Relationship between ISO 27701, ISO 27001, and ISO 27002
You probably know what the GDPR (General Data Protection Regulation) is, and maybe you also know about information security and the ISO 27001 series standards, but do you know that there is an international standard that is an integration between the general requirements of the GDPR, the Information Security Management System (ISMS) of ISO/IEC 27001, and the guide of best practices known as ISO/IEC 27002? This interesting standard is called ISO/IEC 27701. Read what you need to know about it in the following article.
The main objective of ISO 27701
ISO/IEC 27701 was published in August 2019 and, although it was initially developed as ISO/IEC 27552, it was finally published as ISO/IEC 27701 – basically because, due to the internal rules of ISO, all ISO standards that define a management system, like ISO/IEC 27001, ISO 9001, ISO 14001, etc., need to include the number “1” at the end.
The main objective of the ISO/IEC 27701 standard is the privacy of information, which basically means that this standard is focused on information security and personally identifiable information (or personal data protection). So, we have an international standard for information security, and for personally identifiable information, but how does this system work?
Because this standard defines a management system, the base of a continual improvement model is clearly necessary, and the best way to do this is to use the structure of ISO/IEC 27001, which has a continual improvement model and, furthermore, is related to information security. Why invent a new thing if we still have the ISMS of ISO/IEC 27001?
Some specific items related to the personally identifiable information, like applicable privacy legislations, the definition of a controller, the definition of a processor, etc. are included in ISO/IEC 27701, but the base is exactly the same as in the ISO 27001 ISMS, although in this case we have a Privacy Information Management System (PIMS).
The knowledge: How to implement the security controls
ISO/IEC 27001 has Annex A, with a total of 114 security controls, and we have ISO/IEC 27002 to know how to implement these security controls. In the case of ISO/IEC 27701 the scenario is similar, but includes all the information and all knowledge in a unique standard. So, ISO/IEC 27701 has the 114 security controls of Annex A of ISO/IEC 27001 and, furthermore, has the guide of ISO/IEC 27002 to know how to implement these security controls. But, additionally, ISO/IEC 27701 has specific security controls that are directly related to personally identifiable information, which are grouped into two categories, depending on whether the company is acting as a controller or as a processor.
So, for example, for companies acting as controllers, ISO/IEC 27701 has controls like 7.2.1 Identify and document purpose, 7.2.2 Identify lawful basis, 7.2.3 Determine when and how consent is to be obtained, etc. And for companies acting as processors, there are controls like 8.2.1 Customer agreement, 8.2.2 Organization’s purposes, 8.2.3 Marketing and advertising use, etc.
For more about the differences between controller and processor in the GDPR, read the article: EU GDPR controller vs. processor – What are the differences?
ISO 27701: Be compliant with the GDPR, ISO 27001, and ISO 27002 in a unique way
But, from a legal point of view, the most interesting point of ISO/IEC 27701 is that it gives you a clear guide to being compliant with the GDPR: if you implement the ISO/IEC 27701 standard, you can be sure that all important requirements of the European General Data Protection Regulation are in place in your organization.
So, if you are thinking about implementing ISO/IEC 27001, and you are also worried about how to be sure that you are aligned with the requirements of the GDPR, and you need best practices to know how to implement controls, the ISO/IEC 27701 is the perfect tool for you and, furthermore, you can also certify with it!
To learn more about the relationship between privacy and information security, download this free white paper: Privacy, cyber security, and ISO 27001 – How are they related?
About the author:
Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.