Jumping to ISO 27701 ….. it helps if you’ve already got 27001

At 27k1 Ltd we follow the International Organization for Standardization (ISO), paying close attention to its information security committees and their decision-making processes. We monitor the changes taking place and the information placed in the public domain in order to develop and improve our ISO 27001 compliance software and stay ahead of the curve.

Get ready or get left behind!

Many information security consultants know of the major changes due to the ISO/IEC 27001 control set, which follows the ISO/IEC 27002 catalogue of controls that ISO/IEC 27001 Annex A mirrors. The revision awaits ratification later this year or in early 2021 by ISO/IEC JTC 1/SC 27, the committee responsible for the 27000 series, whose members come from 57 countries. The standard is currently at Committee Draft (CD) stage and its working title is “Information security, cybersecurity and privacy protection – Information security controls”.


Concurrently, ISO/IEC 27701:2019 has been published to accommodate privacy information management (PIM). Rather than standing alone, this standard reduces complexity by extending ISO/IEC 27001 and ISO/IEC 27002.

There are four key points relating to ISO/IEC 27701:2019:

  • ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It adds requirements and guidance for the protection of privacy, which is potentially affected by the collection and processing of personally identifiable information (PII).
  • The goal is to enhance the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS).
  • It outlines a framework for PII controllers and PII processors to manage privacy controls so that the risk to individuals’ privacy rights is reduced.
  • It is written in a practical way that is applicable to organisations of any size, in any sector or cultural environment.

There are many advantages to an organisation in complying with the requirements in ISO/IEC 27701, since this will generate documented evidence of how it handles the processing of personal information. This evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant. This might also assist in relationships with other stakeholders. The use of ISO/IEC 27701 in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence.

Steps to ISO 27701 Certification

Step 1: An accredited certification body will audit your organisation.

Step 2: The assessor will provide a thorough evaluation of your PIMS in line with the ISMS requirements.

Step 3: If the requirements are met, they will issue a certificate which is valid for three years, subject to the usual annual surveillance audits.

Note: ISO/IEC 27701 is an extension of ISO/IEC 27001, so you cannot be certified to it on its own. If you don’t already have ISO 27001 certification, you will need to either gain this certification first or gain ISO 27001 and ISO 27701 at the same time. If you don’t necessarily need ISO 27001, you can instead implement BS 10012:2017+A1:2018 (the 2017 standard with its 2018 amendment). This functions as an independent PIMS without requiring ISO 27001 as a prerequisite.

There will be major changes to the existing ISO 27001 control set

The 14 control clauses of the current ISO/IEC 27002 (and ISO/IEC 27001 Annex A) will be consolidated into 4 main themes, and the controls are set to be rationalised from 114 to 97 in the current draft. This will be achieved by updating old controls, merging duplicates, retiring some controls and adding new ones, as follows:

1. Organisational Controls (39) – formerly Information Security Policies; Organisation of Information Security; Asset Management; Supplier Relationships; Information Security Incident Management; Business Continuity; and Compliance, plus 4 new controls

2. People Controls (7) – formerly Human Resource Security

3. Physical Controls (14) – formerly Physical and Environmental Security, plus 1 new control

4. Technological Controls (37) – formerly Operations Security; Communications Security; Access Control; Cryptography; and System Acquisition, Development and Maintenance, plus 9 new controls

ISO 27002 Revision – the 14 New Controls (as named in the current draft)

1. Threat Intelligence

2. Information security for cloud services

3. ICT continuity planning

4. Digital rights management

5. Physical security monitoring

6. Configuration management

7. Information deletion

8. Data masking

9. Data leakage prevention

10. Monitoring activities

11. Vulnerability disclosure and handling in the delivery of ICT products and services

12. Web filtering

13. Data integrity protection

14. Secure coding principles

The next SC 27 meeting to progress this draft is in April 2020 in St Petersburg, Russia, where further comments may be discussed. There will then be a Draft International Standard (DIS) stage prior to final publication. There is no set timetable for these at present, but publication is possible either late in 2020 or into 2021.

For those organisations that are currently ISO 27001 certified, a one-year transition period is expected. Transition arrangements are set by the accreditation bodies rather than by the standard itself, so confirm the actual deadline with your certification body once the revision is published.

The 27k1 ISMS presently offers the most up-to-date compliance solution. Once the new controls are ratified and approved, the system will provide the new controls and clauses, ready for deployment at the click of a mouse!
