The new standard provide a comprehensive set of controls for information security and the protection of personal information.
On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701 (ISO 27701), a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, designed to help organizations protect and control the personal information they handle. Similar to the existing ISO standards ISO 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect personally identifiable information (PII) and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
This new standard is the “icing on the cake” for security compliance. The well-known ISO 27001 forms the foundation and the new ISO 27701 builds on that foundation to provide a comprehensive set of controls for information security and the protection of personal information.
What is ISO 27701?
Originally developed as ISO/IEC 27552, ISO 27701 provides specific requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of the flexible Information Security Management System (ISMS) defined in ISO 27001 to take into account the privacy protections required for processing PII in addition to information security. Like the ISO 27001 standard, ISO 27701 does not expect organizations to adopt each and every control in all situations. Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.
To better understand the new standard, two key terms should be understood: controllers and processors. These terms are found in many privacy laws and regulations, including the GDPR. Generally, a “controller” is the entity that directs the reason why PII is collected and processed in the first place, and the “processor” is a separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller.
The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018 and ISO/IEC 29151 security frameworks. Mappings of the ISO 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), GLBA and HIPAA, should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.
A high-level overview of certain key ISO 27701 requirements applicable to controllers and processors is provided below.
Requirements applicable to controllers and processors
- Confidentiality. Individuals authorized to access PII must execute a confidentiality agreement.
- Analyze risk. A privacy risk assessment must be conducted to identify PII processing risks.
- Oversight. Organizations must appoint an individual who is responsible for developing, implementing, maintaining and monitoring their governance and privacy program.
- Training. Privacy awareness training for personnel that have access to PII is required.
- Internal processes. Organizations must adopt various policies and procedures, such as incident response plans for breaches of PII.
- Record keeping. ISO 27701 requires organizations to maintain a record of all PII processing activities, including PII transfers between jurisdictions and disclosures to third parties.
- Processor contract requirements. Organizations must have a written contract in place with their processors that address specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.
- Individuals’ rights. ISO 27701 requires organizations to implement mechanisms to accommodate individuals’ rights to access, correct and erase their PII, as well as object to, or restrict, the processing of PII, among others.
- Privacy by design and default. Organizations must adopt measures that operationalize the principles of privacy by design and privacy by default.
- Processing limitations. Organizations must process PII only on the documented instructions of the controller or processor (depending on the role of the customer)
- Assist with individuals’ rights. ISO 27701 requires processors to implement measures that assist the customer in complying with the rights of individuals.
- Transfers and disclosures. Processors must inform the customer in advance of PII transfers between jurisdictions or any intended changes thereof.
- Subcontractors. ISO 27701 requires processors to only engage a subcontractor for processing PII pursuant to the terms of the customer contract.