ISO 27701


ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

ISO/IEC 27701 is intended to be a certifiable extension to ISO/IEC 27001 certifications. In other words, organizations planning to seek an ISO/IEC 27701 certification will also need to have an ISO/IEC 27001 certification.

The intended application of ISO/IEC 27701 is to augment the existing ISMS with privacy-specific controls and, thus, create PIMS to enable effective privacy management within an organization.

A robust PIMS has many potential benefits for PII Controllers and PII Processors, with at least three significant advantages. Each advantage below is followed by a note on how the InfoComply platform can help support a PIMS.

InfoComply experts are ready to guide you with industry-proven solutions and best practices, with the bottom line of faster compliance and reduced risk.

First, achieving compliance with privacy requirements (particularly laws and regulations, plus agreements with third parties, plus corporate privacy policies, etc.) is burdensome, especially if the requirements are not organized in the most effective way for PII Controllers and PII Processors. Organizations subject to multiple privacy compliance obligations (e.g. from several jurisdictions in which they operate or in which data subjects live) face additional burdens to reconcile, satisfy and keep watch on all the applicable requirements. A managed approach eases the compliance burden: for example, as demonstrated by Annex C of the standard, a single privacy control may satisfy multiple requirements from the General Data Protection Regulation (GDPR).

The InfoComply platform provides ISO 27701 Privacy Information Management System (PIMS) templates to assist with PIMS decision-making according to clause 5 of the ISO 27701 standard, including evaluating your organization and its context, understanding the needs and expectations of interested parties, determining the scope of the PIMS, identifying leadership roles and responsibilities, establishing and tracking objectives, defining risk criteria, and more.

Second, achieving and maintaining compliance with applicable requirements is a governance and assurance issue. Based on the PIMS (and, potentially, its certification), Privacy or Data Protection Officers can provide the necessary evidence to assure stakeholders such as senior management, owners and the authorities that applicable privacy requirements are satisfied.

InfoComply software provides an audit and attestation module to document all the evidence of compliance, which helps in achieving and maintaining certification. The platform also assists in building awareness among employees and consultants of the organization's privacy policy, roles and responsibilities, and the impact of not conforming to regulation.

Third, PIMS certification can be valuable in communicating privacy compliance to customers and partners. PII Controllers generally demand evidence from PII Processors that the PII Processors' privacy management system adheres to applicable privacy requirements. A uniform evidence framework based on an international standard can greatly simplify such communication of compliance transparency, especially when the evidence is validated by an accredited third-party auditor. This communication of compliance transparency is also critical for strategic business decisions such as mergers and acquisitions and co-Controller scenarios involving data sharing agreements. Lastly, PIMS certification can potentially serve to signal trustworthiness to the public.

InfoComply software has a feature set to conduct internal audits against the ISO standard using clause 5 and Annex A/B controls. The software comes with packaged templates for conducting internal and external audits and documenting corrective action plans.

Other InfoComply features mapped to Annex A and B requirements

Risk Assessment

Clause 5 includes documenting the risk methodology and risk treatment plans and tracking them to completion. InfoComply assessment automation and an extensive set of templates help in identifying risks to individuals as a result of processing their personal data and in coming up with treatment plans.

Record of Processing Activities

Annexes 7 and 8 require organizations to maintain a detailed inventory of the data processing activities they perform and the supporting obligations. With the InfoComply data mapping module, organizations can collect information about the purpose, type and process by which personal data is being collected, used, stored, and transferred, as well as generate data flow visualizations.

Consumer Rights Management

Annex 7 states that organizations should establish, document and uphold their obligations to individuals as required by legal requirements. Individuals need to be provided with proper information about the processing of their personal data.

InfoComply software supports organizations with a Privacy Request Management module to intake requests from consumers, with workflow automation to manage them internally and respond within the time required by regulation.