Topic-specific policies
ISO/IEC 27701


Search this site
 
ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27701:2019 < Click to purchase via Amazon — Information technology — Security techniques — Extension to ISO/IEC 27001 and to ISO/IEC 27002 for privacy information management Requirements and guidelines (first edition)

 

Abstract

“[ISO/IEC 27701] specifies requirements and provides guidance for  establishing, implementing, maintaining and continually improving a  Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the  context of the organisation.
[ISO/IEC 27701] specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
[ISO/IEC 27701] is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.”
[Source: ISO/IEC 27701:2019]
 

Introduction

Although the fields of information security and privacy management substantially overlap, both go further. This standard explains how to ‘enhance’ (adapt and extend) an ISO/IEC 27001 Information Security Management System and the associated ISO/IEC 27002 controls to manage privacy as well as information security.

 

Scope of the standard

The standard specifies a Privacy Information Management System based on ISO/IEC 27001(ISMS), ISO/IEC 27002 (security controls) and ISO/IEC 29100 (privacy framework). It is applicable to both controllers and processors of Personally Identifiable Information.

ISO/IEC 27701 builds and depends upon ISO/IEC 27001: organisations need to have an ISMS certified compliant to ISO/IEC 27001 in order for their PIMS to be certified compliant to ISO/IEC 27701.

Essentially the phrase ‘information security’ in ISO/IEC 27001 becomes ‘information security and privacy’.

 

Content of the standard

In the style of a sector-specific variant of ISO/IEC 27001, the ~70 page standard elaborates on the PIMS-related differences to the ISO/IEC 27001 and ISO/IEC 27002 standards clause-by-clause.

For example:

    “ISO/IEC 27001:2013, 6.1.3.c) is refined as follows:

    The controls determined in 6.1.3 b) of ISO/IEC 27001:2013 shall be compared with those in ISO/IEC 27001:2013, Annex A and/or Annex B of [ISO/IEC 27701] to verify that no necessary controls have been omitted.

    When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013 Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including risks to PII principals.”

 

Status

The first edition was published in 2019.

The standard is currently being updated, with a new title: “Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance”.

July update The standard has been re-cast to specify a discrete PIMS rather than incorporating privacy within an ISMS.  You can get a rough idea of what to expect by replacing “information security” with “privacy” in the main body of ISO/IEC 27001:2022, replacing Annex A with a generic catalogue of privacy control objectives and controls, and adding a further annex with PIMS implementation guidance (similar to ISO/IEC 27003).

July update The second edition is at Final Draft International Standard stage, and is scheduled for release soon (August 2025) once the remaining minor editorial issues are resolved.

 

Personal comments

Practitioners familiar with ‘the ISO27k way’ should have little difficulty applying the usual information risk management principles to personal information i.e.:

  1. Identify privacy-related risks;
  2. Evaluate them;
  3. Decide how to treat them (what, if anything, to do about them);
  4. Treat them (implement the risk-treatment decisions);
  5. Lather, rinse, repeat.

Thanks to the standard elaborating on the requirements, even others ought to be able to have a jolly good stab at it.

An accompanying accreditation standard directs certification auditors on how to audit a PIMS and issue meaningful certificates for conformity with ISO/IEC 27701 - see ISO/IEC TS 27006-2. Note that, as with ISO/IEC 27001 ISMS certification, the emphasis is on verifying that the management system fulfills all the mandatory requirements of ISO/IEC 27701 ... which is subtly different from actually having all the appropriate privacy arrangements in place. For implementers and certification auditors alike, the challenge is that ‘appropriate’ is not laid out in ISO/IEC 27701 but is determined by the organisation itself. It is context-dependent.

 

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights