What the ISO/IEC 27701 Announcement Means for Your Business

The International Organization for Standardization has published the first International Standards for privacy information management. ISO/IEC 27701 specifies requirements for “establishing, implementing, maintaining and continually improving a privacy-specific information security management system.” This is a groundbreaking standard for privacy that will help organizations of all sizes, jurisdictions, and industries effectively protect and control the personal data they handle.

Dr. Andreas Wolf, Chair of the ISO/IEC technical committee that developed the standard, said that almost every organization processes personally identifiable information (PII) and that safeguarding it is both a legal requirement and a societal need. ISO/IED 27701 is designed to help businesses not only meet the legal requirements they are subject to, but also demonstrate their commitment to the social responsibilities that come with collecting and processing user data.

What is ISO/IEC 27701 and why was it created?

ISO/IEC 27701 builds on ISO/IEC 27001, which provides guidelines for information security management systems. ISO/IEC 27701 goes one step further and provides guidelines for building, managing, and updating systems to keep private information secure and give businesses more practical guidance. It provides more actionable information for meeting the standards laid out in ISO/IEC 27001.

According to Dr. Wolf, “ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever-evolving basis . . . it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn’t stand still.”

ISO/IEC 27701 was developed because the ISO understands that although it’s risky for businesses not to comply with data privacy standards, many of them simply lack the knowledge, tools, and guidance to come into compliance with them. 

Matthieu Grall, a member of the Commission Nationale de l’Informatique et des Libertés, the French independent watchdog for the protection of personal data, stated that there is a very real need for a standard like ISO/IEC 27701:

Despite the risks of not complying [with] these regulations, we know that many organizations are simply not ready and need guidance. With the number of complaints and fines related to privacy and data protection on the rise, the need for this standard is now obvious. Moreover, organizations need to bring trust to their authorities, partners, customers, and employers. Such a standard will contribute strongly to this trust.

A standard that helps with GDPR compliance

ISO/IEC 27701 is the first ISO standard that references frameworks not developed by ISO. Specifically, it references GDPR, which has been the subject of a lot of discussion by data compliance experts. GDPR has been in effect for more than a year, but a 2019 survey found that less than half of businesses are GDPR compliant, and one in five respondents said they believed that full compliance with GDPR is impossible to measure. Clearly, businesses are struggling with GDPR compliance, and ISO/IEC 27701 can help them see a clear path to compliance.

ISO/IEC 27701 maps so closely to the requirements in GDPR that some groups in the compliance space speculate enforcement agencies will eventually adopt it as a certification standard for GDPR. For businesses that are required to be GDPR compliant, ISO/IEC 27701 provides guidelines that can help them begin to work towards compliance while also implementing processes and policies that are compliant with other frameworks.

ISO/IEC 27701 gives businesses guidelines for extending their security efforts to cover privacy management, while it will ultimately help them demonstrate compliance with GDPR and other data protection laws.

Privacy information management systems vs. personal information management systems

ISO/IEC 27701 lays out specifications for establishing and managing “privacy-specific information security management system[s].” Essentially, these are systems a business can put into place to protect the PII that they store or process, and ISO/IEC 27701 gives businesses a standard they can compare their privacy information management systems against. These systems are put in place and utilized by businesses to protect the information they store and aren’t accessed or used by customers.

A personal information management system (PIMS), on the other hand, is a tool that allows users to control their personal data and manage how it’s used and whether they consent to give third parties access to their data. Frameworks such as GDPR and CCPA were designed to give users more control over their data, and a PIMS is a way to put control of that data directly into the users’ hands. They’re put in place by businesses, but the end-users are their customers.

While these two systems are different from each other, they have the same goal: to protect the personal information users trust to businesses and give users more control over their data.

ISO/IEC 27001 gives businesses guidelines for developing the internal systems that can help them give customers the required access and control.

Is ISO/IEC 27701 compliance necessary?

Similar to ISO/IEC 27001, ISO/IEC 27701 is a widely applicable framework and your business will benefit from compliance in a variety of ways. However, because ISO/IEC 27701 is an extension of the ISO/IEC 27001 standard, there isn’t a separate certification for it. Certification for 27701 has to be  obtained as an extension of ISO/IEC 27001 compliance. You can’t be 27701 compliant without being 27001 compliant, but pursuing compliance is still a good move for your business.

First, it is a way for your business to show you take protecting your users’ data seriously. It can be a big selling point for B2B providers whose clients want to know you’re taking steps to protect personal data and that you’re being proactive about compliance with the newest and most up-to-date data security frameworks. As more businesses begin to get ISO/IEC 27701 certified, companies will likely find that although it’s not legally required, more and more businesses are requiring their partners and vendors to be compliant with the standard.

Second, businesses that are accountable to multiple data compliance frameworks can use ISO/IEC 27701 to meet the compliance standards for those frameworks. Implementing ISO/IEC 27701 can help you build controls and systems that meet multiple data security standards and data privacy laws and requirements, as opposed to working through the requirements of each one individually and building multiple controls to meet multiple requirements. Specifically, ISO/IEC 27701 can help you come into compliance with GDPR, which is something that many businesses have struggled with. 

How you can move forward with ISO/IEC 27701

ISO/IEC 27701 is not another compliance headache; it can be a big asset to your business and help you realign your compliance efforts with some of the most important compliance frameworks today.

This is the first regulation of its kind, and ultimately it will be beneficial for the businesses that choose to invest in compliance. Making the investment in meeting the ISO/IEC 27701 standard will not only help you more effectively protect your user’s data but also allow you to demonstrate to potential clients and users the fact that you take data protection seriously.