BS 10012:2017 - Personal Information Management System

What is BS 10012:2017?

BS 10012:2017 is a British standard which has been developed to enable organizations to implement a Personal Information Management System (PIMS). This provides a framework for maintaining and improving compliance with data protection legislation and good practice.

BS 10012:2017 provides a framework which will help you to manage risks to the privacy of personal data and implement appropriate policies, procedures, and controls. In March 2017, BSI updated this Standard in response to the introduction of the European Union General Data Protection Regulation (GDPR). Article 42 of the GDPR encourages the “establishment of data protection certification mechanism for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” This is exactly what BS 10012:2017 is intended to offer.

Organizations can consider implementing BS 10012:2017 as an approach to implement a standalone Privacy Information Management System without ISO 27001 or ISO 27701.

Benefits of BS 10012:2017 Compliance

BS 10012:2017 helps organizations to protect their customer Personally Identifiable Information (PII), which in turn brings many benefits where some benefits are mentioned below:
  • Improved Personal Information Privacy
  • Increased Customer Satisfaction
  • Gain Competitive Advantage
  • Increased PII Attack Resilience
  • Increased Focus on Risks
  • Greater Legal Compliance
  • Reduce the Costs of Information Privacy
  • Continued PII Confidentiality
  • International Recognition

Differences Between BS 10012:2017, ISO/IEC 27001 & ISO/IEC 27701

1 - ISO/IEC 27001 is the mother standard for information security in the family of 27001 where ISO/IEC 27701 is only the extension of ISO/IEC 27001 related to data privacy.
2 - ISO/IEC 27701 brings additional requirements within the main clauses of ISO/IEC 27001:2013, as well as further guidance to clauses in ISO27002.
3 - ISO/IEC 27701 also requires that your risk assessment considers risks associated with the confidentiality, integrity, and availability of personal data as well as the Statement of Applicability (SOA) must also be amended to include controls from Annex A and/or Annex B of ISO/IEC 27701.
4 - BS 10012:2017 gives a clear way to compliant with GDPR (General Data Protection Regulation) alone and there is no need to go for ISO/IEC 27001 or ISO/IEC 27701 implementation.

Journey to BS 10012:2017 Compliance

BS 10012 Certification is a 3rd party audit performed by MQA, during the audit we will verify that your organization is following the requirements of BS 10012, if received positive results then we will issue an BS 10012 certificate. This certification is then maintained through annual surveillance audits by MQA, with re-certification of the BS 10012 Certification after three years. See below cycle to know how you can get started on the road to certification:

MQA Certification Cycle

Year 1
Step 1.1 (Initial Application)
  • Client request a quotation.
  • MQA will assess Client’s requirements.
  • MQA will share proposal with client.
  • Client signed the 3-year Certification Contract with MQA.
Step 1.2 (Certification Audit)
  • MQA will conduct:
    1. Gap Assessment (Readiness Review)
    2. Stage-1 Audit (Documentation Review)
    3. Stage-2 Audit (Implementation Review)
  • MQA Auditor will share the audit reports to MQA’s Certification Decision Committee.
Step 1.3 (Certificate Management)
  • If certification decision is positive, then certificate is issued by MQA.
  • If certification decision is negative, then verification audit is planned by MQA.
  • Client will receive the MQA Portal access to:
    1. View the Audit Reports.
    2. Download the ISO Certificate.
    3. Review & Respond to Audit Findings, etc.
Year 2 & 3
Step 2.1 (Renewal Request)
  • MQA request for renewal.
  • Client agreed for Surveillance Audit.
Step 2.2 (Surveillance Audit)
  • MQA will conduct Surveillance Audit
  • MQA Auditor will share the audit reports to MQA’s Certificate Decision Committee.
Step 2.3 (Certificate Management)
  • If no critical non-conformity found, then certificate is renewed by MQA.
  • If any critical nonconformity found, then verification audit is planned by MQA.
  • Client have the MQA Portal access to:
    1. View the Audit Reports.
    2. Download the ISO Certificate.
    3. Review & Respond to Audit Findings, etc.

MQA help you to certify your organization to BS 10012:2017.

Get a Free Quote