Organisations that hold current ISO 27001: 2013 registration will already have an information security policy in a documented format.

ISO / IEC 27701: 2019 refers to PIMS guidance and policies for data security. The guidance advocates integrating or preparing a separate set of PII policies. But the organisation should make a statement concerning the importance of personally identifiable information and its impact upon the enterprise. This would also include any specific reference to contractual agreements that may contain PII.

Many organisations created standalone GDPR policies aside from their privacy policies. These policies often demonstrated leadership and commitment with regards data protection principles and may address many PIMS features.

The guidance notes advise that the organisation seeking the scope extension to ISO / IEC 27701: 2019 should refer to any relevant legislation within the policy.

The author advocates an examination of existing data protection policies and a re-work to identify what is the clearest and most practical approach to comply with the Standard.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: marcus@thamerjames.co.uk

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.