What is ISO/IEC 27701?
ISO/IEC 27701 – Privacy Information Management System (Requirements and Guidelines) is an extension standard of ISO/IEC 27001 – Information Security Management System Requirements. We will detail this explanation for you.
Being an extension standard means that it is implemented along with ISO/IEC 27001; without it, its requirements are not valid for certification purposes. It is also an extension of ISO/IEC 27002; however, this is a guideline standard, meaning it is not certifiable but provides suggestions for managing information security controls.
By adopting ISO/IEC 27701, a company demonstrates a commitment to privacy and information security, an important issue considering the increasing leakage of organizational information.
Does ISO/IEC 27701 comply with GDPR?
Not entirely. The ISO/IEC 27701 standard can help meet the European Union’s General Data Protection Regulation (GDPR). However, it was not developed with this specific purpose in mind, and therefore, it does not cover all legislative aspects.
ISO/IEC 27701 was developed to provide a framework for the management of privacy information, but you can adapt it to comply with the laws.
What are the benefits of ISO/IEC 27701?
The implementation of ISO/IEC 27701 brings several benefits to organizations, among them:
Improvement in Privacy Management
Through its structure, ISO/IEC 27701 aims to establish, implement, maintain, and continuously improve an information privacy system, assisting organizations in managing and reducing risks associated with data breaches.
Compliance with Privacy Regulations
As mentioned earlier, although it does not fully meet the requirements of the LGPD and GDPR, the standard provides a good framework for most of what is requested by legislation, facilitating implementation for organizations that already possess it, a crucial situation for companies operating in multiple jurisdictions.
With the increasing concern over potential information and data leaks, it is essential for organizations to demonstrate effective actions to reduce this risk. ISO/IEC 27701 is an excellent resource for this purpose, both for stakeholders involved in contracting and for society.
Who can implement ISO/IEC 27701?
As ISO/IEC 27701 is an extension standard, those aiming to implement it should also be familiar with ISO/IEC 27001. Moreover, both standards require extensive specific IT knowledge for implementation.
We suggest that those who wish to implement the standard have prior IT knowledge and take an Internal Auditor or Lead Auditor course for ISO/IEC 27001 and ISO/IEC 27701, or take these courses and then a basic IT course. In the latter case, it will be necessary during audits to have the support of a company specialist to assist with the implementation itself, and the auditor will guide the standard’s adherence.
It is also common in the market for those responsible for ISO/IEC 27701 to implement the GDPR. You could undertake training for Understanding GDPR immediately or later for customer service.
Is ISO/IEC 27701 Certifiable?
Since it is an extension standard, ISO/IEC 27701 cannot be certified in isolation. For certification, it is necessary to include the process of ISO/IEC 27001. Therefore, the same certifying body must handle the certification of both standards; it is not feasible to maintain ISO/IEC 27001 certification and request another body to process the ISO/IEC 27701 certification.
What is the Certification Process for ISO/IEC 27701?
As an extension of ISO/IEC 27001, the certification process for ISO/IEC 27701 differs slightly from others.
Decide if your company will start with ISO/IEC 27001 and then implement ISO/IEC 27701, or if it will begin the process for both at the same time.
Here at QMS, we always suggest that if you know you want certification in more than one standard, implement them all at once in an integrated manner. It might seem more laborious at the beginning, but it is easier than making adaptations later.
If your company already has ISO/IEC 27001 implemented, conduct a Gap Analysis.
The Gap Analysis is essential to identify what is missing in your already implemented management system to meet the requirements of ISO/IEC 27701. With the identification of gaps, the company can make the necessary changes and implementations.
Decide whether to hire a consultancy.
If your organization has not implemented any standard, hiring a consultancy will bring greater confidence, as this external expertise aggregates experience from various other organizations. However, hiring a consultancy is not mandatory; you may choose to leave the responsibility of implementation to an internal auditor or leader within your company.
Conduct an internal audit
Internal auditing is a part of management systems, and its importance should always be emphasized. Internal auditing is the process in which the implementer simulates a certification body’s audit, assessing all processes to verify compliance with the requirements of both ISO/IEC 27001 and ISO/IEC 27701.
Hire a certifier for the certification audit.
Once your management system is in order, it is time to seek an ISO certifier. Remember that the certifier will handle the certification of both standards, ISO/IEC 27001 and ISO/IEC 27701, in an integrated manner.
The certifier will send one or more auditors to rigorously verify whether the organization meets the normative requirements and thus can be certified.
After certification, the company will undergo an annual audit process to assess the continuity and improvement of the management system.
How to Choose an ISO/IEC 27701 Certifier?
Choosing a certifier is an important process for valuing your work in implementing the standards, as it’s necessary to ensure that the certification is indeed valid and internationally recognized.
When contacting a certifier, you should inquire about the accreditor of the certifier and whether ISO/IEC 27001 and ISO/IEC 27701 are within its accreditation scope. How will you validate this?
You can check internationally recognized accreditors on the IAF website.
Found the accreditor mentioned by the certifier? Verify on their website if your certifier’s name is listed.
Finally, ask for proof of the standard’s accreditation from the certifier.
We hope to have assisted you in understanding ISO/IEC 27701. If you have further questions, feel free to contact QMS 😉