An introduction to ISO 27701: the international standard for data privacy

ISO 27701 is the newest standard in the ISO 27000 series, explaining what organisations must do when implementing a PIMS (privacy information management system).

The advice essentially bolts privacy processing controls onto ISO 27001, the international standard for information security, and provides a framework to establish the best practices required by regulations such as the GDPR.

Organisations that are already ISO 27001 compliant will only have a few extra tasks to complete, such as a second risk assessment, to account for the new controls.

ISO 27701 and ISO 27001: privacy vs security

Despite how neatly ISO 27701 ties into ISO 27001, they cover different topics. The former addresses organisations’ privacy controls, whereas ISO 27001 addresses information security.

To put it another way:

  • ISO 27001 relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
  • ISO 27701 relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.

You can discover more by downloading ISO 27701 – Privacy information management systems.

This free green paper provides a comprehensive introduction to ISO 27701. You’ll learn:

  • How ISO 27701 differs from and complements ISO 27001; 
  • The structure and requirements of ISO 27701; 
  • How ISO 27701 can help you achieve compliance with privacy laws like the GDPR (General Data Protection Regulation); and
  • Which additional requirements will apply if you already have an established ISMS (information security management system). 

When building an information security framework, organisations must take a few extra steps to ensure that privacy concerns are accounted for.

ISO 27701’s helps organisations do this by expanding on the clauses of ISO 27001 and controls in Annex A that relate specifically to data privacy. It also provides two additional sets of controls specific to data controllers and data processors.

Additionally, it builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100, the international standard that provides a privacy framework for personal data held in IT systems.

ISO 27701 and the GDPR

Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.

However, as you will have already learned during your GDPR compliance programme, the legislation doesn’t include guidance on how to meet its requirements.

This is to prevent the GDPR from becoming outdated as best practices evolve and new technologies become available.

Although that’s a smart decision in the long term, it leave organisations unsure about specifics.

That’s where ISO 27001 helps, explaining how organisations can address data privacy adequately.

Controllers and processors

Broadly speaking, a data controller is the organisation that determines what information will be processed and why, and the data processor is the one that does the actual processing.

For example, say Company X outsources its payroll responsibilities to a third party. That company is the data controller, outlining who is on the payroll, what their wages are and when payments should be made.

The third party acts as the data processor, providing the IT system where employees’ data is kept.

This distinction is important when it comes to ISO 27701, because controllers and processors are subject to different requirements.

Controllers are responsible for:

  • Creating privacy notices;
  • Implementing mechanisms to ensure that individuals can exercise their data subject rights; and
  • Adopting measures to ensure the data processing meets the GDPR’s principle of privacy by design and by default.

Meanwhile, processors are responsible for:

  • Meeting the instructions set by the controller, therefore mitigating the risk that data is processed excessively or without a lawful basis;
  • Providing whatever information is necessary to help the controller complete a DSAR (data subject access request); and
  • Informing data subjects in advance if personal data is being transferred between jurisdictions.

Get started with ISO 27701

For those looking to implement ISO 27701’s requirements, we are here to help. Our ISO 27701 Starter Bundle contains everything you need to kick-start your compliance project.

It contains our essential guide ISO/IEC 27701:2019: An introduction to privacy information management to help you get to grips with the Standard.

You’ll also receive a copy of the Standard itself, as well as our ISO 27701 Gap Analysis Tool, which you can use to assess your compliance status and identify exactly which steps you must take next.


A version of this blog was originally published on 17 September 2019.

No Responses

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.