Last Updated on January 15, 2024
ISO/IEC 27701:2019 “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” is a new and (dare we say) exciting international standard that allows you to extend your current ISO 27001 Information Security Management System (ISMS) certification to include a Privacy Information Management System (PIMS).
With data privacy legislation sweeping the planet, the ability to meet privacy requirements ranging from opt-in/opt-out consent to “the right to be forgotten” is critical to more and more organizations.
How can you show clients, regulators and other stakeholders that you have a robust privacy program? How do you reduce the complexity of managing compliance with multiple, overlapping privacy regulations like the EU’s GDPR and California’s CCPA (now CPRA)?
To talk about Pivot Point Security’s experience to date with helping clients implement ISO 27701, including why they wanted the certification in the first place, a recent episode of The Virtual CISO Podcast features Andrew Frost and Aurore Watts, two of our GRC Consultants on the front lines of the ISO 27701 audit process. Hosting the episode as usual is John Verry, Pivot Point Security’s CISO and Managing Partner.
By allowing you to add privacy principles to your ISMS, ISO 27701 supports making governance decisions around privacy, which is unique among the growing number of privacy frameworks out there. The ISO 27701 standard also serves as a template that you can follow to implement your privacy program.
As John notes, “ISO 27701 allows you to manage security and privacy in a single construct. That ISMS committee that you’ve already built that’s going to manage information security risk is now also addressing your privacy issues.”
Another unique feature of ISO 27701 is that it’s the first certifiable extension to ISO 27001. “It actually changes the construct of the management system, whereas the other extensions just add either additional Annex A controls or some clarifications to Annex A controls,” says John.
“The great thing about ISO 27701 is it’s a certification in privacy,” Aurore shares. “Before when we were working with clients around their privacy concerns there was nothing to really show, ‘Here it is—you did it!’. And now with ISO 27701 they can actually show the certification.”
“… which is huge,” rejoins John.
What’s Next?
If your business has achieved (or is considering) ISO 27001 certification and also faces privacy compliance challenges, this “ISO 27701 lessons learned” podcast is sure to be helpful.
To listen to the full show, click here. If you don’t use Apple Podcasts, you’ll find all our information security podcast episodes here.