ISO/IEC 27701 is an extension to the existing ISO/IEC security standards 27001 and 27002. ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS).
Information security is defined within the standard in the context of the CIA Triad: the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).
The new ISO/IEC standard is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.
ISO/IEC 27701 At-A-Glance
*Extract from analysis by Samuel D. Goldstick, Steven M. Millendorf, Michael R. Overly and Jennifer L. Rathburn of Foley & Lardner LLP
- ISO/IEC 27701 is a new, privacy-oriented standard that builds upon the well-known ISO/IEC 27001 security standard.
- Certification to ISO/IEC 27701 (when available) will require certification to ISO/IEC 27001 first.
- While ISO/IEC 27001 provides controls for general security measures, ISO/IEC 27701 focuses on new requirements and controls, along with implementation guidance, directed specifically at protecting personal information.
- ISO/IEC 27701 may be used to demonstrate compliance and accountability with various privacy regimes throughout the world, including the GDPR.
- Businesses may want to include contractual obligations requiring vendors who handle sensitive personal information to comply with or, where appropriate, become certified under ISO/IEC 27701.
- Vendors handling personal information may want to proactively begin efforts to build on ISO/IEC 27001 compliance and become compliant with and/or certified under ISO/IEC 27701.