
ISO 27701 and Conformance with Privacy Information Management (Part 1)

Private security standards like those from the International Organization for Standardization (ISO) generally seek some alignment with major regulations so that certified organizations can effectively adapt to new and rigorous standards. Accordingly, the ISO 27701 standard seeks to refine the standard ISO cybersecurity certifications to match evolving security laws in jurisdictions like the EU. 

In this article, the first of three parts, we will look at ISO 27701, how it impacts ISO 27001 controls, and how certified organizations will deploy their Information Security Management Systems.


Privacy Information Management and Regulatory Compliance

Consumer protections and cybersecurity are evolving to meet new challenges and expectations in a data-driven world. There needs to be more than just a checklist of simple controls to protect user data before calling it a day. In modern security, organizations and consumers expect privacy, risk management, and transparency to be paramount.

This evolution is evident in new regulations emerging in more tech-advanced locales. Two of the most notable include:

The most significant components of these regulations focus on data ownership and on the obligations businesses and other organizations have to educate and inform consumers. As such, their overall implementations involve strict privacy and confidentiality controls that are as robust as, if not more robust than, specific cybersecurity features.


What Is a Privacy Information Management System (PIMS)?

Private organizations will invariably find it desirable to prepare for these more rigorous regulations. Many of these organizations will also have existing standards with which they comply–an excellent opportunity to leverage existing compliance efforts across different standards and regulations. 

Organizations that adhere to the core cybersecurity requirements of the International Organization for Standardization (ISO) standards may find that, whatever controls they have actually implemented, those controls do not align with privacy-focused regulations like those listed above. Namely, while thorough, ISO 27001 and ISO 27002 don’t focus on privacy or on meeting consumer obligations.

Thus, ISO 27701 fills the gap. Specifically, this standard defines best practices for businesses large and small to augment their existing Information Security Management System (ISMS, as described in ISO 27001) with a Privacy Information Management System (PIMS).

What is a PIMS? Simply put, it is the collection of technologies, processes, policies, and people that take part in a coordinated infrastructure ensuring that PII remains private, protected, and controlled. Furthermore, a PIMS defines how an organization addresses its obligations to data owners–namely, requirements for changing, reporting, updating, or deleting PII.


ISO 27701 and PIMS-Related Guidance for ISO 27001

ISO 27701 covers refinements and extensions to the requirements found under both ISO 27001:2013 and ISO 27002:2013. These refinements are relatively extensive, touching most or all of these documents’ control and practice categories.

These refinements fall under two general categories:


Organizational Context

Businesses must understand the context in which they hold accountability for the privacy and security of PII, including jurisdictional requirements that might define obligations to consumers or other parties:


Leadership

By and large, factors of leadership line up with ISO 27001 Section 5 with the general refinement listed above. These requirements include:

Planning

Planning under ISO 27701 adheres to ISO 27001 Section 6 with some specific refinements:


Support

Support controls are aligned with those found in ISO 27001 Section 7, with general refinements required as listed above. These requirements include:


Performance Evaluation

Performance evaluation controls will align with those in ISO 27001 Section 9, including requirements for:


Improvement

Improvement also follows ISO 27001 requirements (Section 10) with general refinements, specifically those applying the:


Stay Ahead of Evolving ISO Requirements with Lazarus Alliance

The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s important to understand how those changes result in a unique PIMS infrastructure. 

Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.

