for ISO 27701
  • Implement ISO 27001 and 27701 together as a single project

ISO 27701 came into being on the 6th August 2019. Because the standard is so new, very few organisations have adopted it. If you choose to go for ISO 27701 certification, you’ll find yourself ahead of the infosec pack.

What are the benefits of ISO 27701?

Almost every organisation holds detailed Personally Identifiable Information (PII) about individual people. If PII leaks, it can be very damaging. An ISO/IEC 27701 compliant Privacy Information Management System (PIMS) will protect your PII.

It’ll help you avoid the negative outcomes of PII breaches, which can include:

  • Fines of up to €20 million (under the EU’s GDPR regulations)
  • Substantial brand and reputational damage
  • Personal privacy issues for any compromised individuals

Achieving ISO 27701 certification can also have many positive impacts, including:

  • Making it easy to prove that you’re serious about information security
  • Speeding up your sales process and opening up new marketplaces
  • Strengthening relationships with existing customers and stakeholders

What’s the history of ISO/IEC 27701?

ISO 27001 is the most popular security standard in the world, but it has some gaps. In particular, it doesn’t tell you how to set up Personally Identifiable Information (PII) security measures.

The EU’s General Data Protection Regulation (GDPR) brought ISO 27001’s lack of clear PII guidance into focus. GDPR asks for PII security measures, but it doesn’t give any implementation guidance or requirements.

So work began on the standard that would become ISO 27701. The new PII management standard was first developed as ISO/IEC 27552. Technical work on ISO 27552 ended in 2019, leading to publication of the new standard on 6th August 2019. It’s an extension to ISO/IEC 27001.

Before publication, ISO/IEC 27552 became ISO/IEC 27701. That’s because any standard describing how to create a management system should end with 01.

Introducing privacy information management

Most organisations need to hold and process information about some or all of their:

  • Customers
  • Employees
  • Suppliers
  • Other stakeholders

Those people rely on data-gathering organisations to keep that information private. The risk of and potential damage from a privacy information, or Personally Identifiable Information (PII), breach is increasing fast. Issues can include:

  • Fines of up to €20 million (under the EU’s GDPR regulations)
  • Substantial brand and reputational damage
  • Personal privacy issues for any compromised individuals

So, more and more organisations are creating privacy information management systems (or PIMS). An effective, ISO 27701 compliant or certified PIMS has many potential benefits. It can:

  • Ease the compliance burden by making privacy information security easy to manage and possibly meeting several regulatory needs at once
  • Boost management, regulator and other stakeholder confidence by creating transparent, easy-to-demonstrate security measures
  • Quickly, easily meet and even exceed the privacy needs of your customers and other commercial partners
  • Set clear conditions for sharing and monetising the valuable data your organisation’s built up
  • Send a strong, brand-building signal that your organisation takes security very seriously indeed

What’s personally identifiable information?

Personally identifiable information (PII) is information that gives away someone’s identity. PII reveals identities either on its own or in combination with other data.

Some categories of PII are very sensitive. For example, you can only hold and process data about criminal convictions and offences in very limited circumstances.

To increase security, you can pseudonymise or anonymise your PII. The GDPR definitions of those two ways of managing your personal data are:

  • To pseudonymise personal data you need to process it “in such a way that the data can no longer be attributed to a specific data subject without the use of additional information” (GDPR Article 3)
  • To anonymise personal data you need to make sure that you process it “in such a way that the data subject is not or no longer identifiable” (GDPR Recital 26) under any circumstances

Pseudonymised data can still be subject to PII regulations and requirements. Most regulatory regimes probably won’t apply to anonymised data.

The difference between pseudonymised and anonymised data can be quite subtle and complex. It can vary in different jurisdictions. You’ll need to check carefully to make sure you’re applying all relevant regulations to your PII.
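The following is an added example, not code from the original page or from isms.online, showing the practical difference between the two GDPR definitions above. It pseudonymises a set of constructed customer records by replacing the direct identifier (email) with a keyed HMAC-SHA256 pseudonym, where the HMAC key is the “additional information” that still allows re-identification (so the output stays PII), and it anonymises the same records by generalising quasi-identifiers (postcode to outward code, birth year to decade) and suppressing any group too small to hide in. The record contents, key, field names and the `min_group` threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for the demonstration; not real people.
RECORDS = [
    {"email": "alice@example.com", "postcode": "BN1 1AA", "birth_year": 1984, "plan": "gold"},
    {"email": "bob@example.com",   "postcode": "BN1 3XY", "birth_year": 1986, "plan": "gold"},
    {"email": "carol@example.com", "postcode": "BN2 5QQ", "birth_year": 1979, "plan": "basic"},
    {"email": "dave@example.com",  "postcode": "BN2 9ZZ", "birth_year": 1975, "plan": "basic"},
    {"email": "eve@example.com",   "postcode": "BN3 1AA", "birth_year": 1990, "plan": "gold"},
]


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    Using a keyed MAC rather than a plain hash means an outsider cannot
    confirm a guessed email by hashing it; only the key holder can.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym.

    Everything else is kept, so the data is still attributable to a specific
    person by whoever holds the key: this is pseudonymised data in the GDPR
    sense and remains subject to PII regulations.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_id"] = make_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def relink(pseudonym: str, candidate_emails, key: bytes):
    """Demonstrate why pseudonymised data is still PII: with the key (the
    'additional information'), a pseudonym can be matched back to its subject.
    Returns the matching email or None."""
    for email in candidate_emails:
        if hmac.compare_digest(make_pseudonym(email, key), pseudonym):
            return email
    return None


def anonymise(records, min_group: int = 2):
    """Generalise quasi-identifiers and suppress small groups.

    Postcode is reduced to its outward code, birth year to a decade, and the
    direct identifier is dropped entirely. Rows whose (area, decade) group is
    smaller than min_group are removed, so no surviving row is unique on those
    attributes. No key exists that could re-link a row to a person.
    """
    generalised = [
        {
            "area": r["postcode"].split()[0],
            "birth_decade": (r["birth_year"] // 10) * 10,
            "plan": r["plan"],
        }
        for r in records
    ]
    group_sizes = Counter((g["area"], g["birth_decade"]) for g in generalised)
    return [g for g in generalised if group_sizes[(g["area"], g["birth_decade"])] >= min_group]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # would be kept in a key store, separate from the data
    for row in pseudonymise(RECORDS, demo_key):
        print("pseudonymised:", row)
    first = pseudonymise(RECORDS, demo_key)[0]["subject_id"]
    print("re-linked with key:", relink(first, [r["email"] for r in RECORDS], demo_key))
    for row in anonymise(RECORDS):
        print("anonymised:", row)
```

Note that the anonymised output drops the single record in area BN3 entirely: generalisation alone would have left that row unique, and suppression is what stops it being singled out. Whether this level of generalisation is enough to count as anonymous in a given jurisdiction is exactly the judgement the paragraph above warns you to check.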

Oh, and if you hold information on someone who has (very sadly) died, then it probably won’t be PII. Information about the deceased isn’t generally classed as personal. Details of companies, public authorities or other organisations probably aren’t PII either.

What’s a PIMS?

A PIMS is a Personal Information Management System. It combines

  • clearly-defined and widely-understood policies and procedures
  • effective privacy management technology
  • well-trained people

to protect the Personally Identifiable Information (PII) your organisation holds and uses. An effective PIMS will reassure your organisation’s

  • employees
  • customers
  • contacts
  • other stakeholders

that you’re managing their personal information in a secure and responsible way.

Your PIMS will help you store and share PII, both internally and externally. The right PIMS will also make it easy for people to update and correct any data you hold on them.

Getting ISO 27701 certified

Who can implement ISO 27701?

To implement ISO 27701, your organisation needs to:

  • Process and / or manage Personally Identifiable Information (PII)
  • Have an ISO 27001-certified information security management system (ISMS)

It doesn’t matter what type or size of organisation you are. ISO 27701’s requirements flex to cover all types and sizes of organisation. That includes (but isn’t limited to):

  • Public and private companies
  • Government entities
  • Not-for-profit organizations

How do you get started with ISO 27701?

Get to know the ISO 27701 standard. It’ll help you define your privacy management strategy and plan your PIMS. Next build your PIMS, creating its systems and tactical controls. Then implement your PIMS, making sure you follow all the ISO 27701 requirements.

You’ll be ready for your audit once full ISO 27701 certification becomes possible. At the moment the standard is so new that nobody’s accredited to certify you for it.

Oh, and to achieve ISO 27701 you’ll need to be either ISO 27001 compliant or certified. If you don’t have ISO 27001, you’ll need to plan how to implement it too.

What do you need to get ISO/IEC 27701:2019 certified?

ISO/IEC 27701:2019 is so new that it doesn’t have any accredited certification bodies. So, at time of writing, you can’t actually get ISO 27701 certified.

We recommend achieving ISO 27001 compliance, so you’re ready when certification becomes possible. It looks like you’ll be able to get ISO 27701 certified from mid-2021 on.

To achieve ISO/IEC 27701:2019 compliance, you need to

  • design
  • build
  • implement

a Personal Information Management System (PIMS) for your organisation.

Your new PIMS should follow:

  • The ISO 27701 standard in all relevant ways
  • Any national or international regulations that apply to your organisation

ISO 27701 assumes you’ve already achieved ISO 27001 compliance or certification. That means creating an information security management system (ISMS). You can set up your ISMS ahead of or alongside your ISO 27701 implementation.

How do you show good practice for ISO 27701?

When you go for ISO 27701 certification, your auditors will assess your PIMS by:

  • Reading through your PIMS’ documentation
  • Interviewing your people to make sure they understand it and use it
  • Carrying out tests to see how well it works in practice

To show good ISO 27701 practice, you’ll need:

  • Comprehensive PIMS documentation
  • Well-trained staff
  • Widely-understood and followed policies and procedures

How do you get ISO 27701 certified?

ISO/IEC 27701:2019 is so new that it doesn’t have any accredited certification bodies. So, at time of writing, you can’t actually get ISO 27701 certified. When ISO 27701 certification does become possible, it’ll follow a similar process to ISO 27001 certification.

First you’ll need to design, build and implement your Personal Information Management System (PIMS). Make sure you follow the requirements given in the ISO 27701 standard. Then sign up with a recognised independent certification body, who will audit your PIMS.

Your certification body’s auditors will assess your PIMS documentation. Then they’ll test your PIMS, usually through on-site interviews and sampling. If you pass your audit, you’re certified. You’ll then have two annual surveillance audits. After three years, you’ll need to get re-certified.

How ISO 27701 relates to other standards

How does ISO 27701 relate to ISO 27001?

ISO 27701 fills in some Personally Identifiable Information gaps in ISO 27001. So you can implement it either alongside or after ISO 27001.

Which other standards does ISO 27701 map onto?

As well as ISO 27001, ISO 27701 maps onto:

  • The privacy framework and principles defined in ISO/IEC 29100
  • ISO/IEC 27018
  • ISO/IEC 29151
  • GDPR

Bear in mind that you’ll also need to follow any local regulations if you map ISO 27701 onto any other standard.

How does ISO 27701 relate to GDPR?

ISO 27701 is separate from GDPR. But if you’re ISO 27701 compliant or certified, your Personal Information Management System will be GDPR compliant.

How does ISO 27701 relate to ISO 27552?

ISO 27701 was first developed as ISO/IEC 27552. The standard’s name changed to ISO 27701 before its 2019 launch. ISO 27552 became ISO 27701 because any standard that tells you how to set up a management system must end with 01.

What’s the ISO 27000 family of standards?

The ISO 27000 family of standards focuses on information security. Each ISO 27000 standard has a different infosec emphasis and requirements. Organisations of any size or type can use them.

Key family members include:

  • ISO 27000 introduces the family and explains basic terms and definitions
  • ISO 27001 tells you how to create an Information Security Management System
  • ISO 27017 and 27018 show you how to protect sensitive data held in the cloud
  • ISO 27031 focuses on maintaining business continuity when challenges or crises hit
  • ISO 27701 shows you how to create a Personal Information Management System

Key details of ISO 27701 annexes

What does Annex D cover?

Annex D of the ISO 27701 standard tells you how to map its controls on to the EU’s General Data Protection Regulation (GDPR).

What does Annex F cover?

Annex F of the ISO 27701 standard explains how to extend ISO/IEC 27001 and ISO/IEC 27002 to protect Personally Identifiable Information (PII).
