ISO 27701 GDPR Compliance Program
A privacy management system is different from an ISMS, but they are closely related. ISO 27701’s approach recognizes that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification.
ISO 27701 defines the extra requirements for an ISMS to cover privacy and the processing of PII. These are supported by additional controls that relate specifically to data protection and privacy. Taken together, this creates what the Standard calls a privacy information management system (PIMS).
This new standard is a critical milestone for the ongoing management of privacy-related risks and an alternative normative reference that promotes the need for mature processes as the context of the organization evolves. Conformity assessment bodies will likely be leveraged for the immediate audits and assessments of this new standard, due to overlapping existing accreditation requirements with those provisions detailed for bodies providing certification within the GDPR.
Structure of ISO 27701
Much like other ISO standards, ISO 27701 divides its content by clause, of which Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001, and warrant particular attention.
Clause 5: PIMS-specific requirements
This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organization to recognize its need for data protection within its context, and that this context informs all the other requirements.
Another notable addition affects the risk assessment, which will need to take into account the organization’s role in relation to PII – that is, whether it is a controller or a processor – and how that role might affect the risks to the PII. Another entry recognizes the existence of the new control sets and allows the organization to reconcile its controls against a wider range of controls, including those from ISO 27701.
Yucca IT Consulting can help you
We can assist you throughout your preparation process for the ISO 27701 compliance program, from the gap analysis to the independent audit. With the help of your in-house pilot, a realistic timetable will be documented and accepted by your management.