What is ISO 27701? An Introduction to Privacy Information Management

Published: February 3rd, 2021

Author: Matt Quinn

Categories: ISO Risk Management

ISO/IEC 27701 is the international standard for privacy information management. It is an extension of ISO/IEC 27001 and ISO/IEC 27002 (information security management).

ISO 27701 directly relates to requirements found in data protection regulations such as the General Data Protection Regulation (GDPR).

The newly published standard was written with the intent of satisfying the requirements of the GDPR and other privacy regulations.

If ISO 27001 is the go-to standard for implementing an information security management system, then ISO 27701 aims to become the go-to standard for implementing a privacy information management system.

The two standards share a significant overlap in technical requirements, which makes adopting ISO 27701 a straightforward decision if you have already adopted ISO 27001.

 

What is Privacy Information Management?

Privacy information management concerns how an organization (i) collects, (ii) stores, (iii) uses and (iv) erases the personally identifiable information (PII) that it has collected from individuals.

PII is classified as any information that would help identify an individual. PII controllers and PII processors are responsible for the legal collection of PII and for how it is handled.

There are very strict regulations that govern:

1) The collection and use of PII,

2) Protection of PII,

3) The rights that individuals have to their PII.

The collection and use of PII must have a purpose.

PII must be protected (stored in a safe place and encrypted).

Data subjects have the right to erase, modify and request the information that an organization holds on them.

 

How does ISO 27701 help my organization?

The ISO 27701 extension covers the kind of requirements found in a general data protection regulation: controls that help organizations legally collect and process PII.

This allows your organization to create and maintain a privacy information management system (PIMS). As with ISO 27001, the extension provides control objectives and controls for your organization to consider implementing.

Organizations that have implemented ISO 27001 (or are looking to implement it) can consider adding ISO 27701 to help them comply with data protection regulations.

General data protection acts are becoming more common globally, with each country adopting its own to protect personal data.

If you wish to be audited or certified against ISO 27701, you will need to implement ISO 27001 alongside it.

BSI offers training courses for auditors and implementers of ISO 27001 and 27701.

ISO 27001 and 27701 are audited together as a single integrated management system, meaning, for example, that your organisation will need an integrated risk management regime.

Organizations that have already obtained ISO 27001 certification will have an easier time obtaining ISO 27701 certification.

ISO standards are globally recognized standards for establishing, implementing and maintaining a management system based on best practices.

Organisations can achieve ISO 27701 certification by submitting to an independent audit.

Being ISO certified holds many advantages, as ISO standards were created to ensure consistency in practices globally.

It demonstrates that you have been audited against the requirements of the standard and passed. This may be a prerequisite for doing business with some organizations.

 

The Importance of Privacy Information Management

The purpose of a privacy information management system is to ensure that your organization complies with regulations such as the GDPR. The penalty for breaking data protection laws can be severe.

The maximum penalty under GDPR is a fine of £17.5 million or 4% of global turnover (whichever is greater). Other countries under different regulations may have different penalties, but damage to reputation can be just as severe.

Note that even after Brexit, the Data Protection Act 2018 remains in force, so organisations can still be fined by the Information Commissioner’s Office for data breaches.

As more countries adopt privacy regulation, the importance of a rigorous privacy information management system will only increase.

A survey from Acquia found that “65% of respondents would stop using a brand that was dishonest about how it was using their data”. Holding ISO 27701 certification demonstrates your commitment to data privacy.

There are growing concerns about how personal data is being used. Demonstrating compliance with privacy regulations may boost revenue and increase consumer trust.

 
