
Privacy management with ISO 27701

Jelle Hoekstra | Privacy

Accountability is a central principle in the General Data Protection Regulation (GDPR). This data protection principle creates the obligation to be able to demonstrate compliance. Simply doing your best to comply isn’t enough: ‘appropriate technical and organizational measures’ have to be taken. Some form of privacy management system has to be in place to demonstrate compliance. In this article we introduce you to the international standard ISO 27701 for privacy information management.

ISMS & PIMS

The ISO 27701 standard was released in summer 2019. In essence it is an extension of the well-known ISO 27001 standard, which provides the requirements for an information security management system (ISMS). With ISO 27701 it is possible to extend an already existing ISMS with privacy components, thereby creating a privacy information management system (PIMS). Note that ISO 27701 doesn’t offer a standalone certification framework for privacy management. You can consider it a plugin for a pre-existing ISMS based on ISO 27001 and ISO 27002. If you’re new to the ISO 27000 series, please read our blog with a summary of ISO 27001 first.

Structure of ISO 27701

The requirements of the standard can be separated into the following groups:

  • PIMS requirements related to ISO 27001 are outlined in chapter 5.
  • PIMS requirements related to ISO 27002 are outlined in chapter 6.
  • PIMS guidance for Controllers is outlined in chapter 7.
  • PIMS guidance for Processors is outlined in chapter 8.

Chapter 5: PIMS requirements related to ISO 27001

This chapter contains many references to ISO 27001 and in essence aims to upgrade an already existing ISMS with privacy related requirements. In general this means that wherever ISO 27001 mentions ‘information security’, one should read or replace this with ‘information security and privacy’ instead (see also paragraph 5.1). Applying these changes is not rocket science, as the examples in the table below illustrate:

Apart from applying this general change, all chapters of ISO 27001 are covered as well. The most important changes are discussed below, with the ISO 27701 paragraph numbers in brackets.

The organisational context (5.2)
The first topic to assess is whether your organisation is a Controller and/or a Processor of personal data. Furthermore it is important to check relevant legislation and regulations concerning privacy. An overview should be made of the relevant internal and external factors which can affect the intended outcome of a PIMS. Other examples include contractual requirements, but also the role of partners and other relevant parties.

Involvement of the leadership (5.3)
There are no privacy specific requirements concerning the involvement of leadership.

Planning and objectives (5.4)
Privacy risks are handled the same way as information security risks in ISO 27001. It is possible to apply integrated information security and privacy risk assessments or to create two separate processes. With regard to risk treatment it is mandatory to take the privacy controls into account which are mentioned in Annex A and B of ISO 27701.

Support including resources and communication (5.5)
This paragraph only contains references to chapter 7 of ISO 27001.

Operational aspects (5.6)
This paragraph only contains references to chapter 8 of ISO 27001.

Evaluation of performance (5.7)
This paragraph only contains references to chapter 9 of ISO 27001.

Continuous improvement (5.8)
This paragraph only contains references to chapter 10 of ISO 27001.

Adding the above privacy related requirements will provide the basis for a Privacy Information Management System or PIMS.

Chapter 6: PIMS requirements related to ISO 27002

In this section specific privacy requirements are added to existing information security controls in ISO 27002. Two controls stated in chapter 6 are worth mentioning here, because they illustrate the intersection between the privacy & security programs:

  • Protection of test data
    This control states that, in addition to ISO 27002 control 14.3.1, personally identifiable information shouldn’t be used for testing purposes. It is good practice to use dummy data for testing, because test environments are vulnerable.
  • Information security incident management
    Security related incidents can lead to breaches of personal data. In several countries legislation for breach reporting applies. Internal responsibilities for managing such incidents are required, not only at a technical level but also in the form of procedures for notifying the relevant authorities or data subjects.

Chapter 7: GDPR guidance for Controllers

This chapter contains several GDPR compliance checks for Controllers of personal information. Most of these controls are, however, already mandatory on the basis of the GDPR. Themes covered are:

  • Lawful basis for the processing of personal data
  • Consent management
  • Data Protection Impact Assessments (DPIA)
  • Data Processing Agreements
  • Facilitating data subjects rights
  • Implementing privacy by design and default principles
  • Data export to third countries

Chapter 8: GDPR guidance for Processors

This chapter contains several GDPR compliance checks for Processors of personal information. Most of these controls are, however, already mandatory on the basis of the GDPR. Themes covered are:

  • Conditions for processing
  • Data protection principles
  • Implementing privacy by design and default principles
  • Data export to third countries

Conclusions

It is possible to get ISO 27701 certified, but only in combination with an ISO 27001 audit. Because of this ‘extension model’, ISO 27701 will not be suitable for every organisation. If, however, your organisation is already certified for ISO 27001, the PIMS standard might be a worthwhile addition. If you want to assess for yourself where you stand with regard to ISO 27001, see our checklist for an information security audit.

Image credit: Sincerely Media via Unsplash

Author: Jelle Hoekstra
Jelle Hoekstra LLM is a consultant and mediator at ICT Institute. He is a certified privacy professional (CIPP/E & CIPM), security consultant (ISO27001 Lead Auditor) and Qualified Mediator & Negotiator (Toolkit Company). Previously he worked at several organisations as legal advisor and Privacy & Security Officer. Jelle is a member of the International Association of Privacy Professionals (IAPP), the Dutch association for Data Protection Officers (NGFG, Nederlands Genootschap voor Functionarissen van Gegevensbescherming) and a YMI member of the International Mediation Institute (IMI).