What is ISO 27701?

The ISO 27701 standard is an extension of the ISO 27001 information security standard that adds specific privacy control measures.

Why has ISO published this standard?

The purpose of this standard is to provide organizations with a practical framework with which they can extend the existing ISMS (Information Security Management System) to become a PIMS (Privacy Information Management System).

For whom is the ISO 27701 standard suitable?

ISO 27701 is intended for organizations that have already started implementing ISO 27001. It builds on that framework, including the PDCA cycle and the risk analysis that ISO 27001 requires. With this extension, an organization can show that it is in control: it has set up the PDCA cycle and performed a risk analysis against the privacy control measures listed in ISO 27701.

Is ISO 27701 mandatory and can certification be obtained for it?

No, ISO 27701 is not mandatory. You can compare this standard with the other extensions to ISO 27001, such as ISO 27799, which provides specific control measures for healthcare, or ISO 27017 for cloud services. None of these is mandatory, but each gives you a practical framework and specific control measures for a niche market. We do not yet know whether certification can be obtained for ISO 27701. No official statement has been made about this yet; the possibilities are being investigated by NEN.

How to start implementing ISO 27701?

In order to start implementing ISO 27701, you must first understand and implement the ISO 27001 standard. At Brand Compliance we provide ISO 27001 implementation training for organizations that want to start with this. Do you specifically want training on ISO 27701, because you have already implemented ISO 27001 and 27002? If so, please contact us about the possibilities for ISO 27701 training.

Is ISO 27701 a GDPR certification?

No. ISO 27701 provides control measures that serve as tools to keep your organization in control with regard to the GDPR. However, privacy legislation (the GDPR) requires a different type of accreditation and certification scheme than the one used for ISO 27001. The legislation requires ISO 17065 accreditation, under which products, services or processes are certified, not the organization as a whole.

When do I comply with the GDPR?

The GDPR (Article 5, paragraph 2) states that you, as an organization, must be able “to demonstrate compliance” with the law. There are three ways to demonstrate this: (1) at the authority’s request, make everything available as proof that your organization is in compliance; (2) by means of an approved code of conduct; (3) by means of GDPR certification. At the time of writing, there are no officially approved codes of conduct or GDPR certifications in the Netherlands. Check the website of the Dutch Data Authority for the current status.

Is GDPR certification possible?

Yes, GDPR certification is certainly possible, and this is also stated in the Regulation (Articles 42 and 43). However, in order to certify in accordance with GDPR legislation, a certification body must meet a number of obligations. It must hold an ISO 17065 accreditation, under which processes, products and services can be certified. There must also be a specific certification scheme that can follow the entire process of processing personal data and that can be assessed by an auditor.

What is BC 5701, version 2, 2018?

BC 5701 is a Brand Compliance standard based on the GDPR. It provides guidance on how to correctly record the processes in which you process personal data, so that you are able to demonstrate your compliance with privacy legislation. With this standard and the associated certification process, Brand Compliance is working on a GDPR certification as required by privacy legislation. The standard and the certification scheme have now been submitted to the Dutch Data Authority, and the application for ISO 17065 accreditation has been submitted to the Dutch Accreditation Council (RVA). The RVA’s preliminary investigation has now been concluded positively.