New ISO / IEC 27701: 2019

The Keys to understanding the benefits and requirements of implementing ISO 27701 in our organization

What is ISO 27701?

This month of August 2019 has brought with it the release of the new privacy standard: ISO 27701, as an extension guideline to the requirements and controls established in ISO 27001 and ISO 27002. This standard has been designed to enable the addition of specific requirements for the Privacy sphere, without the need for developing a parallel Management System. All in all, ISO 27701 will provide to organizations the requirements to:

  • Manage Personal Identifiable Information (PII);
  • Monitor the processing of PII and;
  • Protect Information Privacy related to PII

This ISO standard is aimed for all types of organizations, regardless their size, complexity or country of operation.

Why implementing a Privacy Information Management System?

Processing personal data in itself is not something new, what is new is the ever-increasing requirements, especially since the GDPR came into force, that have complexified the necessary data exchange between departments within an organization, or within different organizations for rendering services or performing daily operations correctly. This increased complexity has made a necessity for organizations to implement a Privacy Information Management System, able to answer and fulfill the requirements and regulations set by each company.  

Benefits of implementing ISO 27701 in our organization

  1. Gain trust from your clients by demonstrating compliance to your organization countries’ regulation on Data Protection
  2. Improve your continuous improvement process and transparency within your Privacy Information Management System
  3. Increase your efficiency managing your Security and Privacy Risks by integrating both Management Systems
  4. Get ahead potential future certifications specific for the GDPR

What will I find in ISO 27701: an overlook to the standard

In a more detailed way, ISO 27701 enlarges the requirements for ISO 27001 and ISO 27002 in order to place a higher emphasis in Privacy Protection, in regards how this could be potentially affected by processing Personal Information.

The Standard will be divided in the following clauses:

  • Clause 5: The requirements set in this section share traceability with those in clause 4 and 10 from ISO 27001, extending the requirements on information protection, specifically in clause 4 on the organizational context and clause 6 on risk treatment plan, nevertheless, it does not point out additional requirements for other clauses.
  • Clause 6: This section extends the requirements established in the good practices guideline from ISO 27002 and the controls established in Annex A from ISO 27001. It goes over the 114 controls enlarging the requirements on information protection, creating particular controls for the domains from 5 to 18, with the exception of domain 17, where no additional measures are established.
  • Clause 7: This clause established additional controls and their implementation guide for the Personal Identifiable Information owners. Organizations are not obliged to implement these controls in its entirety, but properly justifying its applicability or exclusion.
  • Clause 8: In a similar manner to the requirements established in clause 7, this section established additional controls and recommends their implementation for the person in charge of processing data from contracted third parties, considering whether these, at the same time, are subcontracting services.

How does GlobalSUITE help organizations to efficiently implement ISO 27701?

Said this, deploying a software fully designed by a team of expert consultants helps our organizations to:

  • Manage both Systems from one platform, being able to share:
    • Privacy and Security Risks
    • Privacy and Security Controls
    • Risk and Control Assessment Methodologies
    • Compliance and Risk Catalogues
    • Organizational structure including processes and assets
  • Achieve a clearer and wider view on Information and Privacy Security, significantly improving the monitoring for KPIs, Objectives, Incidents, Non-Conformities and Corrective Actions
  • Improve decision making process by obtaining a 360º view
  • Achieve greater control of our Privacy and Security Risks
  • Reduce management costs and time, thus, obtaining a higher ROI