What is ISO 27701?
In August 2019, ISO 27701 was published as an extension to the requirements and controls set out in the ISO 27001 standard and the ISO 27002 Good Practice Guide. It is designed to allow industry-specific requirements to be added without the need to develop a new management system, giving organizations the requirements to manage and protect the privacy of personally identifiable information (PII).
The standard is intended to be used by all types of organizations, regardless of their size, complexity or the country in which they operate.
The processing of personal information is nothing new. What has changed is its exponential growth, driven by the need to exchange information between departments of the same company and, even more so, between different organizations in order to deliver services correctly. This makes it necessary to verify that such information is properly managed and protected by a Privacy Information Management System (PIMS), in accordance with the laws and regulations of each country.
Structure of ISO 27701
In more detail, ISO 27701 extends the requirements of ISO 27001 and ISO 27002 to take into account the protection of privacy, which may be affected by the processing of personal information, in the following sections:
- Clause 5: The requirements in this section map to clauses 4 to 10 of ISO 27001. They extend the information protection requirements specifically in clause 4 (context of the organization) and clause 6 (planning, for risk management), and add no further requirements to the remaining clauses.
- Clause 6: This section extends the requirements of the ISO 27002 Good Practice Guide and the controls in Annex A of ISO 27001. It reviews the 114 controls and extends the information protection requirements in control domains 5 through 18, with the exception of domain 17 (Information Security Aspects of Business Continuity), where no measures are added to the existing ones.
- Clause 7: Defines additional controls and implementation guidance for owners of Personally Identifiable Information (PII). These controls need not all be implemented, but their applicability or exclusion must be duly justified.
- Clause 8: Similar to clause 7, this section establishes additional controls and implementation guidance for those responsible for processing personal information on behalf of contracting third parties, also taking into account whether they, in turn, outsource services.
As discussed above, ISO 27701 refers to the data protection legislation in force in the country where it is implemented. This makes it an ideal basis for organizations that want to give their customers confidence, supported by continuous improvement and transparency in their processes and procedures. Since it is a certifiable standard associated with ISO 27001, it is expected that this standard can also cover future certifications associated with the General Data Protection Regulation (GDPR).
At AUDISEC, with the support of the GlobalSUITE® software, we offer the help and support needed to fully adapt your organization to the new ISO 27701 standard and obtain the corresponding certification.
The software, fully developed by our team, allows the implementation, management and maintenance of all the requirements of the standard in organizations of all types and sectors. Turn ISO standards management into a simple process with GlobalSUITE® management software.