ISO 27701 Certification
ISO 27701 certification allows data controllers and data processors to demonstrate compliance with a broad scope of privacy laws, such as GDPR and CCPA. An extension of ISO 27001 – one of the most widely accepted standards for information security management – ISO 27701 provides additional standards for implementing and maintaining a Privacy Information Management System (PIMS). By allowing you to satisfy multiple privacy requirements with one set of controls – and by providing a single framework to audit against – it can significantly streamline your compliance efforts.
Our ISO 27701 Certification Services
At 360 Advanced, we can help you achieve – and maintain – ISO 27701 certification.
Readiness Assessment
If you are implementing ISO 27701 for the first time, 360 Advanced can help you understand the requirements as they apply to your business. We can identify the standards that you are required to meet based on the types of data that you handle, then map these requirements to ISO 27701 controls. We can also identify any additional requirements that are not encompassed by the standard controls, and the conditions under which these requirements apply. From there, we can help you determine how your existing system compares to these standards, and which controls require remediation before your organization can become ISO-certified.
Audits
360 Advanced can formally audit your Privacy Information Management System against ISO 27001 standards, including the 27701 extension. If your PIMS meets the minimum requirements, we will issue a report validating certification. You can use this independent, third-party report to communicate your compliance efforts to regulatory bodies, stakeholders, customers, and business partners.
New to ISO 27701? Learn More about the Requirements.
ISO 27701 is designed to complement ISO 27001. Because ISO 27001 provides the security controls that provide an essential foundation for privacy efforts, ISO 27001 certification is a pre-requisite for ISO 27701. However, ISO 27701 introduces new controls that are specific to controllers and processors of personally identifiable information.
ISO 27701 Privacy Requirements
Like ISO 27001, the ISO 27701 privacy framework does not require organizations to implement every control in every situation. Instead, compliance relies on a risk-based approach; you can apply relevant controls based on the way you use your information management system.
The framework prescribes different requirements for data processors and data controllers. However, common requirements for ISO 27701 certification include:
- Employees that have access to personal data must sign a confidentiality agreement and complete a privacy awareness training program.
- Organizations must have a public-facing privacy policy.
- Organizations must complete a privacy risk assessment to identify potential threats.
- Organizations must appoint a responsible individual for their governance and privacy program.
- Organizations must have a documented incident response plan.
- Organizations must keep a record of all activities and systems through which personal information is processed.
- Organizations must implement appropriate mechanisms to accommodate individuals’ rights to access, correct, and erase their PII.
- Data controllers must have documented agreements with data processors regarding the access and protection of PII.
How does ISO 27701 Realted to GDPR?
ISO 27701 sets the framework for compliance with a variety of regulations. The standards can be mapped to:
- GDPR
- ISO/IEC 29100
- ISO/IEC 27018
- ISO/IEC 29151
Mappings to other privacy standards, such as CCPA and HIPAA, are expected in the future, allowing organizations to demonstrate compliance with an even broader spectrum of privacy laws.
While many organizations use their ISO 27701 certification to communicate their GDPR compliance efforts, it is important to note that the certification is not currently recognized as an official GDPR certification. However, it may be considered a potential path to certification in the future.