Anyone who works in the security and privacy sphere of corporate life has at some point been introduced to the ISO 27001 standard. It is currently the security framework most widely used by European companies to drive and measure internal and external security measures. With the publication of the General Data Protection Regulation (GDPR) in 2016, we have seen a further increased focus on the definition, maintenance and accountability of security measures, especially for personal data. However, security and privacy professionals have long felt that the ISO 27001 standard did not fully cover the subject matter. Companies and institutions required more guidance on how to build and manage a sustainable Privacy Program. To meet this need, the International Standards Organization (ISO) has provided additional guidance.
The ISO has provided this additional guidance in the form of a brand new international standard, officially called ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines), published in August 2019. The intent is that the existing Information Security Management System (ISMS) is extended with applicable privacy controls and activities, which then leads to the cycle of establishing, implementing, managing and improving a Privacy Information Management System, or PIMS for short.
The PIMS standard provides extensions and guidance on how to update the ISMS so that it also adequately covers the management of privacy information. It contains additions to the ISMS itself (turning it into a PIMS), as well as additions and alterations to the Schedule A controls and the related ISO 27002 guidelines. Furthermore, the standard provides additional guidance for Controllers and Processors in implementing their respective PIMS.
One of the cornerstones of any PIMS is the set of regulations to which the organization in question needs to adhere. Depending on the number of applicable regulations, these (sometimes even contradictory) requirements can add a further level of complexity to a Privacy Program. The framework for a PIMS, as established under ISO 27701, is not tied to the specifics of any particular regulation. It is specific enough to be relevant to managing privacy, yet flexible enough to fit multiple regulations. Nevertheless, it is highly recommended to review and tailor the PIMS to the needs of the individual company.
The GDPR provides the possibility to certify your Privacy Program against a DPA-approved certification scheme, and it is anticipated that ISO 27701 will also be recognized as such in the future. As a Controller, vetting vendors and service providers is always a challenging task, especially now, when the market does not really provide a clear-cut benchmark baseline for Privacy Compliance or Management. Moreover, given the wide adoption of the ISO 27001 standard, we believe that the new PIMS standard will become the preferred choice amongst service providers in a very short time.
For more information on the ISO 27701 implementation, certification or related third party (risk) management, please do not hesitate to get in touch with our experts!