It is a privacy extension to ISO 27001 (Information Security Management) and ISO 27002 (Security Controls). It sets out the policies and procedures you need to safeguard personal information and comply with relevant legislation.
ISO 27701 helps you identify your objectives and determine the processes and resources required to manage privacy-related risks and opportunities. This is done by implementing a Privacy Information Management System (PIMS).
You may already have a number of policies and procedures in place to help manage your privacy information risks.
However, making sure that everybody is aware of your policies and that everyone follows them in the same way can sometimes be difficult to manage.
With the ISO 27701 Standard, you will have a robust framework to help you define, document, monitor, review and update your privacy information management processes, ensuring they are consistently applied.
How do I implement ISO 27701?
- Define the context of the organisation (e.g. interested parties) and determine the scope of the PIMS.
- Plan how to address risks and opportunities.
- Set Information Security objectives and plan how to achieve them.
- Outline resources (people, infrastructure, etc) and documentation necessary to support the PIMS.
- Establish performance evaluation procedures (including an internal audit function).
- Define an improvement process.
What is a Privacy Information Management System (PIMS)?
A Privacy Information Management System, or PIMS, is a set of processes, policies and records that define and describe how your organisation manages its privacy-related risks. A well-designed PIMS needs to be constructed around the specific needs of the company in question, but it is here that ISO 27701 can serve as an excellent guide to the sorts of policies and procedures to implement.
What does ISO 27701 cover?
The aim of ISO 27701 is to help organisations protect the privacy of individuals, acknowledging that such protection “in the context of the processing of Personally Identifiable Information (PII) is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.” Building on ISO 27001’s Information Security Management System, ISO 27701 takes a systematic approach to privacy information management that looks at a broad range of factors, from cryptographic controls through to supplier management.
Who needs ISO 27701?
ISO 27701 is perfect for any organisation, whatever its size, looking to effectively manage its PIMS risks and capitalise on any opportunities. It is also a great fit for those organisations that are already ISO 27701 certified but are looking to address the complicated issue of data protection.