- 2024-12-20
As more and more data protection and privacy regulations emerge around the globe, the desire to demonstrate compliance with them increases. With assorted management systems and associated certifications well established to demonstrate conformity and compliance, organizations are eager to manage their data protection and privacy obligations in the same way.
This is where ISO/IEC 27701:2019, titled “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines”, comes in. While it is a management system standard against which ISO/IEC 27701 certification can be obtained, there are some important differences from other management system standards. Likewise, there are important specifics that the respective management system needs to address to achieve certification. This article covers both aspects, giving an auditor’s ultimate guide to ISO/IEC 27701 certification.
Structure of ISO/IEC 27701:2019
Understanding the Structure of ISO/IEC 27701
Two important structural differences exist between ISO/IEC 27701:2019 and other management system standards such as ISO 9001, ISO/IEC 27001, etc.
First, the standard is not stand-alone but – as the title expresses – an extension to ISO/IEC 27001 and ISO/IEC 27002, which means it is impossible to achieve certification to ISO/IEC 27701 on its own. Instead, ISO/IEC 27701 certification will always be linked to an ISO/IEC 27001 certification. This can be achieved by adding ISO/IEC 27701 to an existing ISO/IEC 27001 certification or simultaneously obtaining ISO/IEC 27001 and ISO/IEC 27701 certification.
Consequently, the management system under certification also needs to conform with both ISO/IEC 27001 and ISO/IEC 27701 and is therefore commonly referred to as a Privacy Information Management System (PIMS) rather than an Information Security Management System (ISMS). It is also important to note that this does not constitute an integrated management system but remains a single management system.
As such, the audit time reductions for integrated management systems based on IAF MD11 do not apply. To be eligible, the PIMS would need to be integrated with, e.g., a QMS, EMS or SMS according to the relevant ISO standards, which is perfectly feasible.
Auditor’s Ultimate Guide to Extending ISO/IEC 27001
Secondly, unlike most other ISO management system standards, including ISO/IEC 27001, ISO/IEC 27701 is not a pure requirements standard but also includes a significant amount of guidance, and thus does not follow the Annex SL high-level structure (clauses 4-10).
From both an implementation and a certification perspective it is therefore important to pay close attention to which sections of ISO/IEC 27701 are worded or marked as normative as opposed to informative: the former must be conformed with to achieve certification, while the latter is guidance to be considered but not mandatory, as also summarised in clause 4.
The strictly normative parts of ISO/IEC 27701 are clause 5 as well as Annexes A and/or B (see below), so particular attention should be paid to these parts. Clause 5 includes additional PIMS-specific requirements adding to clauses 4-10 of ISO/IEC 27001, while Annexes A and B include additional PIMS-specific controls, thus effectively extending Annex A of ISO/IEC 27001. Attention should also be paid to clause 4.4, which defines the term “customer” used regularly across the standard to describe the assorted relationships occurring as part of the handling of personally identifiable information (PII).
Clauses 6 to 8 all include additional guidance: clause 6 adds to the guidance in ISO/IEC 27002 related to Annex A of ISO/IEC 27001, while clauses 7 and 8 provide guidance on Annexes A and B of ISO/IEC 27701:2019 respectively.
Finally, we should note that ISO/IEC 27701:2019 formally refers to ISO/IEC 27001:2013, i.e. clause 6 relates to Annex A of that edition rather than the current version of ISO/IEC 27001 issued in 2022. A corresponding revision of ISO/IEC 27701 is underway. In the meantime, it is perfectly fine to have a PIMS based on ISO/IEC 27001:2022 as extended by ISO/IEC 27701:2019; certification of both will generally be granted by certification bodies and is supported under the respective accreditations granted by the relevant accreditation bodies to the certification body. It merely requires extra legwork at implementation to link the guidance in clause 6 back to the revised Annex A of ISO/IEC 27001:2022, e.g. based on the mapping provided in ISO/IEC 27002:2022.
What does extending ISO/IEC 27001 mean?
Privacy Information Management System (PIMS)
So, let’s take a closer look at the mechanics in ISO/IEC 27701 to extend an ISMS into a PIMS.
Clause 5.1 consists of a seemingly “innocent” statement on how to interpret ISO/IEC 27001 for a PIMS: any reference to “information security” shall be extended to the protection of privacy as potentially affected by the processing of PII. As the associated note states, this in practice means that wherever “information security” is used in ISO/IEC 27001, “information security and privacy” applies instead.
As such, the most tedious task is to review every corner of the ISMS to determine whether, and which, privacy elements need to be added, especially where a pre-existing ISMS is to be extended into a PIMS. Consequently, throughout clause 5, which is structured along clauses 4 to 10 of ISO/IEC 27001, the standard will often simply state “The requirements stated in ISO/IEC 27001:2013, X.X along with the interpretation specified in 5.1, apply”. The importance of not overlooking this cannot be stressed enough. Take for example clause 9 of ISO/IEC 27001: for all three sub-clauses 9.1 to 9.3, ISO/IEC 27701:2019 clause 5.7 solely includes the aforementioned phrase. Does that mean the PIMS has no impact on KPIs, internal audits and management reviews? Far from it; indeed it would be silly if that were the case. Instead, the implementer of the PIMS needs to establish how the privacy aspect is reflected in those activities, and the auditor will assess the appropriateness of that determination. In this example it would, e.g., be appropriate to include KPIs on data protection and privacy activities and performance, review the same in internal audits, and report on them in the management review, all in line with applicable regulatory requirements. Equally, the internal audit programme would need to cover not just Annex A of ISO/IEC 27001 but likewise Annexes A and B of ISO/IEC 27701 as applicable.
Of course, clause 5 also includes a few precisely worded additional requirements. These only relate to clause 4 “Context of the organization” and clause 6.1 “Actions to address risks and opportunities” of ISO/IEC 27001. So, let’s have a look at them.
As part of the context analysis, clause 5.2.1 starts with an important requirement for the organization to determine its role as a PII controller (including as a joint PII controller) and/or a PII processor, closely followed by the requirement to identify the applicable legal and regulatory data protection and privacy frameworks, i.e. laws, regulations, judicial decisions, contractual requirements, etc. Both aspects have far-reaching consequences for the PIMS to be implemented, and hence are critical for its success.
Applicability of Annexes A and B in PIMS
The applicability of Annexes A and B is controlled by the determined role(s): Annex A only applies to PII controllers and Annex B only to PII processors, yet an organization could determine that it is both for different aspects of its activities in the scope of the PIMS, in which case both Annexes would apply.
The identification of applicable legal and regulatory frameworks is particularly important for organizations operating multi-nationally. It is crucial to identify and satisfy the requirements of all jurisdictions in which the organization operates directly, as well as those where its PII principals, i.e. the individuals whose PII in the scope of the PIMS is processed (e.g. customers), are located, as local law there will hence apply to the organization and thus needs to be covered by the PIMS.
This can be a bit of a minefield, and it is hence highly recommended to involve legal experts in this exercise. It also highlights the fact that while GDPR has been a significant contributor to the drafting of ISO/IEC 27701, the standard is by no means limited to GDPR but aims to cover any kind of data protection and privacy information management, based on whatever jurisdiction(s) and their respective laws and regulations apply.
It should also be noted that in some parts of the world these matters may be partially or fully devolved from national/federal level to subordinate levels, and hence there may (also) be localized supervisory authorities – not necessarily consistent with one another – overseeing their application, just to add to the “fun” of compliance. Both the USA and Germany are good examples of that.
While there is a consensus worldwide as to the concepts of the (joint) controller vs. processor role in data protection and privacy management, it is always worthwhile to verify whether there are any subtle differences between applicable jurisdictions. In a nutshell, though, the controller is the responsible party setting the policies, procedures, processes, etc. on how privacy information is processed, and any processors engaged are obliged to follow those rules.
Other Requirements and Risk Management for PII
The remaining additional requirements regarding the context of the organization are rather obvious in that, of course, other PII-relevant interested parties, e.g. supervisory authorities, other controllers, processors and their subcontractors, need to be included. Likewise, the scope of the management system might need to be fine-tuned accordingly.
The additional requirements regarding actions to address risks and opportunities are equally straightforward, bar one that is regularly missed.
The obvious elements are that risk management of course needs to cover privacy-related risks, and the SoA (statement of applicability) needs to ensure that no controls have been omitted, neither from Annex A of ISO/IEC 27001 (in its extended interpretation per above) nor – based on the determined role of the organization – from Annexes A and/or B of ISO/IEC 27701.
The crucial and regularly missed addition here, though, is once again a few extra words in clause 5.4.1.2: risks and consequences not just to the organization but likewise to the PII principals must be managed. So an organization needs to consider not just the damage it causes to itself but equally, and probably more importantly, the damage to the individuals whose PII it is processing should any risks materialize. This is a core principle of various data protection and privacy frameworks; violation of it typically leads to hefty fines and, during the certification audit, to a major nonconformity.
What else to keep in mind?
Conclusion: The Path to Certification Success
There are also a few things to keep in mind assuming that an organization is going for accredited certification. Accredited certification is always highly recommended, as accreditation provides extra assurance that the certification body follows correct procedures to ensure competent audits and thus reliable certification. As such, it is like an extra quality seal on the certification.
Accredited certification bodies like MSECB need to demonstrate conformity with additional ISO standards, namely ISO/IEC 17021-1:2015 governing overall management system certification, further extended by ISO/IEC 27006 for ISMS certification, recently updated to ISO/IEC 27006-1:2024, and by ISO/IEC 27006-2:2021 for PIMS certification.
ISO/IEC 27006-2:2021 mandates a few additional requirements, as per above, primarily to be considered by certification bodies like MSECB, but it is generally helpful for organizations seeking accredited certification to consider them early on in their management system implementation.
Probably most importantly, the ISO/IEC 27701 certificate needs to state the role of the organization for each activity, product or service in scope, as per above, as well as include the wording “privacy information management system” and a link to the ISO/IEC 27001 certificate if that is separate.
ISO/IEC 27701 certification also comes with a mark-up on the ISO/IEC 27001 audit time. While ISO/IEC 27006-2:2021 defines some requirements based on the role(s) determined by the organization, it is ultimately for the certification body to evaluate that input, determine the additional audit time required and quote accordingly.
Finally, accreditation bodies might opt to geographically limit the scope of accreditation based on the competence demonstrated by the certification body, especially for schemes like PIMS that rely heavily upon local jurisdictions. So when choosing a certification body, it is important to verify that its accreditation covers the jurisdictions in scope identified above.
About the Author
Martin Holzke
Martin Holzke provides consultancy, audit and training services. Based on his education in physics to degree level, he started out as a freelancer in full systems and software development life cycle projects in Germany more than 30 years ago, then over the years expanded into training, coaching and mentoring in these fields in Germany and the UK. For many years now he has applied this vast range of experience in providing training, audit and implementation support services for management systems to clients all over Europe and beyond, as well as being a technical assessor for the United Kingdom Accreditation Service (UKAS) across various schemes. He has been a PECB trainer and MSECB lead auditor for many years and runs the “ISO in the Sun” courses in Lanzarote, Canary Islands, Spain.