In section five of ISO 27701 the Standard outlines the need to extend the protection of privacy with regards PII and information security. So, in simple terms a 27001: 2013 certificate would just relate to information security whereas with 27701 this becomes information security and privacy.

Understanding the context of the organisation is derived from the Annex SL approach. An organisation with ISO 27001: 2013 registration will already have identified the organisational context.

To satisfy ISO / IEC 27701: 2019 additional requirements such as:

The enterprise must determine whether it is a data controller or a data processor or indeed both.

In addition, extra elements should be considered by the organisation:

  • What privacy issues are arising
  • Data protection / privacy legislation
  • Any judgments or judicial reviews within the country 
  • Relevant policies and procedures
  • Administrative issues
  • Contractual needs with regards PII

When an organisation operates as both a data controller and processor clearly defined roles should be created with separate sets of PII controls applied.

The organisation’s senior management should perform horizon scanning as would occur with 27001: 2013 to evaluate the PII needs of interested parties. This might include customers, public utilities, executive agencies etc. A ‘PESTEL’ analysis is a good place to start.

Of course, any PII should be identified if supplied by an interested party.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: [email protected]

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.