ISO 27701, a new International recognised Standard and what you need to know about it!


November 22, 2021

ISO 27701, a new International recognised Standard and what you need to know about it!

MAPS recently became amongst the first ISO 27701 certificated Organisations in Ireland and I can say with certainty that the experience was a very positive one for us! We already had firm understanding of Information security best practice but wanted to take our game to the next level and 27701 helped up get there.
In 2019 the International Standards Organisation (ISO) launched the 27701 standard, a Privacy extension to ISO 27001 Information Security Management (ISMS). The idea behind 27701 is to extended an Organisation’s existing ISMS with applicable privacy controls and activities, which in turn lead to the establishment, implementation, management and improvement cycle of a Privacy Information Management System (PIMS).
A PIMS requires than an Organisation determine its role as a data controller, processor and/or joint controller. A PIMS enables an Organisation to demonstrate its commitment to ensuring a robust PII privacy policy is in place. Your internal Data Protection Officer’s roles is called out clearly and system is put in place to help them fulfil their obligations. Internal audit programs and management reviews will also updated to ensure continuous evaluation and improvement of the PIMS effectives.
But how did 27701 help MAPS grow as an Organisation?
It is important to be able to demonstrate how Organisational policies, operating procedures and records protect Personally Identifiable Information (PII). 27701 provides clear guidance on the protection of PII including how organisations should manage PII and assists in demonstrating compliance with privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).
GDPR Article 42 encourages, in particular at an EU level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors.
27701 It is not recognised under GDPR Article 42. In fact, the EU Council has not yet recognised any official certification mechanism under GDPR though deliberations are going on this matter. I do believe that ISO 27701 could fit this slot comfortably for small, medium and large scale enterprises and is very well positioned to do so. Watch this space.
Privacy and information security have a very strong connection. It is true that there can be no Privacy without Information Security. However, an organisation’s information security activities also can create risks to privacy if mismanaged. For this reason, it is not possible to get ISO 27701 certification without ISO 27001 certification, as it is an extension to the ISMS. If you have not read my blog on 27001 and the ISMS, you can find a link to it: here!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Do you have any projects?
Contact us.

ISO 27701, a new International recognised Standard and what you need to know about it!

ISO 27701, a new International recognised Standard and what you need to know about it!

img

MAPS recently became amongst the first ISO 27701 certificated Organisations in Ireland and I can say with certainty that the experience was a very positive one for us! We already had firm understanding of Information security best practice but wanted to take our game to the next level and 27701 helped up get there.
In 2019 the International Standards Organisation (ISO) launched the 27701 standard, a Privacy extension to ISO 27001 Information Security Management (ISMS). The idea behind 27701 is to extended an Organisation’s existing ISMS with applicable privacy controls and activities, which in turn lead to the establishment, implementation, management and improvement cycle of a Privacy Information Management System (PIMS).
A PIMS requires than an Organisation determine its role as a data controller, processor and/or joint controller. A PIMS enables an Organisation to demonstrate its commitment to ensuring a robust PII privacy policy is in place. Your internal Data Protection Officer’s roles is called out clearly and system is put in place to help them fulfil their obligations. Internal audit programs and management reviews will also updated to ensure continuous evaluation and improvement of the PIMS effectives.
But how did 27701 help MAPS grow as an Organisation?
It is important to be able to demonstrate how Organisational policies, operating procedures and records protect Personally Identifiable Information (PII). 27701 provides clear guidance on the protection of PII including how organisations should manage PII and assists in demonstrating compliance with privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).
GDPR Article 42 encourages, in particular at an EU level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors.
27701 It is not recognised under GDPR Article 42. In fact, the EU Council has not yet recognised any official certification mechanism under GDPR though deliberations are going on this matter. I do believe that ISO 27701 could fit this slot comfortably for small, medium and large scale enterprises and is very well positioned to do so. Watch this space.
Privacy and information security have a very strong connection. It is true that there can be no Privacy without Information Security. However, an organisation’s information security activities also can create risks to privacy if mismanaged. For this reason, it is not possible to get ISO 27701 certification without ISO 27001 certification, as it is an extension to the ISMS. If you have not read my blog on 27001 and the ISMS, you can find a link to it: here!

CLIENT NAME


PROJECT TYPE

                       


Do you have any projects?
Contact us.

'