ISO/IEC 27701

Last updated

ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). [1] The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals. [2]

Contents

ISO/IEC 27701 is intended to be a certifiable extension to ISO/IEC 27001 certifications. In other words, organizations planning to seek an ISO/IEC 27701 certification will also need to have an ISO/IEC 27001 certification.

Intended application of the standard

The intended application of ISO/IEC 27701 is to augment the existing ISMS with privacy-specific controls and, thus, create PIMS to enable effective privacy management within an organization.

A robust PIMS has many potential benefits for PII Controllers and PII Processors, with at least three significant advantages:

First, achieving compliance to privacy requirements (particularly laws and regulations, plus agreements with third parties, plus corporate privacy policies etc.) is burdensome, especially if the requirements are not organized in the most effective way for PII Controllers and PII Processors. Organizations subject to multiple privacy compliance obligations (e.g. from several jurisdictions in which they operate or data subjects live) face additional burdens to reconcile, satisfy and keep watch on all the applicable requirements. A managed approach eases the compliance burden, for example as demonstrated by Annex C of the standard, a single privacy control may satisfy multiple requirements from General Data Protection Regulation (GDPR). [3]

Second, achieving and maintaining compliance with applicable requirements is a governance and assurance issue. Based on the PIMS (and, potentially, its certification), Privacy or Data Protection Officers can provide the necessary evidence to assure stakeholders such as senior management, owners and the authorities that applicable privacy requirements are satisfied.

Third, PIMS certification can be valuable in communicating privacy compliance to customers and partners. PII Controllers generally demand evidence from PII Processors that the PII Processors’ privacy management system adheres to applicable privacy requirements. A uniform evidence framework based on international standard can greatly simplify such communication of compliance transparency, especially when the evidence is validated by an accredited third-party auditor. [4] This necessity in communication of compliance transparency is also critical for strategic business decisions such as mergers and acquisitions and co-Controllers scenarios involving data sharing agreement. Lastly, PIMS certification can potentially serve to signal trustworthiness to the public.

Normative references

ISO/IEC 27701 normatively references the following documents:

Structure of the standard

The requirements of the standard are segregated into the four following groups:

  1. PIMS requirements related to ISO/IEC 27001 are outlined in clause 5.
  2. PIMS requirements related to ISO/IEC 27002 are outlined in clause 6.
  3. PIMS guidance for PII Controllers are outlined in clause 7.
  4. PIMS guidance for PII Processors are outlined in clause 8.

The standard further includes the following Annexes: [5]

  1. Annex A PIMS-specific reference control objectives and controls (PII Controllers)
  2. Annex B PIMS-specific reference control objectives and controls (PII Processors)
  3. Annex C Mapping to ISO/IEC 29100
  4. Annex D Mapping to the General Data Protection Regulation (GDPR).
  5. Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
  6. Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002

History of the standard

A new work item was proposed to JTC 1/SC 27 by JTC 1/SC 27/WG 5 "Identity management and privacy technologies" in April 2016 based on an initiative by experts from the French National Body of JTC 1/SC 27.

The project was then developed in JTC 1/SC 27/WG 5 under the number ISO/IEC 27552.

British Standards Institution (BSI) made the first CD of ISO/IEC 27552 publicly available from its web store in February 2018.

The second CD of ISO/IEC 27552 was published in August 2018.

The DIS of ISO/IEC 27552 was issued in January 2019 and approved in March 2019. As no technical changes were necessary, the FDIS ballot was bypassed.

ISO/IEC JTC 1/SC 27 completed the technical work on ISO/IEC 27552 in April 2019.

Before its publication, ISO/IEC 27552 was renumbered to ISO/IEC 27701 as per the Resolution 39/2019 of ISO/Technical Management Board, which mandates that any Management System "type A" (containing requirements) shall have a number finishing with “01” as its last two digits. The renumbering was finalized in July 2019.

The standard was published on August 6, 2019.

See also

Related Research Articles

BS 7799 was a standard originally published by BSI Group (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and consisted of several parts.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. It was originally based on the earlier BS 15000 that was developed by BSI Group.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

ISO/IEC 27000 is one of the ISO/IEC technical standards in the ISO/IEC 27000 series of Information Security Management Systems (ISMS)-related standards. The formal title for ISO/IEC 27000 is Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 27007 is a standard on Information security, cybersecurity and privacy protection that provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This standard is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme. It was published on November 14, 2011, and revised on January 21, 2020.

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.

<span class="mw-page-title-main">IASME</span>

IASME Governance is an Information Assurance standard that is designed to be simple and affordable to help improve the cyber security of Small and medium-sized enterprises (SMEs).

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

eCOGRA is a London-based testing agency and standards organisation in the realm of online gambling. The company was established in 2003 in the United Kingdom at the behest of the online gaming industry as the first industry self-regulation system. eCOGRA is a testing laboratory, inspection body, and certification body, specializing in the certification of online gaming software and the audit of Information Security Management Systems.

ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommitee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.

The Annex SL is a section of the ISO/IEC Directives part 1 that prescribes how ISO Management System Standard (MSS) standards should be written. The aim of Annex SL is to enhance the consistency and alignment of MSS by providing a unifying and agreed-upon high level structure, identical core text and common terms and core definitions. The aim being that all ISO Type A MSS are aligned and the compatibility of these standards is enhanced.

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, standards which provides best practice recommendations on information security management. This standard was built from ISO/IEC 27002, suggesting additional security controls for the cloud which were not completely defined in ISO/IEC 27002.

ISO/IEC 27018 is a security standard part of the ISO/IEC 27000 family of standards. It was the first international standard about the privacy in cloud computing services which was promoted by the industry. It was created in 2014 as an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

References

  1. https://www.iso.org/standard/71670.html ISO/IEC 27701:2019 [ISO/IEC 27701:2019]
  2. "Protection of personal data: How Voluntary Standards Contribute". AFNOR Marketing. July 2018. Archived from the original on 2020-09-19. Retrieved 2018-07-20.
  3. "Privacy matters: Managing personal information with ISO/IEC 27552" (PDF). BSI Group. 2018.
  4. Katko, Peter (June 13, 2019). "How GDPR compliance demands have shifted the focus to certification". Ernst & Young.
  5. https://www.iso.org/obp/ui/#iso:std:iso-iec:27701:ed-1:v1:en ISO/IEC 27701:2019 [ISO/IEC 27701:2019] Table of contents
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.