ISO 27701 – Privacy Information Management System (PIMS)
ISO/IEC 27701 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It is an extension to ISO/IEC 27001, the international standard for Information Security Management Systems (ISMS), and to ISO/IEC 27002, the companion guidance on information security controls; it is not a stand-alone management system standard and is applied on top of an existing or planned ISMS.
ISO/IEC 27701:2019, titled “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines,” sets out requirements and guidance for organizations that process personally identifiable information (PII), whether as PII controllers, PII processors, or both, so that they can manage that information and demonstrate compliance with privacy regulations. It is designed to help organizations address privacy concerns and protect personal information.
Key aspects and objectives of ISO/IEC 27701 include:
Integration with ISO/IEC 27001 and ISO/IEC 27002: ISO/IEC 27701 is structured as an extension of both standards. It adds PIMS-specific requirements to the management system clauses of ISO/IEC 27001 and privacy-specific guidance to the controls of ISO/IEC 27002, and then supplies additional guidance that applies only to PII controllers or only to PII processors.
Privacy Information Management System (PIMS): The standard describes how a PIMS is established within the broader context of an organization’s ISMS. This includes considerations for the protection of PII and the rights of the individuals to whom it relates (referred to in the standard as PII principals, and in regulations such as the GDPR as data subjects).
Legal and Regulatory Compliance: ISO/IEC 27701 emphasizes compliance with privacy laws and regulations. Organizations are encouraged to understand and meet the legal requirements related to the processing of personal information.
Risk Management: Like ISO/IEC 27001, ISO/IEC 27701 takes a risk-based approach. The information security risk assessment is extended so that it considers not only risks to the organization but also risks to PII principals arising from the processing of their personal information, and the resulting treatment plan must address both.
Data Subject Rights: The standard addresses the rights of PII principals, including their rights to access, rectify, erase, and object to the processing of their personal information, and to have their data ported. Organizations are required to establish processes for receiving, verifying, and responding to such requests.
Security Controls for Privacy: ISO/IEC 27701 includes specific controls and measures for the protection of personal information. Beyond the confidentiality, integrity, and availability objectives inherited from the ISMS, these cover privacy-specific measures such as identifying the lawful basis and purpose for processing, obtaining and recording consent, data minimization, limits on retention and secure disposal, de-identification, and controls on transfers of PII between jurisdictions and to third parties.
Transparency and Communication: The standard emphasizes transparency in the processing of personal information and the importance of effective communication with data subjects and other stakeholders.
Roles and Responsibilities: ISO/IEC 27701 outlines roles and responsibilities within the organization for the effective implementation and maintenance of the PIMS. It distinguishes between PII controllers, which determine the purposes and means of processing, and PII processors, which process PII on a controller’s behalf, and sets out separate requirements and controls for each role, including the contractual obligations that must be in place between them.
Certification to ISO/IEC 27701 gives organizations a framework for demonstrating their commitment to privacy protection and can strengthen trust with stakeholders, including customers and regulators. Because the standard is an extension rather than a stand-alone management system standard, it is certified as an extension of an ISO/IEC 27001 certification, not on its own. It is particularly relevant given the increasing emphasis on privacy rights and data protection worldwide.