ISO 27701 Overview and Guides


This article talks about ISO/IEC 27701:2019, the data privacy extension to ISO 27001. ISO 27701 was released in 2019 to provide guidance for establishing, implementing, maintaining, and continually improving a Privacy Management System (PIMS). It provides guidance on how organizations can integrate privacy controls into their existing Information Security Management Systems (ISMS). The framework can help demonstrate that effective systems are in place to support compliance with GDPR, CCPA, and other related privacy legislation.

ISO 27701 is designed to help organizations establish a systematic approach to managing privacy risks and complying with privacy regulations. It provides a comprehensive framework for managing personal information that can help organizations build trust with their customers and stakeholders and demonstrate their commitment to protecting personal privacy.

Learn more about TrustCloud’s continuous ISO 27001 compliance with TrustOps for ISO 27001.

What is a PIMS?

PIMS stands for Privacy Management System and is a collection of documents, including policies, processes, procedures, and security and privacy controls, that together implement an effective process for collecting, processing, storing, and destroying Personally Identifiable Information (PII).

ISO 27701 is composed of 10 sections (referred to as “clauses” in ISO 27701 terminology) that overlap with ISO 27001, and six (6) annexes, of which Annexes A and B are normative and Annexes C to F are informative. The first four clauses are introductory in nature and serve as an overview of the standard itself. Clauses 4 to 10 are more substantive, providing guidelines for PII security and privacy. Each clause contains a set of guidelines intended to improve your organization’s data privacy posture. We have outlined these below:

  1. Clause 4: ISMS requirements related to ISO/IEC 27001
    Context of the organization: This clause specifies the requirements for identifying and analyzing the internal and external factors that affect the organization’s privacy management system, including the privacy risks and opportunities.
  2. Clause 5: PIMS-specific requirements related to ISO/IEC 27001
    Leadership: This clause specifies the requirements for the leadership of the organization in establishing and maintaining the PIMS, including the assignment of roles and responsibilities, the development of privacy policies, and the establishment of a privacy culture.
  3. Clause 6: PIMS-specific guidance related to ISO/IEC 27002
    Planning: This clause specifies the requirements for the planning of the PIMS, including the development of a privacy risk management plan, the identification and evaluation of privacy risks, and the development of privacy objectives and targets.
  4. Clause 7: Additional ISO/IEC 27002 guidance for PII controllers
    Support: This clause specifies the requirements for providing the necessary resources, infrastructure, and support for the implementation and maintenance of the PIMS, including training, awareness, and communication.
  5. Clause 8: Additional ISO/IEC 27002 guidance for PII processors
    Operation: This clause specifies the requirements for implementing and operating the PIMS, including the implementation of privacy controls, the management of personal data, the handling of privacy incidents, and the monitoring and measurement of the PIMS.
  6. Clause 9: ISMS requirements related to ISO/IEC 27001
    Performance evaluation: This clause specifies the requirements for monitoring, measuring, analyzing, and evaluating the performance of the PIMS, including the use of internal audits and management reviews.
  7. Clause 10: ISMS requirements related to ISO/IEC 27001
    Improvement: This clause specifies the requirements for continually improving the effectiveness of the PIMS, including the implementation of corrective and preventive actions, the management of nonconformities, and the implementation of improvements based on the results of performance evaluations.

What is the overlap between ISO 27001 and ISO 27701?

ISO 27701 requires an existing ISMS program to attach to. Clauses 5 to 8 of the PIMS standard extend the requirements of ISO 27001 to incorporate PII considerations. The PIMS-specific requirements in these clauses are listed below:

  1. PIMS requirements related to ISO 27001 are outlined in clause 5
  2. PIMS requirements related to ISO 27002 are outlined in clause 6
  3. PIMS guidance for PII controllers is outlined in clause 7
  4. PIMS guidance for PII processors is outlined in clause 8

It is sensible for an organization to combine its ISMS and PIMS programs and extend its ISMS Statement of Applicability (SoA) to include the PIMS controls:

  1. Annex A + Clause 6 = 37 enhanced controls
  2. Annex A + Clause 7 = 31 new controls for controllers
  3. Annex A + Clause 8 = 18 new controls for processors

Why should I pursue an ISO 27701 certification?

For organizations that process customer and employee data in multiple jurisdictions, ensuring compliance with several countries’ data governance laws is complex and not always straightforward. ISO 27701 can be a good starting point.

Among many benefits, the most notable are the following:

  1. ISO 27701 provides a framework for complying with privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.
  2. ISO 27701 provides a systematic approach to identifying and mitigating privacy risks, helping organizations better protect personal data and reduce the risk of privacy breaches.
  3. ISO 27701 can help organizations streamline their privacy management processes, reduce the cost and complexity of managing personal data, and improve overall operational efficiency.
  4. ISO 27701 certification can help enhance an organization’s brand reputation by demonstrating a commitment to privacy and data protection, which can be particularly important for organizations that handle sensitive personal data such as healthcare or financial information.

Typically, an ISO 27701 certification can cost anywhere between $15,000 and $100,000 when you factor in an ISO 27001 certification, the cost of the audit firm, and internal costs including lost productivity, staff training, and the resources needed to meet specific requirements.

At TrustCloud, we believe compliance shouldn’t be expensive. To make the readiness and audit process both affordable and simple, the cost has been broken down into two areas:

  1. A compliance automation platform. By automating much of the process, platforms such as TrustOps help you reduce and better manage your internal costs. We’ve developed a transparent and straightforward pricing structure to make it easier for you to manage the overall cost of the program.
  2. An auditor. We’ve developed strong relationships with a number of audit firms. This means that they are trained on the platform and know how to evaluate your business; they are also able to pass along discounts as a result of a referral from TrustCloud. ISO 27701 audit partners in the TrustCloud network charge between $7,000 and $50,000 for audits, based on the maturity and complexity of the engagement.

ISO 27701 Preparation and tips

TrustCloud takes care of the preparation! However, even when you use a GRC tool for preparation, there are still some important considerations:

  1. Make sure you have a dedicated team to handle the effort that ISMS-PIMS preparation demands. Compliance is a team effort and does require intent and continual effort. Making sure you have a clear goal and drive will help you succeed in this endeavor.
  2. Perform an internal assessment to determine your gaps. This helps you determine how much time is needed. This is also something TrustCloud can help you with.
  3. Document everything! If it is not documented, it is not happening!
  4. Identify your internal audit team! A distinctive characteristic of ISO 27701 and ISO 27001 is the requirement to perform an internal audit. This activity can be performed by an independent third party or by employees of your organization, as long as they are qualified (they understand the auditing process and requirements) and objective (they have no conflict of interest).

Want to learn more about GRC?
Explore our GRC launchpad to gain expertise on numerous compliance standards and topics.

TrustCloud’s platform assesses your current security posture to identify gaps and suggest policies and controls.

Adopt and maintain compliance with ISO 27701 with ease!

TrustCloud has curated a toolkit to help you on your ISO 27701 journey! Follow each article below:
