ISO 27701 PRIVACY INFORMATION MANAGEMENT Flashcards
ISO/IEC 27701
covers management of risks related to Personally Identifiable Information (PII) and aids compliance with GDPR regulations.
ISO 27701 provides a framework for management of data privacy.
Privacy information management systems are sometimes referred to as
personal information management systems.
What is ISO/IEC 27701?
ISO/IEC 27701 is a data privacy extension to ISO 27001.
It assists organizations in establishing systems that support compliance with the European Union General Data Protection Regulation (GDPR) and other data privacy requirements, but, as a global standard, it is not GDPR specific.
It allows an organization to manage and regularly check its compliance status. This permits a _______ __________ of the system to ensure confidentiality protection and address vulnerabilities.
continual improvement
ISO 27701 is designed as an extension of ISO 27001 and can be implemented
simultaneously or at a later stage than ISO 27001.
Benefits of becoming certified
The standard takes a comprehensive approach to privacy information management and permits organizations to meet personal information protection requirements.
ISO/IEC 27701 will help:
1) Clarify the roles and responsibilities within your organization.
2) Build trust in your company’s ability to manage personal information, both for customers and employees.
3) Support compliance with GDPR and other applicable privacy regulations.
4) Facilitate agreements with business partners where the processing of PII is mutually relevant.
Getting started
To obtain certification, you need to implement an effective privacy information management system complying with the requirements of the standard.
Whether it covers a management system, a product or a project, certification provides evidence of your compliance with national or international standards.
The road to certification will vary slightly for different services, such as certification of management systems or products.
How do I prepare for accredited certification?
After having decided on the management system you wish to implement, there are certain steps to get you started. Some simple tips have proven invaluable to companies seeking certification. As you set out, keep these in mind:
1) Make sure you begin the process with the right attitude.
2) Have a complete understanding of the concept set forth in the standard and use it as a guide to define your management system.
3) Know what the application and implications of the standard will mean for your company.
4) Use the standard as a tool for improvement.
5) Have an understanding of the risks and processes that affect your organisation’s ability to realise its business strategy.
6) Select your partner (certification body/registrar) carefully.
10 general steps that will take you down the road to certification:
Obtain the standard
Obtain and read a copy of the standard to familiarize yourself with the requirements and decide if certification/registration to this standard makes good sense for your organization.
Review literature and software
There is a large amount of published information available that is designed to assist you in understanding and implementing a standard. Note also that for some standards there are guidelines developed for how to implement the requirements within an organization (e.g. ISO/TS 9002 covering ISO 9001 and ISO 14004 covering ISO 14001). Take some time to investigate what is available and identify which could support your implementation process.
Assemble a team and define your strategy
The adoption of a management system needs to be the strategic decision of the whole organisation. It is vital that your senior management is involved in the decision and creation process. They decide the business strategy that an efficient management system should support. In addition, you need a dedicated team to develop and implement your management system.
Determine training needs
Your team members responsible for implementing and maintaining the management system(s) will need to know the full details of the applicable standard(s). There is a wide range of training, workshops, and seminars available designed to meet these needs. We provide a number of public courses around the world. Contact your local DNV office for more information.
Review consultant options
Independent consultants will be able to advise you on a workable, realistic, and cost-effective strategy plan for implementation.
Develop your management system documentation
Decide on an appropriate platform for your management system documentation (e.g. specific software, process-map based, SharePoint-based). The right platform is important to ensure effective management, communication and implementation. Your management system should describe the policies and operations of your company. The documentation includes relevant processes and other documented information needed to support you in meeting your intended outcomes and the requirements of the applicable standard.
Determine, manage and document your processes
An important step in establishing your management system is to determine the needed processes and their interactions in accordance with your policies, strategy and objectives. These processes should cover areas such as:
Product and service realization (operational processes)
Meeting relevant needs and expectations of customers and other stakeholders
Management processes, including measurement, analysis, improvement and innovation
Implement your management system
Communication and training are key to a successful implementation. During the implementation phase, your organisation will be working according to the established processes and connected criteria to document and demonstrate the effectiveness of the management system.
Consider a pre-assessment
You can choose to have a preliminary evaluation of the implementation of your management system by a certification body/registrar. The purpose is to identify areas of non-conformance or weaknesses and allow you to correct these areas before you begin the accredited certification process. Receiving a non-conformance means that a particular area of your management system is not compliant with the requirements of the standard.
Select a certification body/registrar
Your business relationship with the certification body/registrar will exist for many years, as your certification has to be maintained. To have an efficient management system, continual improvement is key. DNV will help you get maximum value through the certification journey with a partnership approach, risk-based auditing and digital tools driving efficiency and improvement.
ISO/IEC 27701 Released as a New Standard for Privacy Compliance
ISO/IEC 27701 At-A-Glance
1) ISO/IEC 27701 is a new, privacy-oriented standard that builds upon the well-known ISO/IEC 27001 security standard.
2) Certification to ISO/IEC 27701 (when available) will require certification to ISO/IEC 27001 first.
3) While ISO/IEC 27001 provides controls for general security measures, ISO/IEC 27701 focuses on new requirements and controls, along with implementation guidance, directed specifically at protecting personal information.
4) ISO/IEC 27701 may be used to demonstrate compliance and accountability with various privacy regimes throughout the world, including the GDPR.
5) Businesses may want to include contractual obligations requiring vendors who handle sensitive personal information to comply with or, where appropriate, become certified under ISO/IEC 27701.
6) Vendors handling personal information may want to proactively begin efforts to build on ISO/IEC 27001 compliance and become compliant with and/or certified under ISO/IEC 27701.
On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 designed to help organizations protect and control the personal information they handle.
Similar to the existing ISO standards that ISO/IEC 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect _______ _______ _______ and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
personally identifiable information (PII)
What is ISO/IEC 27701?
Originally developed as ISO/IEC 27552, ISO/IEC 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). The PIMS is an extension of the flexible Information Security Management System (ISMS) defined in ISO/IEC 27001, broadened to take into account the privacy protections required for processing PII in addition to information security.
Does an organization have to adopt all the standards in ISO/IEC 27701?
Like the ISO/IEC 27001 standard, ISO/IEC 27701 does not expect organizations to adopt each and every control in all situations.
Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.
To better understand the new standard, which key terms should be understood?
1) controllers,
2) joint controllers,
3) processors, and
4) sub-processors.
These or similar terms are found in many privacy laws and regulations, including the GDPR.
A “controller” is
the entity that determines the reason why PII is collected and processed in the first place.
“Joint controllers” are
two or more entities that jointly provide this direction.
A “processor” is a
separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller.
The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151 security frameworks. Mappings of the ISO/IEC 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.
A high-level overview of certain key ISO/IEC 27701 requirements applicable to controllers and processors:
Requirements Applicable to Controllers and Processors
Confidentiality. Individuals authorized to access PII must execute a confidentiality agreement.
Analyze Risk. A privacy risk assessment must be conducted to identify PII processing risks.
Oversight. Organizations must appoint an individual who is responsible for developing, implementing, maintaining, and monitoring their governance and privacy program.
Training. Privacy awareness training for personnel that have access to PII is required.
Internal Processes. Organizations must adopt various policies and procedures, such as incident response plans for breaches of PII.
Record Keeping. ISO/IEC 27701 requires organizations to maintain a record of all PII processing activities, including PII transfers between jurisdictions and disclosures to third parties.
Processor-Specific Requirements
Processing Limitations. Organizations must process PII only on the documented instructions of the controller or processor (depending on the role of the customer).
Assist with Individuals’ Rights. ISO/IEC 27701 requires processors to implement measures that assist the customer in complying with the rights of individuals.
Transfers and Disclosures. Processors must inform the customer in advance of PII transfers between jurisdictions or any intended changes thereof.
Subcontractors. ISO/IEC 27701 requires processors to only engage a subcontractor for processing PII pursuant to the terms of the customer contract.
Controller-Specific Requirements
Privacy Notices. Organizations must provide a privacy policy containing specific information regarding the collection, use, and processing of PII.
Processor Contract Requirements. Organizations must have a written contract in place with their processors that addresses specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.
Individuals’ Rights. ISO/IEC 27701 requires organizations to implement mechanisms to accommodate individuals’ rights to access, correct, and erase their PII, as well as object to, or restrict, the processing of PII, among others.
Privacy by Design and Default. Organizations must adopt measures that operationalize the principles of privacy by design and default.
Benefits of ISO/IEC 27701
Compliance with ISO/IEC 27701 first requires compliance with the requirements of ISO/IEC 27001. They are intended to complement each other. Organizations that follow the requirements of ISO/IEC 27701 will create documentary evidence of how they handle the processing of PII, which may be used to facilitate agreements with business partners where the processing of PII is relevant and to clarify the organization’s processing of PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, according to recent reports, ISO/IEC 27701 could change that in the very near future.
What Should You Do?
Customers engaging vendors to process and maintain PII on their behalf should consider contractually requiring those vendors to comply not only with ISO/IEC 27001, but also with ISO/IEC 27701 or to become certified under this standard if appropriate to the sensitivity of the data. Even if the customer does not require vendors to be certified by an independent third party as compliant with the new standard, they may still want to update their contracts to ensure the vendor can comply with requirements of ISO/IEC 27701. Since ISO/IEC 27701 is still very new, a reasonable time delay for vendors t
Organizations that are ISO/IEC 27001 certified and looking to implement the requirements of ISO/IEC 27701 should consider taking the following steps:
Perform a gap assessment of the existing ISMS to the requirements of ISO/IEC 27701 and produce an action plan on how to address those gaps.
Conduct a data mapping of the PII collected by the organization to understand the scope of PII collected and how it is used and shared with processors.
Determine the organization’s role as a controller and/or processor based on internal or external factors that are relevant to its context, such as applicable privacy legislation, regulations, judicial decisions, or contractual requirements (among others).
Review and update privacy policies to ensure they contain the required information.
Develop policies and procedures applicable to the organization’s role.
Begin the planning and implementation of the privacy by design and default principles.
How do I implement ISO/IEC 27701?
Secure commitment across your organization, including your leadership team, employees and supply chain
Regularly engage with your leadership team and key stakeholders
Clearly define your role as a data processor, controller or both
Compare your existing privacy processes and controls with ISO/IEC 27701 requirements
Get supply chain and stakeholder feedback on your current privacy processes and controls
Establish an implementation team to get the best results
Map out and share roles, responsibilities and timescales
Adapt the basic principles of the ISO/IEC 27701 standard to your organization
Motivate and support your staff through training courses
Create a more consistent approach throughout the data processing supply chain by encouraging others to implement ISO/IEC 27701
Consider BSI software to help capture and manage your ISO/IEC 27701 audits, findings, incidents and risks more effectively
Regularly review your ISO/IEC 27701 system to make sure it remains effective and that you are continually improving it
Step 3 Certification
Once you have implemented the requirements you are ready to begin the certification process for ISO/IEC 27701.
Do you have an ISO/IEC 27001 Information Security Management System already in place?
If yes, you’re ready to get started with ISO/IEC 27701.
The guidance and requirements for ISO/IEC 27701 Privacy Information Management System (PIMS) go across 8 different clauses and 6 annexes, which include personally identifiable information (PII) controls and mappings to related standards and the GDPR.
It’s vital you understand all the guidance, requirements and controls and ensure they are appropriately implemented across your organization. Here is how you can get started with ISO/IEC 27701.
The ISO/IEC 27701:2019 standard
is the first international privacy standard. It outlines the requirements for implementing a Privacy Information Management System (PIMS) to govern the handling of personal data, which ISO 27701 calls Personally Identifiable Information (PII).
Who should implement ISO 27701?
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.
GDPR certification
While ISO 27701 is not yet governed by accreditation bodies, it is expected that certification bodies will begin to audit against this new ISO standard even though no established scheme has yet been defined at the International Accreditation Forum (IAF) level.
ISO 27701 - an extension to ISO 27001
Because many organisations already have an ISO 27001 ISMS, establishing a Privacy Information Management System (PIMS) is less complex for them, since the ground has already been laid. Organisations familiar with ISO 27001 will be able to extend their ISMS to address privacy and support GDPR compliance, as the PIMS provides a means to demonstrate commitment to privacy information management.
Terminology differences between GDPR and ISO 27701
ISO/IEC 27701:2019 uses the vocabulary common to the suite of ISO 2700x standards that cover information security and associated controls. It uses the term Personally Identifiable Information (PII) to describe the information assets that must be protected and managed when providing security and privacy for a data subject, who is called the PII principal.