
ISO 27701

26 November 2025

The international standard for privacy information management

What is ISO 27701?

ISO/IEC 27701:2019 is a privacy extension to the international information security management standard ISO/IEC 27001. Its full title is ISO/IEC 27701:2019 – Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines.

ISO 27701 specifies the requirements for – and provides guidance for establishing, implementing, maintaining and continually improving – a PIMS (privacy information management system).

ISO 27701 is based on the requirements, control objectives and controls of ISO 27001, and includes a set of privacy-specific requirements, controls and control objectives.

Alternatively, for a clear and concise overview of the principles of personal information management and ISO/IEC 27701, read our bestselling pocket guide ISO/IEC 27701:2019: An introduction to privacy information management.

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations certified to ISO/IEC 27001:2013 were given a three-year transition period, ending 31 October 2025, to make the necessary changes to their ISMS (information security management system) and transfer their certification to the 2022 edition.

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, see our ISO 27001 and ISO 27002: 2022 updates page.

Who needs ISO 27701?

ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organisation addresses the specific risks it faces, as well as the risks to personal data and privacy.

Why was ISO 27701 developed?

The DPA (Data Protection Act) 2018 and the UK GDPR (General Data Protection Regulation), together with the EU GDPR, require organisations to implement appropriate technical and organisational measures to protect the personal data they process.

However, none of these laws provide much guidance on what those measures should look like.

ISO (the International Organization for Standardization) and IEC (International Electrotechnical Commission) developed ISO 27701 to provide that guidance.

Speak to an expert

For expert advice on GDPR compliance or on implementing ISO 27701, ISO 27001 or BS 10012, call us on +44 (0)333 800 7000 or request a call back. Our experts are ready with practical advice.

How do ISO 27001 and ISO 27701 integrate with each other?

ISO 27001 establishes the requirements for an ISMS (information security management system) that takes a risk-based approach to security, covering people, processes and technology.

Certification to ISO 27001 provides stakeholders with assurance that data is being secured appropriately.

Organisations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management, including the processing of PII (personally identifiable information), which can help them demonstrate compliance with data protection laws such as the GDPR.

Organisations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.

What’s the difference between a privacy information management system and a personal information management system?

There is little material difference between a privacy information management system (aligned with ISO 27701) and a personal information management system (aligned with BS 10012). Although there are some differences in the approach taken by each standard, both are suitable for organisations looking to improve security and management of the personal data they hold.

ISO 27701 control mappings

As well as providing privacy-specific requirements, controls and control objectives for controllers and processors, ISO 27701 includes annexes that map them to:

  • ISO 29100 (Information technology – Security techniques – Privacy framework);
  • ISO 29151 (Information technology – Security techniques – Code of practice for personally identifiable information protection); and
  • ISO 27018 (Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).

It also contains an annex that maps its requirements and controls to the GDPR’s requirements, so ISO 27701 can be used as a GDPR compliance guide by data controllers and processors.

For instance, data controllers’ obligations for meeting data subjects’ rights under the GDPR are covered by ISO 27701’s controls covering obligations to PII principals.

Guidance is provided for implementing each control.

Demonstrate GDPR compliance with ISO 27701 and ISO 27001

ISO 27701 and ISO 27001 will help you meet GDPR requirements and show that you have the necessary security measures in place to protect personal data and uphold data subjects’ rights.

Article 42 of the GDPR discusses data protection certification mechanisms and data protection seals and marks. It is possible to achieve independently accredited certification to ISO 27001 and, as an extension to that ISO 27001 certificate, to ISO 27701 if you implement its controls. Such certification demonstrates to stakeholders and regulators that your organisation is following international best practice when it comes to securing personal data/PII. Note, however, that ISO 27701 certification is not itself an approved Article 42 certification mechanism, so it supports, rather than replaces, your own evidence of GDPR compliance.

Find out more about ISO 27001 certification

We’ve been leading ISO 27001 certification projects since the Standard’s inception.

We have everything you need to extend your ISMS to cover ISO 27701 and privacy management.