Management of personal data and GDPR requirements using ISO 27701

ISO/IEC 27701 is an extension to ISO 27001, the standardized information security management system, and it focuses specifically on the processing of personal data. In addition to the information security management system, the new extension is a good step towards compliance with the requirements of the European Union's General Data Protection Regulation (GDPR).

How are ISO 27701 and ISO 27001 related?

The ISO 27701 standard provides organizations with a reference framework that helps them develop a privacy information management system that takes different data protection laws and requirements into account. The standard can be added to the ISO 27001 management system, an internationally used information security management system, either during its construction or implementation phase or afterwards.

ISO 27701 is an extension of the management system that specifically concerns data protection, so ISO 27701 cannot be used alone without the ISO 27001 information security management system. While ISO 27001 requires an organization to have an information security management system (ISMS), the new extension requires an organization to have a privacy information management system (PIMS). Thus, an organization with an ISO 27701-certified system in use has both an ISMS and a PIMS in use. With these systems, it is easier for the organization to take care of its information security and data protection as a whole in an appropriate way.

GDPR and ISO 27701

The standard refers directly to the European Union's General Data Protection Regulation (GDPR). It is good to note that this is not a legal guarantee of fulfilling the terms of the GDPR, so the possibility of sanctions still exists. However, the risk of sanctions is substantially lower, and the standard works well for managing so-called regulatory risk. In addition, the management system can include the requirements of the GDPR, which means that an organization is overall in a very good position in terms of meeting the GDPR's conditions. When an organization wants to make sure that the requirements of the GDPR are met, it can commission a data protection impact assessment.

The new extension has yet another strength in relation to the GDPR: a certified management system can be used to fulfill the obligation under EU legislation to demonstrate compliance.

Like other standards certified by a third party, ISO 27701 is helpful in contract negotiations where the customer has requirements regarding information security or data protection. By implementing this extension, a company can gain a direct competitive advantage, in addition to having its information security and data protection carefully managed.

Interested in hearing more about our ISO 27701 services?