Statement: Coronavirus (COVID-19)

ISO/IEC 27701 - Q&A Session

1. What is the purpose of ISO/IEC 27701 and why is it so important?

The purpose of the ISO/IEC 27701 requirements is to incorporate the protection of Privacy Information in a client’s Management System. Within the past few years, many countries and states have implemented legislation and guidelines to protect the privacy of personal information. 

The ISO/IEC 27701 standard provides guidance for organizations how to review, evaluate and to maintain principal’s privacy information, and the technical/security controls needed to protect the management, the processing, the storage and the deletion of this data. Additionally, ISO/IEC 27701 helps organizations to demonstrate through third party audits that they have taken the steps to incorporate the various controls in accordance with regulatory requirements.

Furthermore, for organizations which have been already certified to the ISO/IEC 27001 standard, ISO/IEC 27701 serves as a continual improvement of ISO/IEC 27001 since it chooses to implement and enhance their management system with the protection of Privacy Information. 

Governments are also requiring evidence from their supply chain to demonstrate that CUI – Controlled Unclassified Information – is protected by their vendors.

2. Which are the most important clauses of this standard?

The following clauses are very important to the standard:

  • "Information Security" shall be extended to the protection of privacy as potentially affected by the processing of PII (Clause 5.1).
  • The organization should ensure that people under PII control are made aware of the definition of PII and how to recognize information that is PII (Clause 6.5.2.2). 
  • The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals (Clause 5.2.2).
  • The organization shall apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability, within the scope of the PIMS.
  • The organization shall apply privacy risk assessment process to identify risks related to the processing of PII, within the scope of the PIMS (Clause 5.4.1.2).
  • The organization shall ensure throughout the risk assessment processes that the relationship between information security and PII protection is appropriately managed (Clause 5.4.1.2).

3. Which industries can benefit the most from this standard and how?

Almost all industries would benefit from this standard if they engage with employees and work with software vendors where information is stored, processed or used in a transaction. Even if a vendor makes widgets, there would still be some information either employee, clients or vendor information. 

The process to identify Personal Identifiable Information (PII) should be performed. Invoices created or any other business processes transacted on the web will determine that in some way or another the exchange or handling of PII or CUI will occur. Thus, all organizations should seek to get certification against ISO/IEC 27701, for instance, service companies or any other company that handles and processes PII, CUI or data processing. 

4. What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is considered to be any information that can be used to recognize a specific person. By having access to PII without the person’s knowledge, this rogue party can use this information to take advantage of the other person’s credentials, without the person’s permission or knowledge in a compromising way.

5. What is the difference between PII Processor and PII Controller?

A PII Processor is an entity (company), who processes, or uses the PII for legitimate purpose and with the person’s consent for the purpose given. They may use this information for the purpose of processing a transaction on behalf of the PII Principal, i.e. credit card processing, processing and sharing PII data with other parties for the purpose of Payroll and benefits, etc. 

PII Controller receives the PII data by permission and for the purpose of something specific. The PII controller protects the PII data but does not change it or use in any unlawful way. 

6. What is the relation between ISO/IEC 27701 and ISO/IEC 27001?

The relationship between the ISO/IEC 27001 and ISO/IEC 27701 is that they apply the basic principle and process of protection for both Information Security and Privacy. The additional Annex A Controls of ISO/IEC 27701, enables companies to build on the foundation of the ISO/IEC 27001 standard, by implementing  the additional controls, specifically, those for handling the protection of privacy of information. 

7. Is it necessary for an organization to be certified with ISO/IEC 27001 before seeking ISO/IEC 27701 certification?

Yes, considering that ISO/IEC 27701 is an extension to ISO/IEC 27001, organizations seeking certification against ISO/IEC 27701 need to be first certified against ISO/IEC 27001. 

8. Will the ISO/IEC 27701 certificate prove that you are in compliance with GDPR?

The certification indicates that the organizations meet the requirements of the ISO/IEC 27701 standard, however, the organization can implement appropriate controls as required by regulatory and legal requirements i.e. GDPR, CCPA and NY Shield Act, and other state requirements for the protection of data. The ISO/IEC 27701 has a very detailed and clear mapping to GDPR clauses, therefore, when the standard is implemented with GDPR as a primary focal point, it ensures that all the clauses of GDPR have been taken into consideration.

Thus, organizations can demonstrate alignment and governance to the GDPR requirements, though they should not claim certification to GDPR.

9. How does the certification audit against ISO/IEC 27701 help organizations?

The certification against ISO/IEC 27701 helps organizations to be cognizant of how and where PII information is being used by them, and their responsibility to protect this data and not be sued for a security breach, or misuse of information. Organizations can ensure that any legal, contractual and regulatory requirements have been evaluated and are managed as required. The certification process will enable organizations to review and address any gaps and mitigate risks through careful review and data impact analysis (DIA).

10. What are some tips to get ready for a certification audit against ISO/IEC 27701?

From my experience, once organizations begin the analysis process for the types of data managed, processed, and utilized within the organization, the application and enhancement to incorporate the privacy controls becomes easier, in particular when they already have the ISO/IEC 27001 certification. The analysis of the data, how it is used, the identification of their vendors/suppliers, how and when the  data is exchanged between the two organizations, and the application and usage of this data either by the organization or their suppliers is a critical phase. These steps help to ease the implementation and management processes that protect the privacy of this information. 

However, the client must be made aware that based on the size of the organization and the scope of the certification, new policies or changes to policies and processes, the appropriate awareness training, technical controls and/or the use of technologies or other controls would have to be managed, defined and  implemented. 

11. What would be your advice towards the organizations that are thinking of getting certified?

As more states and countries adopt privacy laws, it has become a critical requirement for many if not all businesses to implement and manage the security and protection of PII. Organizations may face loss of business and reputation, get penalized by clients, partners or vendors if they have a security breach without appropriate security controls. The protection of information, is also a protection from threats and vulnerabilities which cause harm to the company. 

About Nazma Ahmed

Since 2016, Nazma Ahmed has been part of our great network of auditors. As an Approved MS Auditor, Nazma has conducted more than 90 audits on behalf of PECB MS. The work and dedication shown in auditing of ISO 9001, ISO/IEC 20000-1, ISO 22301, ISO/IEC 27001, and ISO/IEC 27701 has been immensely noted and highly valued by all our clients and PECB MS team.