The International Organization for Standardization (ISO) recently published an extension to ISO/IEC 27001 and 27002 for privacy information management. In this post, we take a closer look at this development.

As regular readers of this blog will know, we at BH Consulting are big supporters of the ISO 27001 information security standard (note: for brevity, we’ll refer to it in this blog and elsewhere on our site only as ISO 27001). We like it because it is internationally recognised and has no ties to any one technology or supplier. It takes a risk-based approach to security, which means it starts with a thought process that’s based on applying the greatest levels of protection to the information that matters most to a business or organisation.

Unlike self-regulated standards, ISO 27001 certification involves an external body auditing your security at least once per year to ensure you are following best practice. Best of all, it is suitable for organisations and businesses of all sizes, from an SME with five or ten employees right up to a multinational corporation.

Managing compliance with GDPR

We believe that complying with the standard has many business benefits which we’ve previously outlined on this blog. What’s more, the process and rigour that the standard applies to information security means it’s very useful as a way to manage compliance with the General Data Protection Regulation (GDPR). For example, one of the requirements under the regulation is to report breaches within 72 hours of discovering one. The ISO 27001 framework is very useful for helping organisations to develop a solid incident response plan that covers the three pillars of IT, people and processes.

When the ISO announced the ISO 27701 extension, it said it specifies requirements “for establishing, implementing, maintaining and continually improving a privacy-specific information security management system. In other words, a management system for protecting personal data (PIMS).”

Building on the base of ISO 27001

ISO 27701 builds on the information security management system (ISMS) that ISO 27001 requires all certified organisations to put in place. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. In effect, 27701 “provides the necessary extra requirements when it comes to privacy”, the ISO said.

Dr Andreas Wolf, who chaired the technical committee that developed the standard, said that almost every organisation handles personally identifiable information, and that protecting it “is not only a legal right but a societal need”.

He added: “ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever evolving basis. Being a management system, it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn’t stand still.”

How to get certified to the new standard

After the ISO announced the extension to 27001 and 27002, many websites reported it as a new or first standard for data privacy. BH Consulting CEO Brian Honan said it was important to clarify that the new ISO 27701 document is not a standard by itself but an extension to the existing information security standard. This means organisations cannot get certified to it directly. “You need to get certified to ISO 27001 first and then to this new standard,” he pointed out.

“It is worth noting that ISO 27701 is a privacy standard and is designed to encompass privacy laws and regulations around the world. So it is not specific to GDPR but can be used for it,” Brian added. “Regarding GDPR, the ISO 27701 standard is not yet recognised by the EDPB as a certification standard for GDPR – indeed no certification scheme has yet been approved – although I expect this to happen at some stage,” he said.

Interestingly, the head of France’s data protection watchdog, the CNIL, put the announcement in context by saying that the new standard was necessary because many organisations aren’t ready to comply with the stringent demands of privacy regulations like the GDPR, and they need guidance. “With the number of complaints and fines related to privacy and data protection on the rise, the need for this standard is now obvious,” he said in a statement.

In summary, ISO 27701 is a privacy standard designed to enable organisations to meet any or all of their privacy obligations, including, but not limited to, GDPR. The ISO has a document with the full requirements and guidelines for the extension on sale via its website for CHF178 (roughly €163). It has also made a free preview available via this link.