ISO 27701 27001 Information Technology Security Techniques

What exactly is ISO 27701?
ISO/IEC 27701:2019 is an extension to the international standard for information security management, ISO/IEC 27001. Its full title is ISO/IEC 27701 Security Techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management - Requirements and Guidelines. See the ISO 27701 PDF here.

ISO 27701 specifies the requirements, and offers guidance, for establishing, maintaining and continually improving a privacy information management system (PIMS).

ISO 27701 builds on the requirements, control objectives and controls of ISO 27001 and adds privacy-specific requirements.

Our most popular pocket guide, ISO/IEC 27701, is a brief overview of the principles and practices of managing personal data.

Why was ISO 27701 created?
The DPA (Data Protection Act) 2018, the UK GDPR and the EU GDPR (General Data Protection Regulation) require businesses to take measures to ensure the privacy of the personal data they collect.

These laws do not specify what those measures ought to be.
The new standard was developed by ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) to provide that guidance.

What is the relationship between ISO 27001 and ISO 27701?
ISO 27001 specifies the requirements for an ISMS (information security management system), a risk-based approach that encompasses people and processes as well as technology. Certification to ISO 27001, accredited by an independent third party, gives stakeholders assurance that data is being properly secured.

ISO 27001 is a standard for security management. Organisations that have implemented ISO 27001 can also apply ISO 27701 to enhance their privacy management. Because ISO 27701 covers the handling of personal information, or PII (personally identifiable information), it can be used to demonstrate compliance with data protection laws.

Organisations that do not yet have an ISMS can implement ISO 27001 and ISO 27701 in a single project.
Download the free PDF on how you can map your way to GDPR and DPA compliance with ISO 27701: Track your way to GDPR and DPA 2018 compliance using ISO 27701.

Who should implement ISO 27701?
ISO 27701 is intended for all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach, so that each organisation understands the specific threats it faces, including those related to privacy and personal data.

What is the main difference between privacy information management systems and personal information management systems?
ISO 27701 outlines the requirements for a privacy information management system, while BS 10012 is the British standard for a personal information management system.

There is little difference between the two terms: both refer to management systems that safeguard personal information, and in everyday use the acronym PIMS can refer to either. There are, however, some distinct differences between the two approaches, which are discussed below.

Should I pick ISO 27701 over BS 10012?
Both standards have advantages, but there are certain differences.

BS 10012 aligns with the GDPR and the DPA 2018. ISO 27701 does not align with any particular data protection regulation, which means it can be used by more organisations and helps them comply with a variety of privacy laws.

BS 10012 may be the right option for your organisation if it is required to comply with the DPA 2018 and the GDPR.

If you need to demonstrate compliance with several different privacy regimes, the internationally recognised standard is better suited to your purposes.

IT Governance can help you choose the standard best suited to you, and can provide any assistance you need with implementation.

Demonstrate GDPR compliance with ISO 27701 and ISO 27001
Implementing ISO 27701 and ISO 27001 will help you comply with the privacy and data security requirements of the GDPR. It also demonstrates that you have management processes in place for the "appropriate technical and organisational measures" that protect personal information and uphold the rights of data subjects, in accordance with Article 5(2). See the guidelines for the assessment of information security controls for more information.

Article 42 of the GDPR covers mechanisms for certifying data protection, including data protection seals and marks. No such mechanisms exist yet. If you comply with its controls, however, your organisation can be independently certified to ISO 27001 and then to ISO 27701. This would demonstrate to regulators and stakeholders that it follows international best practice in protecting personal data/PII.
