ISO/IEC 27701:2019 — Information technology — Security techniques — Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management — Requirements and guidelines
Although there is substantial overlap between information security and privacy management, each field extends beyond the other. This standard explains how to ‘enhance’ (adapt and extend) an ISO/IEC 27001 Information Security Management System and the associated ISO/IEC 27002 [or other] controls so that they manage privacy as well as information security.
Scope of the standard
The standard specifies a Privacy Information Management System (PIMS) based on ISO/IEC 27001 (ISMS), 27002 (security controls) and 29100 (privacy framework). It is applicable to both controllers and processors of Personally Identifiable Information (PII).
Content of the standard
In the style of a sector-specific variant of ISO/IEC 27001, the ~70-page standard elaborates on the PIMS-related differences to the 27001 and 27002 standards clause by clause, for example:
“ISO/IEC 27001:2013, 6.1.3.c) is refined as follows:
The controls determined in 6.1.3 b) of ISO/IEC 27001:2013 shall be compared with those in ISO/IEC 27001:2013, Annex A and/or Annex B of this document to verify that no necessary controls have been omitted.
When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013 Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including risks to PII principals.”
The first edition was published in August 2019.
Practitioners familiar with ‘the ISO27k way’ should have little difficulty applying the usual information risk management principles to personal information. Thanks to the standard elaborating on the requirements, even others ought to be able to have a jolly good stab at it.
The title’s combination of ‘requirements’ with ‘guidelines’ may cause consternation in some quarters. Which is it? The possibility of certified compliance with this standard is under discussion ... but compliance auditors may need help to distinguish mandatory requirements from discretionary guidance. One solution might be to update ISO/IEC 27006.
The draft standard, initially known as ISO/IEC 27552, was renumbered 27701 right at the end of the drafting process, apparently due to an ISO regulation that certifiable management system requirements standards should end in “01” ... so certification was on the cards at that stage.