The European Union’s GDPR [General Data Protection Regulation] has ushered in a new era of privacy regulation and compliance. More privacy regulations have since been enacted in other jurisdictions, which requires organizations to implement policies and procedures that assure compliance with a growing list of privacy regulations.
Additionally, we are in the midst of a rapid digital transformation in which data collection and processing are increasing dramatically. The simultaneous growth in data volume and in the regulatory requirements that apply to that data makes compliance increasingly complex for organizations.
The new international standard ISO/IEC 27701 Privacy Information Management System [PIMS] helps organizations reconcile privacy regulatory requirements. Known as ISO/IEC 27552 during its drafting period, ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management. It is an international management system standard that outlines a comprehensive set of operational controls which can be mapped to various regulations, including the GDPR.
Once the mapping is done, the PIMS operational controls are implemented by privacy professionals and audited by third-party auditors. This results in a certification and comprehensive evidence of conformity. The standard provides guidance on the protection of privacy, including how organizations should manage personal information.
Vendors need to certify against PIMS. This will be effective for establishing responsible privacy practices among suppliers and partners, irrespective of the size of your organization. ISO/IEC 27701 will help address three key compliance challenges:
- Multiple Regulatory Requirements: Reconciling multiple regulatory requirements through the use of a universal set of operational controls will enable consistent and efficient implementation.
- Auditing Regulation-by-Regulation: Auditors, both internal and third-party, will be able to assess compliance with several regulations using a universal operational control set within a single audit cycle.
- Certificate of Compliance: Commercial agreements involving movement of personal information may warrant certification of compliance.
Building Blocks of The Standard
PIMS is built on top of the most widely adopted international standard for information security management, ISO/IEC 27001. If your business is already familiar with ISO/IEC 27001, integrating the new privacy controls of the Privacy Information Management System [PIMS] will be more efficient, which means that implementing and auditing both will be less expensive and easier to achieve.
PIMS adds new Controller-specific and Processor-specific controls, which help bridge the gap between security and privacy. It also provides a point of integration between what may be two separate functions in an organization.
ISO/IEC 27701 helps organisations with:
- Building trust in managing personal information
- Maintaining transparency between stakeholders
- Facilitating effective business agreements
- Defining roles and responsibilities
- Supporting compliance with privacy regulations
- Reducing complexity
Does Your Organisation Need a Privacy Information Management System?
ISO/IEC 27701 certification can be implemented by organizations of all types and sizes, including government entities, public and private companies and not-for-profit organizations.
So, whether your organization is a Controller or a Processor, you should consider pursuing certification, either for your own organization or as requested by clients, vendors and suppliers, based on your business requirements.
This applies especially to co-controllers, processors and sub-processors, along with those who process sensitive personal data or high volumes of personal data.
The standard provides guidance for organizations that are responsible for PII processing within an Information Security Management System [ISMS], specifically:
- PII Controllers [including those who are joint PII controllers]
- PII Processors
ISO/IEC 27701 Requirements
Privacy depends on security, and similarly the Privacy Information Management System [PIMS] depends on ISO/IEC 27001 for security management. PIMS certification should therefore be obtained as an extension of an ISO/IEC 27001 certification, rather than independently.
If you already have an ISO/IEC 27001 Information Security Management System in place, you are ready to get started with ISO/IEC 27701. The guidance and requirements for ISO/IEC 27701 PIMS span 8 clauses and 6 annexes, which include personally identifiable information [PII] controls and mappings to related standards and to the GDPR.
It is crucial that you understand all of the guidance, requirements and controls and ensure they are appropriately implemented across your organization.
Neumetric is a cyber security advisory and consulting organization that can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security across multiple industries allow us to quickly execute security activities that add value to you, while you continue focusing on the business objectives of your organization.