As privacy regulations continue to be introduced around the global, organizations now have an ISO standard they can look to for guidance. In August of 2019, ISO 27701:2019 was published and included the requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). Notably, the standard is linked to the ISO 27000 series that provides guidance on security techniques for keeping information secure. In fact, ISO 27001 conformance is a required prerequisite for ISO 27701 compliance.
The standards committee went to great lengths to ensure that existing standards help organizations set the floor when it comes to securing systems that store and process PII.
ISO 27701:2019 can be the foundation for compliance with GDPR, CCPA and other privacy regulations that may emerge. The standard is broken into four parts: The first two parts map to existing ISO standards that fall under the ISO 27000 information security standard, the other two are specific to privacy-related elements.
PIMS Requirements Related to ISO 27001:2013
ISO 27001:2013 specifies the requirements for establishing, implementing, and maintaining and continually improving an information security management system (ISMS). Defining the program, scope, charter, framework, vision, policy, alignment to strategy, team, defined activities, training, and communication are all key elements of a successful ISMS.
Additional elements such as benchmarking, mapping data inventories, data flows, performing a risk assessment, incident reports, auditing, regulatory analysis, record retention, vendor management, contractual requirements, data location, Privacy Threshold Analysis (PTA), Privacy Impact Assessments (PIA), and minimum standards for safeguarding information are included in 27701. Beyond that, management review, corrective action, continual improvement, and privacy by design are required.
PIMS Guidance Related to ISO 27002:2013
ISO 27002:2013 is the second major part of ISO 27701:2019. This standard provides the guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization’s information security environments(s). In more everyday language, this part of 27701 gets into the technical elements.
Unlike the first part (ISO 27001), technical environments can vary greatly, hence the use of the word guidance versus requirements. Setting up formal information security, security around employees handling data, creating a security team, access controls, incident reporting, information classification, user access, media handling, cryptography, information asset protection, data backup and recovery, logging, and data transfers are some of the elements that should be considered per ISO 27002:2013. Further, integrating privacy by design into the system development lifecycle (SDLC), vendor risk assessments, overall compliance, audits, and reviews of the security system are all included in detail throughout this standard. The standards committee went to great lengths to ensure that existing standards help organizations set the floor when it comes to securing systems that store and process PII.
Guidance for PII Controllers
The third major part of this standard provides specific guidance for PII controllers. This part and the subsequent parts will likely continue to evolve in future versions of this standard as new risks and technology become evident. Topics such as identifying where PII exists, understanding the lawful collection and processing of PII, understanding and recording consent from individuals, understanding the relationship between processors and controllers, knowing obligations to data subjects, sharing, accuracy, quality, and a deeper dive in regulatory requirements in this standard give processors ample guidance. When key stakeholders or business sponsors want to know specifics of information privacy, this part shines a light on what has to be done above and beyond, complying with PIMS guidelines as it relates to PII.
Guidance for PII Processors
The final major part of this standard is for personal data processors. Understanding the difference between controllers and processors of PII is essential for organizations, for they have specific responsibilities. Data purpose limitation, fairness, transparency, privacy notices, documentation for regulators, vendor management, sharing, managing subcontractors, disclosures to third-parties, transfers between jurisdictions, marketing, and advertising use, and a myriad of other data privacy elements are expanded upon under this part.
In addition to the four major parts, the standard contains guidance that provides the further mapping of other ISO standards and directly to GDPR. Organizations that have an existing focus on ISO 27001 and ISO 27002 certainly have an advantage if they are pursuing ISO 27701 readiness or certification.
ISO 27701 provides organizations the road map to protect PII, but the question is, will organizations invest in ISO 27701 compliance?