
IT GOVERNANCE | GREEN PAPER

ISO 27701
Privacy information
management systems

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | SEPTEMBER 2019

Introduction

Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, there has been an increasing need for a standard or code of conduct to support compliance. A small number have arisen, but they lack the international recognition necessary to truly act as an effective mark of assurance.

ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines) was published in August 2019 and is one of the most anticipated standards in information security and privacy management. It aims to fill the assurance gap and provide a genuinely international approach to data protection as an extension of information security.

This paper provides information about the Standard so that organisations with a desire to meet their compliance challenges head-on can take advantage of it. Organisations examining information security and data protection more broadly can also see how the new standard’s approach might meet their needs.

Why an ISO/IEC privacy management system?

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are recognised internationally as authorities on management systems and best practice. ISO/IEC publications carry a great deal of weight, and certification to their management system standards through recognised certification schemes is an extremely effective way of both meeting compliance demands and proving your compliance to customers, business partners and regulators.

While there are already some publications and standards that discuss data protection, many are not international, primarily focusing on data protection requirements and good practice in specific jurisdictions. The UK’s BS 10012 draws solely from the GDPR and the UK’s Data Protection Act 2018, for instance, which has limited value outside the UK. An approach based on international best practice must be capable of adapting to other regimes and not impose requirements that hinge on specific legislation.

Beyond these local initiatives, there is also ISO 29151, a code of practice for protecting personally identifiable information (PII). This standard sets out control objectives, controls and guidelines to protect PII in accordance with an impact and risk assessment. This is an effective set of guidance, but it does not offer an externally auditable framework that can offer assurance to third parties. ISO 27701 goes beyond this, setting out management system and control requirements.

While ISO 27701 does not yet have a certification scheme, this is really only a matter of time. Furthermore, there are interim options for asserting compliance, as we discuss later in this paper.

What about ISO 27001?

Even though a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 might already address privacy issues, the requirements can be met without fully addressing privacy. This means that certificates of conformity with ISO 27001 are issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (the GDPR addresses these as “technical and organisational measures”), it goes much further than simply protecting the information – the organisation must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.

Having a standard that ensures all the relevant privacy issues are factored into a management system means that the resulting certificate must, by default, cover all of those relevant aspects. This also means that a certificate of conformity (when a scheme to provide this is available) gives external stakeholders greater confidence in your privacy management.
What does this mean for BS 10012?

BS 10012 is still an effective management system standard, especially for organisations in the UK, as it takes into account not only the GDPR but also the UK’s Data Protection Act and guidance from the Information Commissioner’s Office. This may have limited value for external stakeholders, however, especially those outside the UK.

Despite this, there is a line of thinking that any organisation that requires privacy assurance will opt for a BS 10012-type solution on the basis that a full ISO 27001 ISMS is overkill. At IT Governance, we do not subscribe to this view for two key reasons.

First, we do not see an ISO 27001-conforming ISMS as burdensome. Through our many successful engagements to implement ISO 27001, we have demonstrated how scalable and flexible it is, and how the most common block is the implementer’s mindset rather than the requirements of the Standard. The risk assessment process in particular ensures that security controls are chosen on the basis of need and suitability, helping the organisation build a cost-effective and practical ISMS.

Second, a BS 10012 personal information management system’s primary concern is data protection. As such, it is not an ideal framework for developing effective information security measures. It is also of little use if you want to extend your information security to all of your organisation’s information, not just personal data.

The ISO 27701 approach

A privacy management system is different from an ISMS, but they are closely related. ISO 27701’s approach recognises that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification.

ISO 27701 defines the extra requirements for an ISMS to cover privacy and the processing of PII. These are supported by additional controls that relate specifically to data protection and privacy. As a new whole, this creates what the Standard calls a privacy information management system (PIMS).

[Figure: how a PIMS is composed – ISO 27001 requirements plus ISO 27701 amendments; ISO 27001 controls plus ISO 27701 control amendments; ISO 27701 controls.]
The ISO 27701 standard

ISO 27701 was developed by ISO technical committee SC27 with input from 25 external bodies, including the European Data Protection Board (EDPB).

As already described, the new standard bolts privacy processing requirements onto an ISMS. Part of this requires that anywhere ISO 27001 says “information security” you instead read “information security and privacy” in all instances. For example, where ISO 27001 uses “information security performance”, ISO 27701 requires you to read it as “information security and privacy performance”.

The Standard then goes on to add privacy-specific requirements to some of the clauses in ISO 27001 and the controls in Annex A, and adds some privacy-specific controls over and above the existing information security (and now privacy) controls. Finally, it offers guidance that builds on that available in ISO 27002 subject to whether the organisation in question is a data controller and/or data processor.

ISO 27701 also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO/IEC 29100. These cover a wider range of privacy concerns, including those espoused in data protection regulations internationally.

Definitions

ISO 27701 takes some of its key definitions from ISO 29100, which uses terms that differ from some other sources. It is useful to understand these and how they relate to your legal and regulatory environment.

Personally identifiable information (PII): ‘personal data’ in the GDPR. ISO 29100 defines this as “information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal” (Clause 2.9).

PII principal: ‘data subject’ in the GDPR. ISO 29100 defines this as a “natural person to whom the personally identifiable information (PII) relates” (Clause 2.11).

PII controller: ‘data controller’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes” (Clause 2.10).

PII processor: ‘data processor’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller” (Clause 2.12).

Structure of ISO 27701

Much like other ISO standards, ISO 27701 divides its content by clause, of which Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001, and warrant particular attention.

Clause 5: PIMS-specific requirements

This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organisation to recognise its need for data protection within its context, and this context informs all the other requirements.

Another notable addition affects the risk assessment, which will need to take into account the organisation’s role in relation to PII – that is, whether it is a controller or a processor, and how that might affect the risks to the PII. Another entry recognises the existence of the new control sets and allows the organisation to reconcile its controls against a wider range of controls, including those from ISO 27701.
Clause 6: PIMS-specific guidance

This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.

Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography and secure development.

Clause 7: Additional guidance for controllers

This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Clause 8: Additional guidance for processors

This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Accredited certification

Article 42 of the GDPR addresses certification schemes, stating that member states, supervisory authorities, the EDPB and the European Commission should encourage schemes that demonstrate compliance with the Regulation.

ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and therefore not meet the GDPR’s requirements.

There is a good chance that an eventual ISO 17065 scheme will include ISO 27701 certification, but overall it will be more robust and hence more expensive. Those organisations that want to demonstrate a degree of assurance without the expense of an ISO 17065-accredited scheme might opt for ISO 27701 certification as an economical compromise.

Whether accredited certification to ISO 27701 alone will suffice for many organisations and their interested parties will likely be decided by the market and regulators. Given the broad acceptance of ISO 27001 as a model for information security, it is likely that many markets will accept ISO 27701 certification as adequate proof that the organisation has taken appropriate steps to meet its data protection obligations.

Either way, the options for accredited certification to ISO 27701 will need to evolve as the current schemes do not accommodate it. In the interim, the closest option for accredited certification will be referring to ISO 27701 as a source of controls in a Statement of Applicability (SoA) cited in an accredited certification document for ISO 27001.

This method is currently used to include sector-specific standards in certifications, but that is changing: a pending amendment to ISO 27006 (which sets out the accreditation requirements for certification bodies offering certification to ISO 27001) states that this reference can only relate to the source of controls detailed in the SoA; it should not imply conformity to a set of management system requirements.

Regardless of the outcome, it is only a matter of time until there is some method for organisations to demonstrate conformity with ISO 27701. It is likely to become a popular approach to managing data protection and privacy and demonstrating that to others, even if certification to the Standard is not formally adopted as a certification mechanism under the GDPR.

Other papers you may be interested in

Conducting a Data Flow Mapping Exercise Under the GDPR

EU General Data Protection Regulation – A compliance guide (IT Governance green paper)

Useful data protection and privacy resources

IT Governance offers a unique range of data protection and privacy products and services, including books, standards, pocket guides, training courses and professional consultancy services. We have highlighted a selection on the next page.

Standards

ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO 27002 for privacy information management — Requirements and guidelines
ISO 27701 provides guidelines for implementing, maintaining and continually improving a PIMS.

ISO/IEC 27001:2013 – ISMS Requirements
ISO 27001 provides the specification of a best-practice ISMS, which your organisation can implement to improve the state of its information security.

Books

EU GDPR – A pocket guide
This essential guide is the ideal resource for anyone wanting a clear primer on the principles of data protection and their obligations under the GDPR.

Toolkits

ISO 27001 Toolkit
Accelerate your ISO 27001 project with this bestselling toolkit, which includes customisable and fully ISO 27001-compliant documentation templates, dashboards and gap analysis tools, and direction and guidance from expert ISO 27001 practitioners.

EU General Data Protection Regulation (GDPR) Documentation Toolkit
This Toolkit was developed by expert practitioners and contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents to help you achieve and demonstrate compliance with the Regulation.

Training

ISO 27001 Certified ISMS Foundation Training Course (Classroom)
Learn from the experts about ISO 27001 best practice and find out how to achieve compliance with the Standard. This course is led by practitioners offering real-world expertise and insights.

Certified ISO 27001 ISMS Lead Implementer Live Online Training course (ISO 17024:2012 certificated)
This fully accredited, practitioner-led course equips you to lead an ISO/IEC 27001 ISMS implementation project. Win new business by securing your organisation’s information assets and reducing data security risks with real-world expertise and practical insights.
IT Governance solutions

IT Governance writes and publishes extensively on GDPR, data privacy and cyber security, and has developed a range of tools for IT governance, information security and regulatory compliance practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, software, training and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books

We sell sought-after publications covering all areas of data privacy and cyber risk management. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.

Visit www.itgovernance.eu/shop/category/itgp-books to view our full catalogue.

Toolkits

Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.

Visit www.itgovernance.eu/documentation-toolkits to view and trial our toolkits.

Training

We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.

Our training team organises and runs in-house and public training courses all year round, as well as Live Online and distance-learning courses, covering a growing number of IT GRC topics.

Visit www.itgovernance.eu/training for more information.

Consultancy

We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernance.eu/consulting for more information.

Software

Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.

Visit www.itgovernance.eu/software for more information.
Protect • Comply • Thrive

Europe
IT Governance Europe Ltd, Third Floor, The Boyne Tower, Bull Ring, Lagvooren, Drogheda, Co. Louth, A92 F682, Ireland
t: 00 800 48 484 484
e: servicecentre@itgovernance.eu
w: www.itgovernance.eu
@ITGovernanceEU | /it-governance-europe-ltd | /ITGovernanceEU

UK
IT Governance Ltd, Unit 3, Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, CB7 4EA, United Kingdom
t: +44 (0)333 800 7000
e: servicecentre@itgovernance.co.uk
w: www.itgovernance.co.uk
@ITGovernance | /it-governance | /ITGovernanceLtd

USA
IT Governance USA Inc., 420 Lexington Avenue, Suite 300, New York, NY 10170, USA
t: +1 877 317 3454
e: servicecenter@itgovernanceusa.com
w: www.itgovernanceusa.com
@ITG_USA | /it-governance-usa-inc | /ITGovernanceUSA

© 2003–2019 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification
