On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701 (ISO 27701), a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, designed to help organizations protect and control the personal information they handle. Similar to the existing ISO standards ISO 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect personally identifiable information (PII) and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
This new standard is the “icing on the cake” for security compliance. The well-known ISO 27001 forms the foundation and the new ISO 27701 builds on that foundation to provide a comprehensive set of controls for information security and the protection of personal information.
Originally developed as ISO/IEC 27552, ISO 27701 provides specific requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of the flexible Information Security Management System (ISMS) defined in ISO 27001 to take into account the privacy protections required for processing PII in addition to information security. Like the ISO 27001 standard, ISO 27701 does not expect organizations to adopt each and every control in all situations. Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.
To better understand the new standard, two key terms should be understood: controllers and processors. These terms are found in many privacy laws and regulations, including the GDPR. Generally, a “controller” is the entity that directs the reason why PII is collected and processed in the first place, and the “processor” is a separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller.
The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018 and ISO/IEC 29151 security frameworks. Mappings of the ISO 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), GLBA and HIPAA, should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.
A high-level overview of certain key ISO 27701 requirements applicable to controllers and processors is provided below.
Compliance with ISO 27701 first requires compliance with the requirements of ISO 27001. They are intended to complement each other. Organizations that follow the requirements of ISO 27701 will create documentary evidence of how they handle processing of PII, which may be used to facilitate agreements with business partners where the processing of PII is relevant and to clarify the organization’s processing of PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, according to recent reports, ISO 27701 could change that in the very near future.
Customers engaging vendors to process and maintain PII on their behalf should consider contractually requiring those vendors to comply not only with ISO 27001, but also ISO 27701 or to become certified under this standard if appropriate to the sensitivity of the data. Even if the customer doesn’t require vendors to be certified by an independent third party as compliant with the new standard, they may still want to update their contracts to ensure the vendor can comply with requirements of ISO 27701. Since ISO 27701 is still very new, a reasonable time delay for vendors to comply with the requirements of this new standard would be appropriate to include in these contracts.
Organizations that are ISO 27001 certified and looking to implement the requirements of ISO 27701 should consider taking the following steps:
All around the world, lawmakers and regulators are introducing new laws governing the use of data, especially PII. Most recently, the advent of the GDPR has caused many businesses, but customers and vendors, to scramble to achieve compliance. This changing legal environment raises challenges for all businesses, but especially those that must comply with regulations in multiple jurisdictions. Rather than trying to deal with each new law individually and locally, the new ISO 27701 standard will provide a harmonized way to decide, plan, implement, and document an organization’s approach to data privacy worldwide.
No matter the size of an organization and whether it is a controller or processor of PII, businesses should consider pursuing an ISO 27701 certification, either for their own organization, or requesting certification from their vendors. This is especially true for processors, sub-processors and joint controllers that are processing sensitive or high volumes of PII.
This article was originally published at CSOOnline.com.