ISO/IEC 27701 - A Standalone Management System
With the upcoming release of ISO 27701:2024, there are significant updates to privacy information management systems (PIMS) that GRC professionals should be aware of. The most notable change is that ISO 27701 will evolve from an extension of ISO/IEC 27001 into a fully standalone management system. This marks a significant shift, as organizations will soon be able to implement ISO/IEC 27701 independently, providing enhanced flexibility and focus on privacy management.
In the previous revision from 2019, ISO/IEC 27701 had to be combined with ISO/IEC 27001. Many clauses simply referred back to ISO 27001 requirements, only adding specific guidance for personally identifiable information (PII) where necessary. The upcoming revision (2024, or 2025 if it is published next year) will instead allow organisations to establish a dedicated privacy information management system.
Let's have a brief look at what to expect.
Changes in the Standard
Similar to ISO 27001, the new standard follows a risk-based approach, requiring organisations to conduct risk assessments with a focus on PII risks. With regard to the selected controls, organisations need to produce a Statement of Applicability (SoA) that lists their controls, compared against the reference controls of Annex A.
Annex A will contain three categories of PII reference controls.
Annex A
ISO 27701:2024 continues to provide clear guidance for PII controllers and PII processors, and security controls for both, through the normative controls listed in Annex A.
Reference Controls for PII Controllers
These controls ensure that organizations acting as PII controllers can effectively manage the lifecycle of PII. Controllers must clearly define the lawful basis for collecting PII, document purposes, obtain proper consent, and conduct privacy impact assessments where necessary. The standard also outlines obligations to PII principals, including mechanisms to access, correct, or erase their data and fulfill requests related to automated decision-making.
The current draft contains 31 controls for PII controllers.
Reference Controls for PII Processors
Organizations acting as PII processors will follow controls focused on their contractual obligations to customers. They must ensure that PII is processed in line with documented customer instructions, and not for marketing without explicit consent. Additionally, they must maintain transparency regarding subcontractors and the transfer of PII between jurisdictions.
The current draft contains 18 controls for PII processors.
Security Controls for Both PII Controllers and Processors
There is a common set of controls for both controllers and processors. These include ensuring secure transmission of PII, maintaining records of PII disclosures, and employing strong policies for the protection, retention, and disposal of PII. Both parties must also document and implement privacy by design and default measures, such as data minimization and PII de-identification. There are many similarities to the controls of Annex A of ISO/IEC 27001.
The current draft contains 29 security controls for PII handlers.
Stay tuned for the upcoming release; it is expected to arrive later this year or early next year.
Whenever you're ready, there are 3 ways we can help you:
TRECCERT ISO 27001 Lead Implementer Course: Join 11,500 students in mastering ISO/IEC 27001:2022. This comprehensive 11-hour course will teach you everything you need to implement the standard and pass the TRECCERT® ISO/IEC 27001 Lead Implementer exam.
ISO 27001 Starter Kit: Simplify Your Path to Compliance with a customizable Project Plan and supporting Resources.
Exam Vouchers: Save 10% compared to retail prices.