ISO/IEC 27701:2019 - Privacy Information Management System

What is ISO/IEC 27701:2019?


ISO/IEC 27701 is an international standard and a data privacy extension to ISO/IEC 27001. It specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS), which enables organizations to support compliance with GDPR and other data privacy requirements.

ISO/IEC 27701 is the international standard that outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. The current version, ISO/IEC 27701:2019, was released in August 2019.

Organizations looking to get certified to ISO/IEC 27701 in order to comply with GDPR will need either to have an existing ISO/IEC 27001 certification or to implement ISO/IEC 27001 and ISO/IEC 27701 together as a single implementation audit. ISO/IEC 27701 is an expansion of the requirements and guidance set out in ISO 27001, related to data privacy.

Certification to ISO/IEC 27701 does not confirm legal compliance with GDPR; however, it provides a considerable framework for any company to support compliance with GDPR or any other data privacy requirements. Organizations can also consider implementing BS 10012:2017 as an alternative approach. This is for organizations seeking to implement a standalone Privacy Information Management System without ISO 27001.

Benefits of ISO/IEC 27701:2019 Compliance

ISO/IEC 27701 helps organizations protect their customer information, which in turn brings many benefits, some of which are listed below:
  • Improved Personal Information Privacy
  • Increased Customer Satisfaction
  • Gain Competitive Advantage
  • Increased PII Attack Resilience
  • Increased Focus on Risks
  • Greater Legal Compliance
  • Reduce the Costs of Information Privacy
  • Continued PII Confidentiality
  • International Recognition

Differences between ISO/IEC 27001:2013 & ISO/IEC 27701:2019

1 - ISO/IEC 27001 is the mother standard for information security in the family of 27001, whereas ISO/IEC 27701 is only the extension of ISO/IEC 27001 related to data privacy.
2 - ISO/IEC 27701 brings additional requirements within the main clauses of ISO/IEC 27001:2013, as well as further guidance to clauses in ISO/IEC 27002.
3 - ISO/IEC 27701 also requires that your risk assessment considers risks associated with the confidentiality, integrity, and availability of personal data, and the Statement of Applicability (SOA) must also be amended to include controls from Annex A and/or Annex B of ISO/IEC 27701.
4 - ISO/IEC 27701 gives a clear way to comply with GDPR (General Data Protection Regulation). An organization that focuses on data privacy, i.e. GDPR regulations, therefore has to implement the ISO/IEC 27701 guidelines as well while implementing the information security guidelines of ISO/IEC 27001.

Journey to ISO/IEC 27701:2019 Compliance

ISO/IEC 27701 Certification is a 3rd party audit performed by MQA. During the audit we verify that your organization is following the requirements of ISO/IEC 27701; if the results are positive, we issue an ISO/IEC 27701 certificate. This certification is then maintained through annual surveillance audits by MQA, with re-certification of the ISO/IEC 27701 Certification after three years. The cycle below shows how you can get started on the road to certification:

MQA Certification Cycle

Year 1
Step 1.1 (Initial Application)
  • Client requests a quotation.
  • MQA assesses the Client’s requirements.
  • MQA shares a proposal with the Client.
  • Client signs the 3-year Certification Contract with MQA.
Step 1.2 (Certification Audit)
  • MQA will conduct:
    1. Gap Assessment (Readiness Review)
    2. Stage-1 Audit (Documentation Review)
    3. Stage-2 Audit (Implementation Review)
  • The MQA Auditor will share the audit reports with MQA’s Certification Decision Committee.
Step 1.3 (Certificate Management)
  • If the certification decision is positive, the certificate is issued by MQA.
  • If the certification decision is negative, a verification audit is planned by MQA.
  • Client will receive MQA Portal access to:
    1. View the Audit Reports.
    2. Download the ISO Certificate.
    3. Review & Respond to Audit Findings, etc.
Year 2 & 3
Step 2.1 (Renewal Request)
  • MQA requests renewal.
  • Client agrees to the Surveillance Audit.
Step 2.2 (Surveillance Audit)
  • MQA will conduct the Surveillance Audit.
  • The MQA Auditor will share the audit reports with MQA’s Certificate Decision Committee.
Step 2.3 (Certificate Management)
  • If no critical non-conformity is found, the certificate is renewed by MQA.
  • If any critical non-conformity is found, a verification audit is planned by MQA.
  • Client has MQA Portal access to:
    1. View the Audit Reports.
    2. Download the ISO Certificate.
    3. Review & Respond to Audit Findings, etc.

MQA helps you certify your organization to ISO/IEC 27701:2019.
