Differences between ISO 27701 and ISO 27018

The treatment of personal information is not something new nowadays, but the exponential use that is taking place due to the need for exchange between departments within the same company or even more so, between different organizations, for the proper provision of services. Additionally, there is a proliferation in the use of storing this type of information in the cloud, which makes it necessary to verify that this information is properly managed and protected under the scope of ISO standards specifically developed for this purpose, such as ISO 27701 and ISO 27018.

ISO 27701 is a security standard that emerged in response to the publication of the General Data Protection Regulation (GDPR) in 2018. Its primary objective is to establish an Information Privacy Management System (IPMS) for implementing policies and controls to protect the personal data of the company in accordance with the specific legislation and regulations of each country. This applies whether the organization is acting as a Data Controller or a Data Processor.

The ISO 27701 standard requires that companies seeking certification must already be certified under ISO 27001.Its main objective is to help organizations integrate an Information Privacy Management System (IPMS) into the existing Information Security Management System (ISMS) of ISO 27001, thereby reducing the risk to individuals’ privacy rights and enhancing the existing information security management system. ISO 27701 extends the requirements of ISO 27001, specifically in clauses 4 to 10, to address the protection of individuals’ privacy potentially affected by the processing of Personally Identifiable Information (PII), in addition to information security.

The standard expands the requirements on information protection in sections 4 to 10 of ISO 27001, specifically for section 4 on the organizational context and section 6 on risk management planning, not providing additional needs in the rest of the sections. The standard expands requirements in the ISO 27002 best practices guide for some specific controls, particularly 31*¹, which includes additional guidance for their implementation.

Additionally, it introduces specific IPMS requirements in the annexes of ISO 27701, specifically Annex A (31 controls for Data Controllers) and Annex B (18 controls for Data Processors). These controls are divided into the following areas:

• Conditions for the collection and processing of PII.
• Obligations towards individuals.
• Privacy by design and default.
• Sharing, transfer, and communication of PII.

Confidentiality is a critical aspect in cloud environments, which is why ISO 27018 provides a set of best practices for the protection of Personally Identifiable Information (PII) in the cloud for organizations acting as data processors, known as ‘Data Processors’.

The implementation of this standard is closely related to ISO 27001, which serves as the foundation for specifying the requirements unique to ISO 27018. Building upon the security controls established in Annex A of ISO 27001, namely ISO 27002, ISO 27018 adds security requirements for PII on specific controls. Specifically, out of the 114 controls*¹ proposed in ISO 27002, ISO 27018 establishes additional requirements for 15 of these controls.

Unlike ISO 27701, ISO 27018 does not provide any additions to the controls of ISO 27001, meaning it does not have requirements related to the management system itself.

Additionally, ISO 27018 establishes 25 controls divided into the following 8 privacy principles, which sets forth a set of requirements for the protection of Personally Identifiable Information (PII) in the cloud:

• Consent and choice.
• Legitimacy and specification of purpose.
• Data minimization.
• Limitation of use, retention, and disclosure.
• Transparency, openness, and notification.
• Accountability.
• Information security.
• Privacy compliance.

The ISO 27018 standard focuses on data privacy in cloud environments, being relevant for companies acting as ‘Data Processors’ and handling Personally Identifiable Information (PII) in the cloud. This standard establishes specific controls and guidelines to ensure the protection of PII in the cloud, adding additional security requirements to the controls already established by ISO 27001.

On the other hand, the ISO 27701 standard expands the privacy requirements of ISO 27001, with the aim of assisting organizations, whether they are ‘Data Controllers’ or ‘Data Processors’, in managing and protecting personal data more effectively. This standard is not limited to a specific cloud environment but applies to any organization handling personal data, providing a framework to implement an Information Privacy Management System (IPMS) that integrates into the existing Information Security Management System (ISMS).

At GlobalSuite Solutions, we offer the necessary assistance and support for the complete adaptation of your organization to both ISO 27701 and ISO 27018 standards. Our experts will guide you, identifying your specific needs, and providing you with the best practices for privacy management and data protection. Our GlobalSuite® software, on the other hand, facilitates process automation, offering an intuitive platform that allows you to integrate and manage all your information security and privacy management systems efficiently and effectively. In this way, we help your organization ensure compliance with the standards, minimize risks, and optimize your resources to assist you in obtaining the corresponding certifications.

Contact us today and take the security and privacy of your information to the next level!