
ISO/IEC 27701 Privacy Information Management

April 16, 2024 (4 minute read)
Cybersecurity and VPN

ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

The standard helps organizations manage privacy risks and compliance with various privacy regulations, such as GDPR (General Data Protection Regulation). It outlines requirements and guidance for implementing, maintaining, and continually improving a PIMS, focusing on the protection of Personally Identifiable Information (PII) and ensuring individuals’ privacy rights are upheld.

The standard specifies PIMS-related requirements and provides guidance for personally identifiable information (PII), specifically in relation to PII controllers and PII processors holding responsibility and accountability for PII processing. It is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Table of Contents

Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 General
4.1 Structure of this document
4.2 Application of ISO/IEC 27001:2013 requirements
4.3 Application of ISO/IEC 27002:2013 guidelines
4.4 Customer
5 PIMS-specific requirements related to ISO/IEC 27001
5.1 General
5.2 Context of the organization
5.3 Leadership
5.4 Planning
5.5 Support
5.6 Operation
5.7 Performance evaluation
5.8 Improvement
6 PIMS-specific guidance related to ISO/IEC 27002
6.1 General
6.2 Information security policies
6.3 Organization of information security
6.4 Human resource security
6.5 Asset management
6.6 Access control
6.7 Cryptography
6.8 Physical and environmental security
6.9 Operations security
6.10 Communications security
6.11 Systems acquisition, development and maintenance
6.12 Supplier relationships
6.13 Information security incident management
6.14 Information security aspects of business continuity management
6.15 Compliance
7 Additional ISO/IEC 27002 guidance for PII controllers
7.1 General
7.2 Conditions for collection and processing
7.3 Obligations to PII principals
7.4 Privacy by design and privacy by default
7.5 PII sharing, transfer, and disclosure
8 Additional ISO/IEC 27002 guidance for PII processors
8.1 General
8.2 Conditions for collection and processing
8.3 Obligations to PII principals
8.4 Privacy by design and privacy by default
8.5 PII sharing, transfer, and disclosure
Annex A PIMS-specific reference control objectives and controls (PII Controllers)
Annex B PIMS-specific reference control objectives and controls (PII Processors)
Annex C Mapping to ISO/IEC 29100
Annex D Mapping to the General Data Protection Regulation
Annex E Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
F.1 How to apply this document
F.2 Example of refinement of security standards
ISO/IEC 27701:2019

Implementation

Implementing a Privacy Information Management System (PIMS) in conformity with ISO/IEC 27701 involves the key steps below. Because ISO/IEC 27701 is written as an extension rather than a stand-alone standard, a PIMS presupposes an information security management system that conforms to ISO/IEC 27001; the steps build on that ISMS rather than replacing it. Note also that ISO/IEC 27701:2019 is structured against the 2013 editions of ISO/IEC 27001 and ISO/IEC 27002 (see clauses 4.2 and 4.3 above), so an organization whose ISMS already follows the 2022 editions needs to map the reorganized 2022 controls back to the 2013 clause structure that ISO/IEC 27701:2019 refines.

Gap Analysis

Conduct a thorough assessment of your organization’s current privacy management practices against the requirements of ISO/IEC 27701 to identify gaps and areas for improvement.

Leadership Commitment

Obtain commitment and support from top management to ensure that privacy is prioritized and integrated into the organization’s overall business strategy.

Scope Definition

Define the scope of your PIMS, including the boundaries, activities, and processes covered by the system.

Risk Assessment and Treatment

Identify and assess privacy risks associated with the processing of personally identifiable information (PII) within your organization. Develop and implement controls to mitigate these risks effectively.

Legal and Regulatory Compliance

Ensure compliance with relevant privacy laws, regulations, and contractual obligations, such as GDPR, CCPA, and HIPAA, by integrating legal requirements into your PIMS.

Privacy Policies and Procedures

Develop and implement comprehensive privacy policies, procedures, and guidelines to govern the collection, use, retention, and disclosure of PII within your organization.

Training and Awareness

Provide training and awareness programs to employees, contractors, and other relevant stakeholders to enhance their understanding of privacy responsibilities and requirements.

Documented Information

Establish and maintain documented information, including policies, procedures, records, and other relevant documentation, to support the effective implementation and operation of your PIMS.

Monitoring and Measurement

Implement mechanisms to monitor, measure, and evaluate the performance of your PIMS against defined objectives, targets, and key performance indicators (KPIs).

Internal Audit

Conduct regular internal audits to assess the effectiveness of your PIMS, identify non-conformities, and drive continual improvement.

Continual Improvement

Foster a culture of continual improvement by implementing corrective actions, actions to address risks and opportunities, and other measures to remedy identified non-conformities and enhance the overall performance of your PIMS.

Management Review

Hold periodic management reviews to evaluate the performance of your PIMS, identify opportunities for improvement, and make necessary adjustments to enhance its effectiveness.

In conclusion…

By following these steps, organizations can effectively implement a Privacy Information Management System in conformity with ISO/IEC 27701, thereby demonstrating their commitment to protecting individuals’ privacy rights and complying with applicable privacy laws and regulations.

ISO/IEC 27701 can be purchased through the ISO.org website.
