ISO/IEC 27701 (published in 2019) is a privacy extension to ISO 27001 and ISO 27002. It gives organizations a standard framework for identifying and managing the personally identifiable information (PII) they hold about employees, customers and other individuals.
The standard sets out requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS), while leaving organizations flexibility in how they build and run it. Because ISO 27701 is built on ISO 27001, it cannot be certified on its own: you must implement, and be certified to, ISO 27001 as the base, and in practice ISO 27001 and ISO 27701 are implemented together as a single project.
What is the difference between ISO 27001 and ISO 27701?
ISO 27001 specifies the requirements for an information security management system (ISMS). It is a management system for “the preservation of confidentiality, integrity and availability” of information in any form. ISO 27001 certification is a prerequisite for ISO 27701 certification, so you must be certified to ISO 27001 before you can proceed to ISO 27701 certification.
ISO 27701 specifies the requirements for a privacy information management system (PIMS), a management system for privacy controls over PII. The standard treats privacy as an extension of the confidentiality objective that ISO 27001 already manages, which is why ISO 27001 certification is a prerequisite for ISO 27701 certification.
Confidentiality and privacy are often used interchangeably; although they are related, they are very different from a legal perspective. Confidentiality is an ethical or legal duty (for example a fiduciary duty) that prevents certain people or organizations from sharing information with third parties, and it is often imposed contractually through a Non-Disclosure Agreement (NDA) between two parties. Privacy, on the other hand, is an individual’s right to freedom from intrusion into their personal matters, personal information and personally identifiable information (PII).
How to get certified to ISO 27701
If you already hold accredited certification to ISO 27001, applying its information risk management principles to privacy under ISO 27701 is fairly straightforward. To ensure that privacy risks are incorporated into the management system, the risk assessment process should be extended to identify privacy assets (PII and the processing that touches it), the related threats and vulnerabilities, and the risk treatment options. The outcome will change the existing ISO 27001 Statement of Applicability (SoA): it must record the privacy-specific refinements ISO 27701 makes to the ISO 27001 Annex A controls, plus the additional controls in ISO 27701 Annex A (for PII controllers) and Annex B (for PII processors), with each marked as applicable or not.
The privacy information management system then needs to be documented. Organizations that are less confident in their GDPR compliance will find ISO 27701 particularly helpful, as it provides specific recommendations for action and maps its controls to the articles of the regulation.
Steps to get ISO 27701 Certification
- Get certified to ISO 27001 (a prerequisite).
- Implement the ISO 27701 privacy information management system requirements.
- Perform an ISO 27001 and ISO 27701 internal audit (typically performed together).
- Get a certification quote from a certification body (registrar). ISO 27001 and ISO 27701 can be audited together as long as the context of the organization (scope) covers the same business processes, business units and/or assets.
- Undergo an ISO 27001 and ISO 27701 certification audit by the certification body (registrar).
Following a successful two-stage audit, the certification body makes a certification decision and, if it is positive, issues a certificate to the standard(s) in scope. Your organization receives both a hard and a soft copy of the certificate, which is valid for three years. Certification is maintained through annual surveillance audits and a recertification audit every three years.
Who can implement ISO 27701?
ISO certification applies to organizations of any type and size, anywhere in the world, including (but not limited to):
- Non Profit Organizations
- Government Entities
- Public and Private Companies
Benefits of ISO 27701
Almost every company and organization holds detailed personally identifiable information (PII) about its employees and customers. If that information is leaked, the damage can be serious. ISO 27701 helps your organization understand its privacy risks and meet its duty to protect its interested parties. Benefits include:
- Reduced likelihood of legal, regulatory and/or contractual litigation and liability.
- Reduced likelihood of substantial brand and reputation damage.
- Reduced likelihood of privacy harm to the individuals whose PII you hold.
- Potentially lower insurance premiums.
- Reasonable assurance that you are protecting your clients’ information in any form.
- Meeting product or service requirements set by your clients in RFPs, the sales process and legal agreements such as Master Service Agreements, and in insurance application requirements.
- Be the first in your industry to be certified!
- Stronger relationships with existing customers and with internal and external stakeholders, shareholders, the board of directors, etc.