December 26, 2023

[Complete Guide] Everything about ISO/IEC 27701:2019

Published in 2019, ISO/IEC 27701 is a recent standard and emerges as a response to the growing concern about data privacy in the current context.

What is ISO/IEC 27701?

ISO/IEC 27701 – Privacy Information Management System (Requirements and Guidelines) is an extension standard of ISO/IEC 27001 – Information Security Management System Requirements. We will detail this explanation for you.

Being an extension standard means that it is implemented along with ISO/IEC 27001; without it, its requirements are not valid for certification purposes. It is also an extension of ISO/IEC 27002; however, this is a guideline standard, meaning it is not certifiable but provides suggestions for managing information security controls.

By adopting ISO/IEC 27701, a company demonstrates a commitment to privacy and information security, an important issue considering the increasing leakage of organizational information.

Read de complete guide about ISO 27001:2022.

Does ISO/IEC 27701 comply with GDPR?

Not entirely. The ISO/IEC 27701 standard can help meet the European Union’s General Data Protection Regulation (GDPR). However, it was not developed with this specific purpose in mind, and therefore, it does not cover all legislative aspects.

ISO/IEC 27701 was developed to provide a framework for the management of privacy information, but you can adapt it to comply with the laws.

What are the benefits of ISO/IEC 27701?

The implementation of ISO/IEC 27701 brings several benefits to organizations, among them:

Improvement in Privacy Management

Through its structure, ISO/IEC 27701 aims to establish, implement, maintain, and continuously improve an information privacy system, assisting organizations in managing and reducing risks associated with data breaches.

Compliance with Privacy Regulations

As mentioned earlier, although it does not fully meet the requirements of the LGPD and GDPR, the standard provides a good framework for most of what is requested by legislation, facilitating implementation for organizations that already possess it, a crucial situation for companies operating in multiple jurisdictions.

Stakeholder Trust

With the increasing concern over potential information and data leaks, it is essential for organizations to demonstrate effective actions to reduce this risk. ISO/IEC 27701 is an excellent resource for this purpose, both for stakeholders involved in contracting and for society.

Who can implement ISO/IEC 27701?

As ISO/IEC 27701 is an extension standard, those aiming to implement it should also be familiar with ISO/IEC 27001. Moreover, both standards require extensive specific IT knowledge for implementation.

We suggest that those who wish to implement the standard have prior IT knowledge and take an Internal Auditor or Lead Auditor course for ISO/IEC 27001 and ISO/IEC 27701, or take these courses and then a basic IT course. In the latter case, it will be necessary during audits to have the support of a company specialist to assist with the implementation itself, and the auditor will guide the standard’s adherence.

It is also common in the market for those responsible for ISO/IEC 27701 to implement the GDPR. You could undertake training for Understanding GDPR immediately or later for customer service.

Is ISO/IEC 27701 Certifiable?

Since it is an extension standard, ISO/IEC 27701 cannot be certified in isolation. For certification, it is necessary to include the process of ISO/IEC 27001. Therefore, the same certifying body must handle the certification of both standards; it is not feasible to maintain ISO/IEC 27001 certification and request another body to process the ISO/IEC 27701 certification.

What is the Certification Process for ISO/IEC 27701?

As an extension of ISO/IEC 27001, the certification process for ISO/IEC 27701 differs slightly from others.

Decide if your company will start with ISO/IEC 27001 and then implement ISO/IEC 27701, or if it will begin the process for both at the same time.

Here at QMS, we always suggest that if you know you want certification in more than one standard, implement them all at once in an integrated manner. It might seem more laborious at the beginning, but it is easier than making adaptations later.

If your company already has ISO/IEC 27001 implemented, conduct a Gap Analysis.

The Gap Analysis is essential to identify what is missing in your already implemented management system to meet the requirements of ISO/IEC 27701. With the identification of gaps, the company can make the necessary changes and implementations.

Decide whether to hire a consultancy.

If your organization has not implemented any standard, hiring a consultancy will bring greater confidence, as this external expertise aggregates experience from various other organizations. However, hiring a consultancy is not mandatory; you may choose to leave the responsibility of implementation to an internal auditor or leader within your company.

Conduct an internal audit

Internal auditing is a part of management systems, and its importance should always be emphasized. Internal auditing is the process in which the implementer simulates a certification body’s audit, assessing all processes to verify compliance with the requirements of both ISO/IEC 27001 and ISO/IEC 27701.

Hire a certifier for the certification audit.

Once your management system is in order, it is time to seek an ISO certifier. Remember that the certifier will handle the certification of both standards, ISO/IEC 27001 and ISO/IEC 27701, in an integrated manner.

The certifier will send one or more auditors to rigorously verify whether the organization meets the normative requirements and thus can be certified.

After certification, the company will undergo an annual audit process to assess the continuity and improvement of the management system.

How to Choose an ISO/IEC 27701 Certifier?

Choosing a certifier is an important process for valuing your work in implementing the standards, as it’s necessary to ensure that the certification is indeed valid and internationally recognized.

When contacting a certifier, you should inquire about the accreditor of the certifier and whether ISO/IEC 27001 and ISO/IEC 27701 are within its accreditation scope. How will you validate this?

You can check internationally recognized accreditors on the IAF website.

Found the accreditor mentioned by the certifier? Verify on their website if your certifier’s name is listed.

Finally, ask for proof of the standard’s accreditation from the certifier.

We hope to have assisted you in understanding ISO/IEC 27701. If you have further questions, feel free to contact QMS 😉

QMS Certification

QMS is an accredited third party certification body, it is currently present in 33 countries and focuses on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition by technical level, customer satisfaction and competitive pricing.

How to Engage Employees in ISO Implementation

Learn how to engage employees in ISO implementation in 4 fundamental steps and achieve superior results.

Understand the Importance of Process Mapping

Understand why Process Mapping is crucial for your company’s performance and for the continuous improvement of your QMS. Read now!

3 Essential Indicators for an Effective Quality Management System

3 Essential Indicators for a Quality Management System

There are 3 indicators for a Quality Management System that are essential for any organization, regardless of the field of activity, check which ones they are and if they match what your company has today.

What are the changed requirements in ISO 27001:2022?

Discover the changed requirements in ISO 27001:2022 and make the transition to the standard in a much simpler and result-focused way!

Non-Conformity Management: Root Cause Analysis

In the world of quality management, one of the most crucial aspects is the effective management of non-conformities. Root cause analysis is an indispensable procedure in this context, providing a path to prevent their recurrence. Learn more!

Greenwashing and Social Washing

The terms “Greenwashing” and “Social Washing” are interconnected, as both involve deceptive practices adopted by companies aiming to give the impression that they are committed to environmental and social sustainability when, in reality, their actions are not as beneficial as they appear.

ISO and Climate Change: How Standards Can Save Our Planet

Every day, the evidence of climate change in the world becomes more apparent, a clear result of environmental challenges, and with that, the search for sustainable solutions has become essential. This is how ISO and Climate Change are related, understand.

Transition to ISO 27001:2022 – Information

Understand the main factors that led to the transition of ISO 27001:2022 and how to carry out the transition!

Whistleblowing in Compliance Programs

The so-called “Whistleblowers” are aimed at promoting transparency, and their disclosures often have significant implications for the organization, helping to expose unethical, illegal, or harmful practices.