What ISO/IEC 27701:2019 Means for Your PII Data
Those of us who collect and store Personally Identifiable Information (PII) and associated private information are guardians of very valuable data – data that creates vulnerability for its owner when breached, and data that is highly sought after by people and organizations who use it to commit fraud or to harm the victims. As guardians, we must remain vigilant and up to date on the latest best practices aimed at protecting private data and the people it belongs to. If you are not already working towards the new ISO/IEC 27701 guidelines, you are likely not doing everything you can to protect this valuable data. It is vitally important to establish a project charter and begin upgrading your privacy practice to adhere to the much-anticipated ISO/IEC 27701 guidance, which covers protection of privacy as affected by the collection and processing of personal information and includes requirements to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for PII controllers and PII processors to manage privacy controls so that risk to individual privacy rights is minimized.
ISO/IEC 27701 offers you a way to demonstrate your organizational commitment to privacy and data protection that was previously hard to achieve. Now, as with the wide array of security standards in the market, certification against 27701 can be used as a business enabler to facilitate agreements with business partners, to support relationships with other stakeholders, and to provide independent verification of your organization’s protection of privacy. Organizations planning to seek an ISO/IEC 27701 certification will also need an ISO/IEC 27001 certification. This demonstrates a commitment to both information security and privacy management.
The hallmark of 27701 is its recognition of how PII handling has evolved within contemporary organizations. PII ebbs and flows within our ever more connected networks and ecosystems, leaving the days of static data flows behind. ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever-evolving basis. Because it is a management system, 27701 defines processes for continuous improvement of data protection, which is particularly important in a world where technology-related risk management is a moving target.
This new international standard is officially called ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines). Like the other ISO standards, ISO 27701 provides a documented, holistic basis, following a recognized international standard, for assessing the design and effectiveness of the controls an organization operates internally.
Notably, 27701 delineates, and specifies controls for, two increasingly common roles in which your organization will find itself: data processor and data controller. In recognition of the prevalence of data protection regulations, and of the growing overlap between the standards a single organization may need to abide by, 27701 further provides references and crosswalks between ISO 27701 and GDPR, ISO 27018 (Public Cloud Privacy) and ISO 29151 (Privacy Code of Practice).
Given this integrated and forward-looking perspective, you can use 27701 as a vehicle to:
- Demonstrate compliance with data protection laws.
- Enhance stakeholder confidence by validating that you have a PIMS (Privacy Information Management System) in place.
- Serve as a standardized means to demonstrate GDPR compliance.
- Position the PIMS to serve as evidence for global privacy regulations.
27701 is a direct extension of ISO 27001 and ISO 27002. If you have not yet implemented ISO 27001 and ISO 27002, you can apply the data protection sections of the ISO 27701 standard to gain control over PII processes. If you have not yet achieved 27001, you will need to first incorporate the control frameworks of ISO 27001 and ISO 27002 into your organization’s risk framework. If you are already using ISO 27001 and ISO 27002, ISO 27701 will allow you to build bridges between your information security and privacy domains into one cohesive framework to safeguard PII.
Kuma demonstrates its privacy leadership by helping organizations at all levels practice a risk-based approach to handling Personally Identifiable Information (PII). Kuma is at the forefront of ISO certifications, offering managed audit and certification services across multiple sectors and verticals to make your certification journey a reasonable endeavor. Kuma is a thought leader in implementing the global privacy standard in a manner tailored to your organization. Contact us at firstname.lastname@example.org to find out how we can assist you with:
- PIMS gap analysis
- PIMS only: implementation of standalone ISO 27701
- PIMS over ISMS: implementation of ISO 27701 as an extension to an existing ISMS
- PIMS + ISMS: implementation of ISO 27701 together with ISO 27001
- Managing the ISO certification process and liaising with the certification body