
ISO 27701 FAQ

The standard requires an Internal Audit to be carried out before an external audit can be performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in-house, it is important that the auditor is independent and has no prior or current involvement in the development and implementation of the PIMS.

The Internal Audit review includes:

  1. A documentation review of policies and procedures to confirm they adhere to the standard's requirements
  2. An evidence review through sampling and analysis to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The Internal Audit is meant to be continuous throughout the certification period (3 years).

An external audit is as essential as an internal audit; the difference is that its outcome is the award of a certification!

The external audit is conducted in two stages, Stage 1 and Stage 2.

Stage 1: This consists of an extensive documentation review of your PIMS program. This typically lasts a couple of hours to a day.

The outcome of Stage 1 is a list of findings (non-conformities) that need to be remediated before moving to Stage 2.

Stage 2: This consists of an extensive review of evidence that supports the documentation provided during Stage 1 to confirm that the controls operate according to the ISO 27701 requirements. This takes a bit more time than Stage 1 and can last a couple of days to a week.

The outcome of Stage 2 is a list of findings (non-conformities) that need to be remediated before being recommended for certification.

An ISO 27701 certification is valid for three years.

This doesn’t mean that you do nothing for 3 years, no!

ISO requires surveillance audits to be performed each year to ensure the PIMS program and controls continue to operate effectively.

It is simple!

ISO 27701 defines the requirements for a PIMS, and an organization can be certified against it.

ISO 27702 provides guidance on how to implement the ISO 27701 requirements. It cannot be certified against.

Organizations are required to secure and maintain the integrity of all sensitive data that they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, while these regulations provide a framework for data protection, they do not provide specific guidance on the actions that organizations should take to ensure data privacy. This is where ISO 27701 is beneficial.

ISO 27701 provides a comprehensive set of requirements and guidelines for implementing a best-practice process for managing a Privacy Information Management System (PIMS) that includes effective data security and privacy capabilities. By following the guidelines set out in ISO 27701, organizations can establish a systematic approach to identifying and mitigating privacy risks, handling personal data, and complying with applicable regulations. This helps improve data protection and privacy, enhance stakeholder trust, and promote operational efficiency.
