MAPS recently became amongst the first ISO 27701 certificated Organisations in Ireland and I can say with certainty that the experience was a very positive one for us! We already had firm understanding of Information security best practice but wanted to take our game to the next level and 27701 helped up get there.
In 2019 the International Standards Organisation (ISO) launched the 27701 standard, a Privacy extension to ISO 27001 Information Security Management (ISMS). The idea behind 27701 is to extended an Organisation’s existing ISMS with applicable privacy controls and activities, which in turn lead to the establishment, implementation, management and improvement cycle of a Privacy Information Management System (PIMS).
A PIMS requires than an Organisation determine its role as a data controller, processor and/or joint controller. A PIMS enables an Organisation to demonstrate its commitment to ensuring a robust PII privacy policy is in place. Your internal Data Protection Officer’s roles is called out clearly and system is put in place to help them fulfil their obligations. Internal audit programs and management reviews will also updated to ensure continuous evaluation and improvement of the PIMS effectives.
But how did 27701 help MAPS grow as an Organisation?
It is important to be able to demonstrate how Organisational policies, operating procedures and records protect Personally Identifiable Information (PII). 27701 provides clear guidance on the protection of PII including how organisations should manage PII and assists in demonstrating compliance with privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).
GDPR Article 42 encourages, in particular at an EU level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with the Regulation of processing operations by controllers and processors.
27701 It is not recognised under GDPR Article 42. In fact, the EU Council has not yet recognised any official certification mechanism under GDPR though deliberations are going on this matter. I do believe that ISO 27701 could fit this slot comfortably for small, medium and large scale enterprises and is very well positioned to do so. Watch this space.
Privacy and information security have a very strong connection. It is true that there can be no Privacy without Information Security. However, an organisation’s information security activities also can create risks to privacy if mismanaged. For this reason, it is not possible to get ISO 27701 certification without ISO 27001 certification, as it is an extension to the ISMS. If you have not read my blog on 27001 and the ISMS, you can find a link to it: here!
