ISO 27701
Privacy Information Management System
WHAT IS ISO 27701?
ISO/IEC 27701:2023 is a privacy extension to the international information security management standard, ISO/IEC 27001 (ISO/IEC 27701 Security techniques – Extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidance). ISO 27701 specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of requirements, controls and control objectives that are specific to privacy.
WHO SHOULD APPLY ISO 27701?
ISO 27701 has been designed for use by all data processing and management officials. Just like ISO 27001, it supports a risk-based approach so that every complying organization can address the specific risks it faces, as well as its personal data and privacy risks.
WHAT IS THE DIFFERENCE BETWEEN A PRIVACY INFORMATION MANAGEMENT SYSTEM AND A PERSONAL INFORMATION MANAGEMENT SYSTEM?
The key difference lies in who is in control: Privacy IMS (like ISO 27701) is a corporate framework that helps organizations comply with GDPR and securely manage third-party data. In contrast, Personal IMS focuses on the individual, giving the user the tools to control access to their information through digital “treasures”. Although in corporate practice ISO 27701 and BS 10012 standards present small tangible differences in their structure, the essential distinction remains: the former concerns corporate accountability, while the latter concerns digital citizen autonomy.
HOW DO ISO 27001 AND ISO 27701 INTERCONNECT?
ISO 27001 defines the requirements for an ISMS (information security management system), a risk-based approach that includes people, processes and technology. Independently accredited ISO 27001 certification provides stakeholders with assurance that their data is adequately protected.
Organizations that have implemented ISO 27001 will be able to use ISO 27701 to extend their efforts to cover privacy management – including the processing of personal data/PII (personally identifiable information) – which can help them demonstrate that reasonable steps have been taken to comply with data protection laws such as the GDPR. Organizations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.