The protection of personal data is a significant element of any information security ecosystem. If this ecosystem is neglected, your organisation is exposed to increasingly malicious threats, which in turn present a growing risk to your business.
ISO 27701 is a global privacy standard, and it demonstrates the importance of improved personal data protection. Evidencing that your organisation meets the requirements of ISO 27701 certification will ensure you have in place the processes and controls to protect your personal data assets and to manage the data protection risks posed to your organisation.
Understanding ISO 27701
ISO 27701 is an extension to ISO 27001 which includes additional requirements, objectives and controls for your Privacy Information Management System (PIMS). The ISO 27701 standard provides guidance to organisations on how to act on data protection and privacy, assists them in protecting personal data, and thereby enables them to achieve compliance with regulations such as GDPR or the UK Data Protection Act (2018).
ISO 27701 allows an organisation to establish a set of objectives and set controls to meet these objectives, thereby evidencing that actions are being taken to protect personal data. When an organisation applies ISO 27701 and extends its objectives to cover privacy management, it shows stakeholders that it is taking the protection of personal data seriously. Under revised regulation such as GDPR, data protection by design is a legal requirement. However, many organisations find this difficult to evidence, which is where implementing ISO 27701 provides the guidance and evidence required to achieve compliance.
Who should seek ISO 27701 certification?
Any organisation that handles any form of personal data should be concerned about how it is protected. This means that ISO 27701 could be relevant to all businesses. Where the risk to personal data is more acute, such as large volumes of personal data, sensitive personal data, or where a data breach would have a more serious impact (for example on an organisation's reputation), ISO 27701 becomes increasingly important.
Aligning ISO 27701 with a PIMS such as ProvePrivacy will help an organisation to apply and evidence the standard and to encourage continual improvement within their organisation. It is often the case that senior management aren’t clear about what is expected from them regarding protecting personal data, so implementing ISO 27701 would be a clear advantage to them.
Does having ISO 27701 make us GDPR Compliant?
No, you should not expect any system to make you compliant with data protection regulations, because risks and issues can occur at any time. However, ISO 27701 sets objectives and establishes controls which will provide your organisation with an auditable management standard and enable you to build an organisation which is resilient to risks. In doing so you should be able to begin evidencing data protection by design and by default alongside the technical and organisational measures that your organisation has put in place to protect personal data.
What happens if an issue arises such as a data breach?
ISO 27701 would help your organisation to put policies, procedures and processes in place which dictate the response and address crucial questions, for example who to contact. The ProvePrivacy platform helps further in two ways: it allows the policies and procedures to be distributed annually to all staff, evidencing that they have read and understood them, and it provides staff with a Breach and Risk reporting system which alerts the appropriate response teams within your organisation, enabling them to act quickly and report to the regulators appropriately.
ProvePrivacy can be used without the ISO 27701 module with similar benefits; however, applying ISO 27701 provides more of a guarantee that you've implemented adequate processes.
How do we encourage continual improvement?
Continual improvement sits at the heart of both the ISO 27701 standard and the ProvePrivacy platform. The ISO 27701 module within ProvePrivacy is designed not only to evidence that objectives and controls are implemented, but it also provides automated reminders when a control is due to expire, so that appropriate teams can respond in a timely manner. This allows risks to be assessed, improvements to be applied and issues to be avoided.
How does ISO 27701 align with ISO 27001?
ISO 27701 has been developed to be integrated within an ISO 27001 ISMS. In practice, if an organisation wishes to be ISO 27701 certified it must also achieve ISO 27001 certification. The design of ProvePrivacy allows an organisation to set and establish the objectives and controls for ISO 27701 in isolation if required. ProvePrivacy supports ISO 27001 objectives and controls in addition to ISO 27701 and encourages organisations to undertake both. Obtaining certification for both reduces duplication, saves time and enables auditors to perform deeper audits; implementing ProvePrivacy simplifies audits further, as most of the evidence is maintained within the platform.
How can we evidence we are managing our objectives?
ISO 27001 and ISO 27701 provide the guidance for setting your objectives and establishing your controls, and it is up to each organisation to determine which objectives and controls it wishes to implement. ProvePrivacy assists by letting you select your objectives and controls and record why you have elected to exclude any. You can also use ProvePrivacy to plan the implementation of controls, store supporting evidence that your controls are in place and working, and receive reminders when controls need to be reviewed.
Whilst ProvePrivacy cannot remove the work required to become ISO 27001 or ISO 27701 certified, it can certainly help an organisation achieve certification and assist in preparation for audits. Book a demo to see the platform in action.