Achieving regulatory compliance with ISO 27701

We’re your all-in-one platform for an integrated PIMS

ISO 27701 shows you how to build a Privacy Information Management System (PIMS) to comply with any privacy regulation, including the EU’s GDPR and South Africa’s POPIA. Our simplified, secure, sustainable platform helps you follow the standard’s structured approach.

ISO 27701 or BS 10012?

ISO 27701 and BS 10012 can both help you comply with GDPR and other privacy regulations by creating a PIMS. But there are important differences between them.

• ISO 27701 is an extension to ISO 27001. So to create an ISO 27701-based PIMS, you need to have or create an ISO 27001-based information security management system, or ISMS. With the stand-alone BS 10012 you can build a stand-alone PIMS.
• ISO 27701 is regulation-agnostic so it’ll help you with all privacy regulations, of course including GDPR and GDPR-based ones. BS 10012 is GDPR based so it’ll help you meet GDPR or GDPR-based regulations.

ISO 27701 could be a better option if:

• You need or already have an ISO 27001-based ISMS
• Your organisation has to follow a wide range of regulations

The rest of this page explains how to achieve ISO 27701.

BS 10012 could be a better option if:

• You don’t need or already have an ISO 27001-based ISMS
• Your organisation needs to comply with the GDPR or a GDPR-based regulation

To find out how to achieve it, visit our Achieve BS 10012 page.

Creating an ISO 27701-based PIMS to achieve privacy regulation compliance

Our ISO 27701 solution is a pre-configured PIMS. It’ll make sure that your privacy work aligns with and meets the needs of each section of the standard. And because it’s regulation agnostic, you can map it onto any regulation or regulations you need to.

Your PIMS will follow ISO 27701 and help you achieve GDPR compliance by:

Responding to the big picture

You’ll start the PIMS development process by understanding the context your PIMS will work in. You’ll define whether your organisation’s a PII controller, PII processor or both. And you’ll make sure you’re aware of:

• Legal factors, like privacy legislation, regulations or judicial decisions
• Organisational factors, like its context, governance, policies and procedures
• Practical factors, like any administrative decisions and contractual requirements

Then you’ll make sure you understand and take into account the needs and expectations of anyone with an interest in how you process PII. That can be a long list, including everyone from your customers and suppliers to regulators and trade bodies.

Once you’ve worked through all that, you’ll be able to scope out your PIMS. If you’re extending your existing ISMS to also address PIMS requirements you might need to rethink your ISMS’ scope too. And if you’re implementing both at the same time, then you’ll make sure they’ll work together.

Getting your leadership on board

Your whole organisation needs to understand and comply with your PIMS. To achieve that, you’ll need to have your senior leadership fully on board. ISO 27701 points you back to ISO 27001 for guidance. If you’ve already created an ISO 27001 ISMS, it’ll be a familiar process.

• You’ll need to make sure your top management shows leadership of and commitment to your PIMS by: Setting clear privacy goals, making sure your PIMS achieves them, allocating resources to create and maintain it, integrating it with broader organisational processes and helping it continually improve

They’ll also set your broader privacy policies. They should:

• Support and contribute to your organisation’s broader strategy and purpose, set clear privacy objectives or describe how to create them and include a commitment to both meeting its privacy needs and continually improving your PIMS

And of course you’ll need to document them, and make sure anyone who needs to understand them can quickly and easily access them.

Finally, your top managers will need to appoint the people who’ll be responsible for and in charge of your PIMS. They’ll keep it in line with the standard and report back on its status, progress and achievements as and when needed.

Being carefully planned

Once you’ve understood the context you’re working in and have senior management completely behind you, you can start planning your PIMS. Here too ISO 27701 sends you back to ISO 27001 for guidance, but it adds in some privacy-specific refinements of its own.

You’ll need to:

• Assess the risks your PII faces, set out clear policies and controls for dealing with some or all of those risks and justify why you’ve chosen to ignore any of them
• Document your policies, controls and any decisions about them in an easy to access, read way, and make sure any updates are accurate and timely

Again, if you’ve already created an ISO 27001-based ISMS it’ll be a very familiar process. And if you’re developing a PIMS and an ISMS together you’ll probably be able to merge your workstreams.

Having all the support it needs

Here too ISO 27001 and ISO 27701 are very closely allied. ISO 27701 asks you to follow ISO 27001’s support guidance.

• You should make sure you’ve got all the resources you need to set up, implement, maintain and continually evolve your PIMS available when you need them
• The people working on your PIMS should have all the competencies their roles demand – if they don’t, you should set up training or education for them
• You’ll need to make sure that everyone affected by your PIMS understands why it’s so important, what it protects and how to comply with it
• You’ll have to fully document your PIMS (exactly what that means depends on your organisation’s size and type), and plan how you’ll update your documentation

Undergoing regular evaluation

An unexamined PIMS is not worth having. You’ll need to be clear how you’ll monitor, measure, analyse and evaluate your PIMS to make sure it’s achieving everything it should. The standard refers you to ISO 27001 for guidance on how to do that.

It specifies that you should carry out regular internal audits and management reviews. Both should happen at planned intervals, and follow rigorously documented processes. You’ll also need a clear plan for responding to non-conformities and taking corrective actions.

You’ll evaluate your ISO 27701-based PIMS and ISO 27001-based ISMS in very similar ways. As ever, if you already have an ISO 27001 ISMS you’ll find the whole process very familiar.

Constantly evolving and improving

You’ll follow ISO 27001-based processes for evolving and improving your PIMS. That means you’ll swiftly and effectively react to any non-conformities. And you’ll document both the non-conformities themselves and the actions you took to fix them.

You’ll also look to continuously improve your PIMS. That’s a very important point to remember. A PIMS isn’t a fire-and-forget set of documents that – once created – can be left mouldering on a hard drive somewhere.

It’s a dynamic protective system that will evolve with any changes to your organisation and the environment it works in. So you’ll need to make sure you’re taking continuous steps to boost the suitability, adequacy and effectiveness of your PIMS.