ISO27701:2019, the Privacy Information Management extension to ISO27001, has just been published.
This robust addition addresses the management of personally identifiable information (PII) in a way that ISO27001:2013 did not. It is fair to say that 27001 made reference to the privacy and protection of PII under control A.18.1.4, but that control was very ‘wide-ranging’ in its scope of interpretation.
ISO27701:2019 aligns with Annex SL and addresses the issues of privacy information management by expanding upon control areas from Annex A as well as the high-level structure of the management system itself.
The present understanding is that organisations holding PII, and that maintain ISO27001 certification from UKAS-approved certification bodies, will be able to map out these additional control areas from 27701 and seek an enhanced scope. ISO27701 will not be certified in its own right, as it is a supplement to ISO27001.
This Standard is most suited to organisations that have an international focus. There are approximately thirty thousand ISO27001 certificates world-wide, and this supplement to 27001 is likely to be widely adopted to address the issues of safeguarding PII within an international framework.
However, within the UK we also have BS 10012:2017+A1:2018, Data protection – Specification for a personal information management system. This was specifically updated from its 2009 iteration to address the Data Protection Act 2018. It is a very comprehensive Standard and is written around the Annex SL format.
It is very strong on the GDPR / DPA fundamentals and seeks to embed the DPA principles within the management framework.
If an organisation holds large volumes of personal data within the UK, and has data controllers within the UK seeking assurance of DPA adherence, then BS 10012 is likely to be the model for consideration.
Marcus Allen is a certified data protection officer, holds a GDPR Practitioner qualification, is a member of the National Association of Data Protection Officers and is an ISO27001 Lead Auditor. He has assisted over thirty organisations with GDPR compliance.