In 2019, ISO (in response to high demand at the European level) published an elaboration of the GDPR. This extension is described in ISO 27701 from a management system approach. Together with ISO 27001, it can therefore be seen as a management system for information security and privacy, because ISO 27701 is an add-on to the ISO 27001 information security standard with specific privacy controls.
Standard
ISO 27701 is ideally suited for organizations that have already organized their information security according to ISO 27001. It expands the requirements of ISO 27001 to take into account, in addition to information security, the protection of the privacy of PII (Personally Identifiable Information) clients who may be affected by the processing of PII. ISO 27701 thus brings together the areas of information security and PII protection.
By obtaining the ISO 27701 certificate as an add-on to the ISO 27001 certificate, an organization demonstrates within its management system that personal data is processed in compliance with the GDPR. Certification for the ISO 27701 standard can also be an add-on to a NEN 7510 certification.
What is an ISO 27701 certification?
A certification indicates that the requirements for setting up, implementing, maintaining and continuously improving a PIMS (Privacy Information Management System), in the form of an extension to ISO 27001 and ISO 27002 or NEN 7510 for privacy management within the context of the organization, have been tested and found to be sufficient. It indicates that the specified PIMS-related requirements for PII administrators and PII processors, who are responsible and accountable for the processing of PII, have been reviewed.
How do I implement this standard?
Certification of conformity to ISO 27701 can, at most, only be achieved indirectly. For example, it is conceivable to mention ISO 27701 in the context of the ISO 27001 certificate, after appropriate verification, with a reference in the Statement of Applicability. ISO 27701 extends the requirements of ISO 27001 to take into account the protection of the privacy of PII.
The standard is entirely based on ISO 27001. This means that, for compliance with ISO 27701, all requirements of ISO 27001 must first be met. Most of the requirements of ISO 27001 therefore also apply to ISO 27701.
Certification
We are happy to carry out the audits necessary for you to obtain an ISO 27701 certificate. Because every organization is unique, we are happy to discuss your starting position with you and identify which steps (if any) still need to be taken to be ready for certification. We then make a customized certification proposal for you. The cost of an ISO 27701 certification depends on several factors, for example the size and complexity of your organization.
Please note! ISO 27701 certification can only be obtained in combination with an accredited ISO 27001 and/or NEN 7510 certification.
Do you already have an accredited ISO 27001 certification from another certification body? Call us to talk about the possibilities.
More information
ISO 27701 specifies requirements and provides guidelines for establishing, implementing, maintaining and continuously improving a privacy information management system in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organisation. Without ISO 27001 certification, there can be no ISO 27701 certification.
ISO 27018 establishes generally accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information in accordance with the privacy principles in ISO 29100 for the public cloud computing environment. In particular, this document specifies guidelines based on ISO 27002, taking into account the legal requirements for the protection of PII that may be applicable within the context of the information security risk environment(s) of a public cloud service offering. This document applies to organisations that provide information processing services as PII processors via cloud computing on behalf of other organisations.
ISO 27701 provides guidelines for establishing and implementing the requirements for, and for maintaining and continuously improving, a Privacy Information Management System. The GDPR is the legislation on which the standard is based, and elements of the law are reflected in the standard. As a result, the law structures the standard; the reverse is not the case.
In addition, the standard states that national (subject-matter) legislation must be complied with. As a result, in the healthcare sector, for example, you also have to comply with the requirements of the WGBO, the Public Health Act, the Wabpvz, etc., which contain specific instructions that are only outlined in general terms in the GDPR.