
IT GOVERNANCE | GREEN PAPER

ISO 27701

Privacy information management systems

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | JULY 2020

Introduction

Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, there has been an increasing need for a standard or code of conduct to support compliance. A small number have arisen, but they lack the international recognition necessary to truly act as an effective mark of assurance.

ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines), published in August 2019, aims to fill the assurance gap and provide a genuinely international approach to data protection as an extension of information security.

This paper provides information about the Standard so that organisations with a desire to meet their compliance challenges head-on can take advantage of it. Organisations examining information security and data protection more broadly can also see how the new standard’s approach might meet their needs.

Why an ISO/IEC privacy management system?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are recognised internationally as authorities on management systems and best practice. ISO/IEC publications carry a great deal of weight, and certification to their management system standards through recognised certification schemes is an extremely effective way of both meeting compliance demands and proving your compliance to customers, business partners and regulators.

While there are already some publications and standards that discuss data protection, many are not international, primarily focusing on data protection requirements and good practice in specific jurisdictions. The UK’s BS 10012 draws solely from the GDPR and the UK’s Data Protection Act 2018, for instance, which has limited value outside the UK. An approach based on international best practice must be capable of adapting to other regimes and not impose requirements that hinge on specific legislation.

Beyond these local initiatives, there is also ISO 29151, a code of practice for
protecting personally identifiable information (PII). This standard sets out control
objectives, controls and guidelines to protect PII in accordance with an impact and
risk assessment. This is an effective set of guidance, but it does not offer an
externally auditable framework that can offer assurance to third parties. ISO 27701
goes beyond this, setting out management system and control requirements.

While ISO 27701 does not yet have a certification scheme, this is really only a
matter of time. Furthermore, there are interim options for asserting compliance, as
we discuss later in this paper.

What about ISO 27001?

Even though a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 might already address privacy issues, the requirements can be met without fully addressing privacy. This means that certificates of conformity with ISO 27001 are issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (the GDPR addresses these as “technical and organisational measures”), it goes much further than simply protecting the information – the organisation must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.

Having a standard that ensures all the relevant privacy issues are factored into a management system means that the resulting certificate must, by default, cover all of those relevant aspects. This also means that a certificate of conformity (when a scheme to provide this is available) gives external stakeholders greater confidence in your privacy management.

What does this mean for BS 10012?

BS 10012 is still an effective management system standard, especially for organisations in the UK, as it takes into account not only the GDPR but also the UK’s Data Protection Act and guidance from the Information Commissioner’s Office. This may have limited value for external stakeholders, however, especially those outside the UK.

Despite this, there is a line of thinking that any organisation that requires privacy assurance will opt for a BS 10012-type solution on the basis that a full ISO 27001 ISMS is overkill. At IT Governance, we do not subscribe to this view for two key reasons.

First, we do not see an ISO 27001-conforming ISMS as burdensome. Through our many successful engagements to implement ISO 27001, we have demonstrated how scalable and flexible it is, and how the most common block is the implementer’s mindset rather than the requirements of the Standard. The risk assessment process in particular ensures that security controls are chosen on the basis of need and suitability, helping the organisation build a cost-effective and practical ISMS.

Second, a BS 10012 personal information management system’s primary concern is data protection. As such, it is not an ideal framework for developing effective information security measures. It is also of little use if you want to extend your information security to all of your organisation’s information, not just personal data.

The ISO 27701 approach

A privacy management system is different from an ISMS, but they are closely related. ISO 27701’s approach recognises that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification.

ISO 27701 defines the extra requirements for an ISMS to cover privacy and the processing of PII. These are supported by additional controls that relate specifically to data protection and privacy. As a new whole, this creates what the Standard calls a privacy information management system (PIMS).

Figure 1: Depiction of the ISO 27001–ISO 27701 relationship (ISO 27001 requirements plus ISO 27701 requirement amendments; ISO 27001 controls plus ISO 27701 control amendments; ISO 27701 controls)



The ISO 27701 standard

ISO 27701 was developed by ISO technical committee SC27 with input from 25 external bodies, including the European Data Protection Board (EDPB).

As already described, the new standard bolts privacy processing requirements onto an ISMS. Part of this requires that anywhere ISO 27001 says “information security” you instead read “information security and privacy” in all instances. For example, where ISO 27001 uses “information security performance”, ISO 27701 requires you to read it as “information security and privacy performance”.

The Standard then goes on to add privacy-specific requirements to some of the clauses in ISO 27001 and the controls in Annex A, and adds some privacy-specific controls over and above the existing information security (and now privacy) controls. Finally, it offers guidance that builds on that available in ISO 27002 subject to whether the organisation in question is a data controller and/or data processor.

ISO 27701 also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO/IEC 29100. These cover a wider range of privacy concerns, including those espoused in data protection regulations internationally.

Definitions

ISO 27701 takes some of its key definitions from ISO 29100, which uses terms that differ from some other sources. It is useful to understand these and how they relate to your legal and regulatory environment.

Personally identifiable information (PII): ‘personal data’ in the GDPR. ISO 29100 defines this as “information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal” (Clause 2.9).

PII principal: ‘data subject’ in the GDPR. ISO 29100 defines this as a “natural person to whom the personally identifiable information (PII) relates” (Clause 2.11).

PII controller: ‘data controller’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes” (Clause 2.10).

PII processor: ‘data processor’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller” (Clause 2.12).

Structure of ISO 27701

Much like other ISO standards, ISO 27701 divides its content by clause, of which Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001, and warrant particular attention.

Clause 5: PIMS-specific requirements

This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organisation to recognise its need for data protection within its context, and this context informs all the other requirements.

Another notable addition affects the risk assessment, which will need to take into account the organisation’s role in relation to PII – that is, whether it is a controller or a processor, and how that might affect the risks to the PII. Another entry recognises the existence of the new control sets and allows the organisation to reconcile its controls against a wider range of controls, including those from ISO 27701.

Clause 6: PIMS-specific guidance

This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.

Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography and secure development.

Clause 7: Additional guidance for controllers

This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Clause 8: Additional guidance for processors

This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Accredited certification

Article 42 of the GDPR addresses certification schemes, stating that member states, supervisory authorities, the EDPB and the European Commission should encourage schemes that demonstrate compliance with the Regulation.

ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and therefore not meet the GDPR’s requirements.

There is a good chance that some ISO 17065-accredited GDPR schemes will include ISO 27701 certification, but overall they will be more robust and hence more expensive. Those organisations that want to demonstrate a degree of assurance without the expense of an ISO 17065-accredited scheme – even when they become available – might opt for ISO 27701 certification as an economical compromise.

Whether accredited certification to ISO 27701 alone will suffice for many organisations and their interested parties will likely be decided by the market and regulators. Given the broad acceptance of ISO 27001 as a model for information security, it is likely that many markets will accept ISO 27701 certification as adequate proof that the organisation has taken appropriate steps to meet its data protection obligations.

Either way, the options for ISO 17021-1-accredited certification to ISO 27701 will
need to evolve, with national accreditation bodies accrediting certification bodies
locally while an international standard that specifies accreditation requirements is
being developed. In the meantime, ISO 27701 can be referenced as a source of
controls in a Statement of Applicability (SoA) and cited as such in an accredited
certificate for ISO 27001 conformance.

This approach can be used to reference sector-specific standards on certificates.


The latest amendment to ISO 27006 (which sets out the accreditation requirements
for certification bodies offering certification to ISO 27001) states that this reference
can only relate to the source of controls detailed in the SoA; it should not imply
conformity to a set of management system requirements.

Regardless of the timescales for internationally recognised accredited certification, demonstrating conformity with ISO 27701 is likely to become a popular approach to managing data protection and privacy through the supply chain and demonstrating that to others.

Useful ISO 27701 resources

IT Governance offers a unique range of ISO 27701 products and services, including standards, books and training courses.

ISO/IEC 27701:2019 Standard
ISO/IEC 27701:2019 is the international standard that specifies the requirements for implementing, maintaining and continually improving a best-practice PIMS as an extension to an ISO 27001 ISMS.

Certified ISO 27701 PIMS Lead Implementer Training Course
Discover the key steps involved in planning, implementing, maintaining and continually improving an ISO 27701-compliant PIMS in this practical two-day course, delivered by an experienced data privacy trainer and consultant.

ISO/IEC 27701:2019 – An introduction to privacy information management
This book is the ideal guide for anyone considering a PIMS and wanting to understand how it can benefit their organisation. Get a clear and concise overview of the principles of personal information management and ISO 27701.

Certified ISO 27701 PIMS Lead Auditor Training Course
This fully accredited, practitioner-led course will teach you how to extend an ISO 27001 audit programme and conduct PIMS audits against ISO/IEC 27701, in line with international data protection regimes such as the GDPR.

ISO 27701 Gap Analysis Tool
This gap analysis tool, which lists all the requirements of ISO/IEC 27701:2019, is designed to help organisations establish whether they are meeting the Standard’s requirements, and prioritise work areas where they might be falling short.

ISO 27701 Starter Bundle
Get all the practical resources and easy-to-use tools you need to kick-start your ISO 27701 project and accelerate your journey to compliance in one handy bundle. The bundle comprises the ISO 27701 standard, pocket guide and gap analysis tool.

Other papers you may be interested in

Conducting a Data Flow Mapping Exercise Under the GDPR (IT Governance green paper, February 2019)

A Concise Guide to Data Protection Impact Assessments (DPIAs) (IT Governance green paper)

IT Governance solutions

IT Governance is your one-stop shop for cyber security and IT governance, risk management and compliance (GRC) information, books, tools, training and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books
We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.

Visit www.itgovernance.eu/en-ie/shop/category/it-governance-eu-books to view our full catalogue.

Toolkits
Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.

Visit www.itgovernance.eu/en-ie/documentation-toolkits-ie to view our toolkits.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.

Our training team organises and runs in-house and public training courses all year round, as well as Live Online and self-paced online training courses, covering a growing number of IT GRC topics.

Visit www.itgovernance.eu/en-ie/training-ie for more information.

Consultancy
We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernance.eu/en-ie/consulting-ie for more information.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk and compliance management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.

Visit www.itgovernance.eu/en-ie/shop/category/software for more information.
IT Governance is the one-stop shop for cyber security, cyber risk and privacy management solutions. Contact us if you require consultancy, books, toolkits, training or software.

t: 00 800 48 484 484
e: [email protected]
w: www.itgovernance.eu

IT Governance Europe Ltd, a GRC International Group plc subsidiary
Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682, Ireland

@ITGovernanceEU | /it-governance-europe-ltd

© 2003–2020 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification
