The ISO 27701 Assessment: What It Is and Why It Matters
In this series, we’ll explore the leading industry standards, frameworks, and questionnaires that are relevant to third-party risk. First up: ISO 27701.
Who Developed ISO 27701?
The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. Founded in 1947, ISO is the world’s largest developer of voluntary international standards and facilitates world trade by providing common standards among nations. Over 20,000 standards have been set thus far, covering everything from manufactured goods and technology to food safety, agriculture, and healthcare.
Beyond the mission of guiding standards throughout the drafting, review, voting and publication process, ISO also offers a variety of programs to support their more far-reaching initiatives. This includes working to raise public awareness of standards and standardization as well as training their members via ISO research.
What is the ISO 27701 Certification?
The ISO 27701 certification for a Privacy Information Management System (PIMS) is the privacy extension of ISO 27001, the certification for an Information Security Management System (ISMS). The design intent of ISO 27701 is to enhance the existing ISMS with additional controls in order to establish, implement, maintain and consistently improve a PIMS. The certification outlines the framework in which data controllers (including joint personal data controllers) and data processors (including those using subcontractors) must manage and maintain personally identifiable information (PII) to reduce the risks to an individual’s privacy.
Organizations working to become ISO 27701 certified must already have an ISO 27001 certification in place. Additionally, organizations should be aware that the scope of the PIMS can sometimes require revising the scope of the ISMS, because of the extended interpretation of “information security” in ISO 27701.
Who Uses the ISO 27701 Assessment?
Organizations will often assess themselves internally against ISO 27701 requirements. Increasingly, organizations are also using it as the standard against which they assess their third parties.
International organizations across sectors and jurisdictions look to implement ISO 27701 for several reasons, some of which include:
- ISO 27701 is set to be the gold standard for compliance with the General Data Protection Regulation (GDPR). Because of this, any organization implementing ISO 27701 can demonstrate its ethical, GDPR-ready data protection standards to customers, prospects, employees and more.
- Mappings of the ISO 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), GLBA and HIPAA, should also be expected and will likely help organizations by providing a common standard for demonstrating compliance with these regulatory regimes.
- Organizations seeking to increase collaboration between their privacy and security teams may benefit from implementing ISO 27701.
How Can I Use a Cyber Risk Exchange to Assess My Third Parties Against ISO 27701?
The OneTrust Vendorpedia Cyber Risk Exchange is a community of shared vendor risk assessments, as well as security and privacy research on 60,000+ third parties. Through the exchange, your team can request access to completed ISO 27701 assessments (along with assessments against other leading industry standards).
Want to try it out? We’re offering an extended free trial that includes access to 10 free and completed ISO 27701 vendor risk assessments, as well as other leading-industry standards.