Let A-LIGN guide your journey from Information Security Management System (ISMS) to Privacy Information Management System (PIMS)
If ISO/IEC 27001:2013 has been the gold standard for Information Security Management Systems (ISMS), then ISO/IEC 27701:2019 is the new gold standard for Privacy Information Management Systems (PIMS). ISO 27701 was developed to help organizations implement privacy controls against a certifiable framework to demonstrate a strong privacy program. Privacy has become a global zeitgeist with international and domestic privacy regulations driving the adoption of new privacy controls.
The General Data Protection Regulation (GDPR) has been driving international data privacy since it came into effect on May 25, 2018. The penalty for non-compliance is steep – €20 million or 4% of annual revenue. There have been dozens of fines in the past two years, including €50 million against Google and €99 million against Marriott.
Its home-grown cousin, the California Consumer Privacy Act (CCPA), came into effect for California in 2020 – enforcement began July 1. Time will tell how fiercely CCPA will be enforced, but if GDPR is any indication, then its advocates will be seeking to make an example out of companies that fail to comply. Case in point, Zoom has already been served a class action lawsuit for violating individuals’ CCPA privacy rights.
When privacy commands such a premium, data controllers, data processors, and their partners have realized the value of demonstrating trust. Organizations want certification to prove they have done the hard work.
ISO 27701 is the first international privacy standard to provide a certification path for organizations to demonstrate their privacy systems and controls. ISO 27701 is a privacy extension to ISO 27001, which requires extending an ISMS into a PIMS. Compliance with privacy standards and regulations cannot be achieved without implementing appropriate technical and organizational security controls.
The Path to ISO 27701 Certification
To receive an ISO 27701 accredited certificate, organizations must either be ISO 27001 certified or undergo a series of initial audits conducted by a certification body. There are two parallel paths to ISO 27701 certification, one for data controllers and one for data processors. Generally, a controller collects the data and directs how it is processed, whereas a processor processes the data on behalf of its controller. Controllers are assessed on their privacy notices, protections, principles, and processor requirements. Processors are assessed on their ability to limit processing, assist with privacy protection, handle transfers and disclosures, and manage subcontractor requirements. Additionally, both controllers and processors are required to demonstrate confidentiality agreements, risk analysis, oversight, training, processes, and records. Since ISO 27701 is an extension of ISO 27001, organizations should begin with a gap assessment and develop a plan to close the gap between their ISMS and their PIMS.
Consolidate Compliance with ISO 27701
ISO 27701 minimizes the burden of managing multiple privacy requirements through consolidation, a strategic approach to compliance. Consequently, organizations considering ISO 27701 should also consider where else they can consolidate their compliance program, so that multiple audits can be conducted at once.
A Strategic Partner in A-LIGN
A-LIGN enables organizations to elevate their strategic compliance initiatives with A-SCEND, its proprietary compliance management system that centralizes and streamlines workflows to eliminate duplicate work. As an ANAB-accredited certification body, A-LIGN is one of a few companies that can issue an accredited ISO 27701 certification globally.