Since the introduction of the GDPR – General Data Protection Regulation – on May 26th 2018, UK businesses have been waiting for an accreditation that reflects compliance with this EU legislation. In the interim, and in order to demonstrate that they place a priority on safeguarding Personally Identifiable Information (PII), many firms have worked to achieve the Government-approved Cyber Essentials or Cyber Essentials Plus accreditations.
However, the Cyber Essentials and Cyber Essentials Plus schemes are not globally recognised standards. Moreover, they focus on protection from cyber crime, committed via the internet. Typical attacks include phishing, identity theft, DDoS attacks and the introduction of viruses or malware in order to corrupt, damage or threaten a system and its users.
ISO 27001 + GDPR = ISO 27701
By contrast, ISO 27001 is the globally recognised standard for information security, where the scope extends beyond internet usage, covering personnel, hardware, software, property, documentation and other means by which information is held. Compliance with this standard enables a business to develop an Information Security Management System – the scope of the ISMS being submitted for audit by an approved accreditation body. The extension of ISO 27001 to incorporate the requirements of GDPR results in a unified approach to a total ISMS – hence the arrival of ISO 27701.
According to the BSI – British Standards Institute, ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management. An international management system standard, it provides guidance on the protection of privacy, including how organisations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
The standard is intended to be a certifiable extension to ISO 27001. In other words, organisations that are planning to certify to ISO 27701 will need ISO 27001 certification as a precursor. ISO 27701 aims to:
- supplement the Information Security Management System (ISMS) with a PIMS and privacy-specific controls,
- recognise overlap between different privacy laws and reduce complexity,
- build an evidence-based privacy program and demonstrate compliance through accredited third-party certification,
- serve as the basis for a potential GDPR certification mechanism.
Get ready to demonstrate GDPR compliance
ISO 27701 was published in August 2019. Its additional requirements and guidance are intended to be practical and usable by organisations of all sizes and cultural environments. Implementing the controls specified in ISO/IEC 27701 should enable an organisation to allocate PI responsibilities to PI Controllers and PI Processors and to document evidence of how it handles the processing of personal information. Such evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant and, in the event of gaining a widely accepted certification mechanism, can assist in demonstrating compliance with data protection laws such as GDPR.