
IT GOVERNANCE | GREEN PAPER

ISO 27701
Privacy information
management systems

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | SEPTEMBER 2019

Introduction

Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, such as the California Consumer Privacy Act (CCPA), there has been an increasing need for a standard or code of conduct to support compliance. A small number have arisen, but they lack the international recognition necessary to truly act as an effective mark of assurance.

ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines) was published in August 2019 and is one of the most anticipated standards in information security and privacy management. It aims to fill the assurance gap and provide a genuinely international approach to data protection as an extension of information security.

This paper provides information about the Standard so that organizations with a desire to meet their compliance challenges head-on can take advantage of it. Organizations examining information security and data protection more broadly can also see how the new standard’s approach might meet their needs.

Why an ISO/IEC privacy management system?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are recognized internationally as authorities on management systems and best practice. ISO/IEC publications carry a great deal of weight, and certification to their management system standards through recognized certification schemes is an extremely effective way of both meeting compliance demands and proving your compliance to customers, business partners, and regulators.

While there are already some publications and standards that discuss data protection, many are not international, primarily focusing on data protection requirements and good practice in specific jurisdictions. An approach based on international best practice must be capable of adapting to other regimes and must not impose requirements that hinge on specific legislation. Crucially, this means that ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation, including HIPAA (the US Health Insurance Portability and Accountability Act) and the CCPA.

Beyond these local initiatives, there are also ISO 27018 and ISO 29151, which are codes of practice for protecting personally identifiable information (PII). ISO 27018 is focused specifically on public clouds acting as PII processors, while ISO 29151 takes a more general approach to protecting PII. These standards set out control objectives, controls, and guidelines to protect PII in accordance with an impact and risk assessment. They offer effective guidance, but they are not subject to an externally auditable framework that can offer assurance to third parties. ISO 27701 goes beyond this, setting out management system and control requirements.

While ISO 27701 does not yet have a certification scheme, this is really only a matter of time. Furthermore, there are interim options for asserting compliance, as we discuss later in this paper.

What about ISO 27001?

Even though a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 might already address privacy issues, the requirements of ISO 27001 can be met without fully addressing privacy. This means that certificates of conformity with ISO 27001 are issued without any guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (legislation such as the GDPR and the CCPA often addresses this as ‘technical and organizational measures’), it goes much further than simply protecting the information: the organization must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.

Having a standard that ensures all the relevant privacy issues are factored into a management system means that the resulting certificate must, by default, cover all of those relevant aspects. This also means that a certificate of conformity (when a scheme to provide this is available) gives external stakeholders greater confidence in your privacy management.

The ISO 27701 approach

A privacy management system is different from an ISMS, but the two are closely related. ISO 27701’s approach recognizes that information security (the preservation of the confidentiality, integrity, and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification.

ISO 27701 defines the extra requirements for an ISMS to cover privacy and the processing of PII. These are supported by additional controls that relate specifically to data protection and privacy. As a new whole, this creates what the Standard calls a privacy information management system (PIMS).

Figure: a PIMS is built from ISO 27001 requirements plus ISO 27701 amendments, ISO 27001 controls plus ISO 27701 control amendments, and the additional ISO 27701 controls.

What about complex compliance requirements?

One of the key strengths of ISO 27701 is that it is not bound to a single data protection regime. Instead, it recognizes the general trend of regulation and provides a framework that builds on information security to give organizations the ability to customize their activities to their legal and regulatory environment.

In the US, there is a growing body of such data protection legislation at both federal and state level, building on a range of related information security legislation. Every state now has broadly comparable data breach notification laws, while some states have also mandated protections for specific information, such as under the NYDFS Cybersecurity Regulation. Furthermore, there is mounting pressure on Congress to pass a federal data protection act.

Beyond this, American organizations often have dealings with international customers and partners, which can leave them subject to more stringent regulations, such as the GDPR, Australia’s federal Privacy Act, and Japan’s Act on the Protection of Personal Information.

Taking all this into consideration, a more flexible approach to data protection that also supports compliance with cybersecurity and information security laws is a significant benefit.

The ISO 27701 standard

ISO 27701 was developed by ISO/IEC JTC 1/SC 27 with input from 25 external bodies, including the European Data Protection Board (EDPB).

As already described, the new standard bolts privacy processing requirements onto an ISMS. Part of this requires that anywhere ISO 27001 says “information security”, you instead read “information security and privacy” in all instances. For example, where ISO 27001 uses “information security performance”, ISO 27701 requires you to read it as “information security and privacy performance”.

The Standard then goes on to add privacy-specific requirements to some of the clauses in ISO 27001 and the controls in Annex A, and also adds some privacy-specific controls over and above the existing information security (and now privacy) controls. Finally, it offers guidance that builds on that available in ISO 27002, depending on whether the organization in question is a PII controller and/or a PII processor.

ISO 27701 also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO/IEC 29100. These cover a wider range of privacy concerns, including those espoused in data protection regulations internationally.

Definitions

ISO 27701 takes some of its key definitions from ISO 29100, which uses terms that differ from some other sources. It is useful to understand these and how they relate to your legal and regulatory environment.

Personally identifiable information (PII): ‘personal data’ in the GDPR. ISO 29100 defines this as “information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal” (Clause 2.9).

PII principal: ‘data subject’ in the GDPR. ISO 29100 defines this as a “natural person to whom the personally identifiable information (PII) relates” (Clause 2.11).

PII controller: ‘data controller’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes” (Clause 2.10).

PII processor: ‘data processor’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller” (Clause 2.12).

Structure of ISO 27701

Much like other ISO standards, ISO 27701 divides its content by clause. Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001 and ISO 27002, and warrant particular attention.

Clause 5: PIMS-specific requirements

This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organization to recognize its need for data protection within its context, and this context informs all the other requirements. In particular, the organization must determine its role as a PII controller and/or a PII processor (ISO 27701 Clause 5.2.1), since that determination decides which of the Annex A and Annex B controls apply.

Another notable addition affects the risk assessment, which will need to take into account the organization’s role in relation to PII, that is, whether it is a controller or a processor, and how that role affects the risks to the PII. A further addition recognizes the existence of the new control sets and allows the organization to reconcile its controls against a wider range of controls, including those from ISO 27701.

Clause 6: PIMS-specific guidance

This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.

Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography, and secure development.

Clause 7: Additional guidance for controllers

This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Clause 8: Additional guidance for processors

This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Accredited certification

While the CCPA, HIPAA, and other regulations do not set out any specific form of certification to support compliance, the GDPR does offer a pathway. Article 42 of the GDPR addresses certification schemes, stating that member states, supervisory authorities, the EDPB, and the European Commission should encourage schemes that demonstrate compliance with the Regulation.

ISO 27701 certification will not, on its own, meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that certification bodies be accredited either by the competent supervisory authority or by the national accreditation body against ISO/IEC 17065 (the standard for bodies certifying products, processes, and services). ISO 27701, however, is a management system standard and so falls under ISO/IEC 17021-1 (the standard for bodies certifying management systems), and therefore does not meet the GDPR’s requirements.

There is a good chance that an eventual ISO 17065 scheme will include ISO 27701 certification, but overall it will be more robust and hence more expensive. Those organizations that want to demonstrate a degree of assurance without the expense of an ISO 17065-accredited scheme might opt for ISO 27701 certification as an economical compromise.

Whether accredited certification to ISO 27701 alone will suffice for many organizations and their interested parties will likely be decided by the market and regulators. Given the broad acceptance of ISO 27001 as a model for information security, it is likely that many markets will accept ISO 27701 certification as adequate proof that the organization has taken appropriate steps to meet its data protection obligations.

Either way, the options for accredited certification to ISO 27701 will need to evolve, as the current schemes do not accommodate it. In the interim, the closest option for accredited certification will be referring to ISO 27701 as a source of controls in the Statement of Applicability (SoA) cited in an accredited ISO 27001 certification document.

This method is currently used to include sector-specific standards in certifications, but that is changing: a pending amendment to ISO 27006 (which sets out the accreditation requirements for certification bodies offering certification to ISO 27001) states that this reference can only relate to the source of controls detailed in the SoA; it should not imply conformity to a set of management system requirements. In practice, this means an ISO 27001 certificate that cites ISO 27701 in the SoA evidences that the ISO 27701 controls were audited as part of the ISMS, not that the organization conforms to ISO 27701 as a management system standard.

Regardless of the outcome, it is only a matter of time until there is some method for organizations to demonstrate conformity with ISO 27701. It is likely to become a popular approach to managing data protection and privacy and demonstrating that to others, even if certification to the Standard is not formally adopted as a certification mechanism under the GDPR. For organizations bound by other data protection laws, or subject to a number of laws with varying requirements, such a certification mechanism is likely to be accepted as a demonstration of efforts to comply. As such, the impact of any legal or administrative action against the organization is likely to be reduced.

Other papers you may be interested in

Conducting a Data Flow Mapping Exercise Under the GDPR (IT Governance green paper, January 2019)

EU General Data Protection Regulation – A compliance guide (IT Governance green paper)

Useful data protection and privacy resources

IT Governance offers a unique range of data protection and privacy products and services, including books, standards, pocket guides, training courses, and professional consultancy services.

Standards

ISO/IEC 27001:2013 – ISMS Requirements (Information technology — Security techniques — Information security management systems — Requirements). ISO 27001 is the best-practice specification that helps organizations throughout the world to develop an ISMS.

ISO/IEC 27701:2019 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines). ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 ISMS. It provides guidelines for implementing, maintaining, and continually improving a PIMS.



Books

Nine Steps to Success – An ISO 27001:2013 Implementation Overview, North American edition. A must-have guide from ISO 27001 expert Alan Calder to help you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success.

EU GDPR & EU-US Privacy Shield – A Pocket Guide. This essential guide – the first of its kind on the market – is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU-US Privacy Shield.

Toolkits

ISO 27001 Cybersecurity Toolkit. Accelerate your ISO 27001 project with this best-selling toolkit, which includes customizable and fully ISO 27001-compliant documentation templates, dashboards, and gap analysis tools, and direction and guidance from expert ISO 27001 practitioners.

GDPR Toolkit (EU General Data Protection Regulation (GDPR) Documentation Toolkit). This toolkit was developed by expert practitioners and contains more than 80 indispensable policies, procedures, forms, schedules, and guidance documents to help you achieve and demonstrate compliance with the GDPR.

Training

Certified ISO 27001 ISMS Foundation Training Course (classroom and online; ISO 17024:2012 certificated). Learn from the experts about ISO 27001 best practice and find out how to achieve compliance with the Standard. This course is led by practitioners offering real-world expertise and insights.

Certified GDPR Foundation Distance Learning Training Course (ISO 17024:2012 certificated and IISP accredited). Get a comprehensive introduction to the Regulation and a practical understanding of the implications and legal requirements for organizations in this one-day training course.


IT Governance solutions

IT Governance writes and publishes extensively on cybersecurity and IT governance, risk management, and compliance (GRC) subjects, and has developed a range of tools for IT governance, information security, and regulatory compliance practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, training, and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books

We sell sought-after publications covering all areas of corporate and IT governance. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility, and experience.

Visit www.itgovernanceusa.com/shop/category/it-governance-usa-books to view our full catalog.

Toolkits

Our unique documentation toolkits are designed to help organizations adapt quickly and adopt best practice using customizable template policies, procedures, forms, and records.

Visit www.itgovernanceusa.com/documentation-toolkits to view and trial our toolkits.

Training

We offer training courses from staff awareness and foundation courses, through to advanced programs for IT practitioners and certified lead implementers and auditors.

Our training team organizes and runs in-house and public training courses all year round, as well as Live Online and distance learning courses, covering a growing number of IT GRC topics.

Visit www.itgovernanceusa.com/training for more information.

Consultancy

We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernanceusa.com/consulting for more information.

Software

Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organizations worldwide to be ISO 27001-compliant.

Visit www.itgovernanceusa.com/software for more information.
Protect • Comply • Thrive

USA
420 Lexington Avenue, Suite 300, New York, NY 10170, USA
t: +1 877 317 3454
e: [email protected]
w: www.itgovernanceusa.com
@ITG_USA | /it-governance-usa-inc | /ITGovernanceUSA

Europe
t: 00 800 48 484 484
e: [email protected]
w: www.itgovernance.eu
@ITGovernanceEU | /it-governance-europe-ltd | /ITGovernanceEU

UK
t: +44 (0)333 800 7000
e: [email protected]
w: www.itgovernanceusa.com
@ITGovernance | /it-governance | /ITGovernanceLtd

© 2003 - 2019 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification