ISO 27701: Data Compliance Management System Supporting GDPR Compliance
What is ISO 27701?
ISO/IEC 27701 is a data privacy extension to ISO 27001. Published in 2019, the information security standard provides guidance for organisations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to effectively manage data privacy. Privacy information management systems are also often referred to as personal information management systems.
Implementing this standard as a bolt-on to ISO 27001 can help you reduce and minimise the risk to the privacy rights of individuals and organisations by enhancing an existing Information Security Management System.
This standard is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance to GDPR and other related privacy legislation.
In the Gov.uk Cyber Security Breaches Survey 2019, approximately 30% of businesses made changes to their cyber security practices because of GDPR laws, and this number will continue to increase in the upcoming years.
Organisations looking to comply with GDPR and gain accredited certification to ISO 27701 will either need to have an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit. ISO 27701 is a natural expansion of the requirements outlined in ISO 27001.
The ISO 27001 standard provides a framework for an Information Security Management System (ISMS) that enables the continued confidentiality, integrity and availability of information within an organisation, as well as legal compliance.
More than 60,000 organisations worldwide have certified to date to ISO 27001, proving certification to be an essential part of protecting your most vital assets.
NQA is at the forefront of the ISO 27701 roll-out after becoming UKAS accredited in March 2022 and having a range of fully trained and mentored PIMS auditors conducting ISO 27701 audits. NQA can offer ISO 27701 overview training, ISO 27701 gap assessments and UKAS-accredited ISO 27701 certification.
Our third-party auditing services can provide a gap analysis for additional insights on steps you can take to adhere to regulations for these three certifications.
NQA can provide a comprehensive third-party audit service, assessing your current compliance and identifying potential areas for continued improvement. You'll also receive top-level auditor expertise and experience in your ISO 27701 audits to ensure that you receive thorough, rigorous, supportive and consistent audits.
If you are looking to implement an ISO 27701 PIMS and aren't sure where to start, download our ISO 27701 Implementation Guide.
How to Get Certified to ISO 27701
In order to gain certification to ISO 27701 you will be required to follow specific steps. Working to meet these stringent requirements will ensure compliance with the relevant standards.
NQA can provide you with an optional gap analysis service, designed to help you recognise key gaps within your management system so that you can make the necessary changes/improvements to comply with the ISO 27701 standard framework.
The video below explains that you will need to obtain ISO 27001 certification simultaneously with ISO 27701, or have prior ISO 27001 certification with a UKAS-accredited certification body, as ISO 27701 certification is an extension of ISO 27001 rather than a standalone framework.
How to start your journey to achieve ISO 27701 certification:
- Complete a request form for a formal quote.
- Receive an NQA quotation, then sign and return it.
- Prepare for our audit.
The video below offers visuals and a more detailed explanation of the certification process.
Helps you with
- GDPR compliance
- Privacy rights of individuals
- Continued confidentiality
- IT governance
- Data breaches
- Securing personal information
- Building customer trust
- Increasing customer satisfaction
- Protecting the organisation’s reputation
Other risk management standards:
- ISO 27001 - Information Security
- BS 10012 - Personal Information
- ISO 20000-1 - IT Service Management
- ISO 22301 - Business Continuity
- ISO 27017 - Security Controls for Cloud Services
- ISO 27018 - Protection of Personally Identifiable Information
- ISO 44001 - Collaborative Working
- ISO 55001 - Asset Management
- ISO 41001 - Facilities Management
NOTE: We are currently offering UKAS-accredited certification to this scheme.
Benefits of ISO 27701 Certification
Supporting GDPR and data privacy compliance
Aligns to GDPR, but also allows organisations to use the standard to encompass other privacy laws, regulations and requirements.
Maintain integrity
Maintain the integrity of customers’ and other interested parties’ information. Conduct your activities with assurance that your systems can help manage data privacy risks.
Save time and win bids
Certification to ISO 27701 will make it easier to respond to security questionnaires, demonstrate compliance and assure individuals their data is protected. This standard can provide extra assurance to potential customers which may enable you to win more bids.
Preparedness
Helps prepare an organisation with a framework in the event that the UK becomes a third country after Brexit and further develops the Data Protection Act.
Commitment to security
Demonstrate commitment to information security to customers, suppliers and other interested parties.
Global recognition as a reputable supplier
Certification is recognised internationally and accepted throughout industry supply chains, setting industry benchmarks for sourcing suppliers.
Is ISO 27701 certification right for me?
ISO 27701 certification offers several key advantages for a broad range of industries:
- Global standard: ISO 27701 certification is a globally respected standard for privacy information management systems. Having these credentials demonstrates your business's position as a leader in the field.
- Rigorous assessment: This certification holds your operations up to a rigorous standard that demonstrates the level of thoroughness and detail of your operations as you meet the highest requirements.
- Jurisdictional flexibility: The provisions of ISO 27701 hold your organisation up to a worldwide standard. At the same time, this certification allows you to adhere to regional jurisdictional requirements. You can remain fully compliant on both local and worldwide levels.
The General Data Protection Regulation (GDPR) is in full swing. Since its implementation in May 2018, the EU's landmark legislation has brought widespread change to data privacy rights, particularly who 'owns' data, who controls it and who gets the final say in its uses and transactions in today's digital-first world.
Under the GDPR, the upper limit for fines could reach €20 million or 4% of the annual global turnover of an organisation, whichever is higher. Organisations also face significant reputational damage from non-compliance and data breaches. For some businesses this could pose a threat of bankruptcy or even closure.
The Information Commissioner’s Office (ICO) in the UK has indicated that organisations adopting certification or having a robust system in place to manage their data protection may be seen more favourably from a regulatory perspective in the event of a data breach.
Implementing a Privacy Information Management System (PIMS) in compliance with the requirements of ISO 27701 will enable organisations to assess, react to and reduce risks associated with the collection, maintenance and processing of personal information. Certification to ISO 27701 does not confirm legal compliance with GDPR; however, it provides a valuable framework for any company to support its efforts to comply with legislation.
Organisations can also consider implementing BS 10012:2017 with Annex A1:2018 as an alternative approach. This is for organisations seeking to implement a standalone Privacy Information Management System without ISO 27001.
Differences between ISO 27001 and ISO 27701
ISO 27701 is set to be the go-to standard for compliance with GDPR regulations, in the same way that ISO 27001 is considered to be the ‘gold standard’ for information security management. ISO 27701 specifically focuses on addressing GDPR requirements to ensure industry-specific standards that match relevant operational needs.
It aligns to GDPR but also allows organisations to use the standard to incorporate other privacy laws, regulations and requirements. This makes it an excellent choice for organisations of all industries and sizes looking to demonstrate their compliance with the ‘accountability’ principle of GDPR. It demonstrates responsibility and expertise in the requirements and helps increase operational cost-effectiveness and value in the industry.
Get certified to ISO 27701
If you already have accredited certification to ISO 27001 you will find applying the information risk management principles to personal information fairly straightforward.
The standards require that organisations with certification to ISO 27001 must include privacy management. This means reviewing the organisation’s contextual analysis, risk assessment and control environment to ensure that privacy management is incorporated.
The privacy information management system then needs to be documented. Organisations that are less confident in their GDPR compliance will find ISO 27701 particularly helpful as it provides specific recommendations for actions to comply with the regulation.
We can assess your compliance with ISO 27701 as an addition to your ISO 27001 assessment. We will ensure our approach follows the same method as the standard, looking at one system supporting both information security and personal information management.
FAQs about ISO 27701
Many industries have questions about how the ISO 27701 standard certification works, so we've compiled some key FAQs and answers. We also have a more extensive list under our Information Security Toolkit section if you need additional information.
Q: Who does the ISO 27701 standard apply to?
A: The ISO 27701 certification has a design specifically customised for data controllers and data processors. It is highly relevant for this field and is most valuable when used by professionals in these specific areas.
Q: How much does it cost to become ISO 27701 certified?
A: Costs will vary depending on your organisation, its level of complexity, number of employees and sites. We can offer a quick quote if you provide some company details and information about your goals.
Q: How long does it take to get an ISO 27701 certification?
A: Gaining ISO 27701 certification can take as little as two to three months with experienced, strategic management. It can take more than six months if personnel don't have the best resources for training. Several factors can influence the overall duration of certification, including the organisation's size, the number of employees and the number of business locations.
We can work with you and help you determine the best approach for your company. We recommend that you treat certification as a project you can complete through an ISO 27701 consultant or in-house depending on your skills and experience.
STEPS TO CERTIFICATION
- Step 1: Complete a Quote Request Form so we can understand you and your business. We will then use this to personally prepare a proposal for your certification and define what is known as your 'scope of assessment'.
- Step 2: We will then contact you to book your assessment with an NQA assessor. This consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been operational for a minimum of three months, has been subject to a management review and has completed a full cycle of internal audits.
- Step 3: Following a successful two-stage audit, a decision is made and, if positive, your certification is issued by NQA. You will receive both a hard and a soft copy of the certificate. Certification is valid for three years and is maintained through surveillance audits (years one and two) and a recertification audit in year three.