
IT GOVERNANCE | GREEN PAPER

ISO 27701
Privacy information
management systems

Protect Comply Thrive


IT GOVERNANCE GREEN PAPER | SEPTEMBER 2019

Introduction

Since the introduction of the EU’s General Data Protection Regulation (GDPR), and the ongoing growth in comparable data protection laws around the world, there has been an increasing need for a standard or code of conduct to support compliance. A small number have arisen, including the UK’s BS 10012 (Data protection – Specification for a personal information management system), but they lack the international recognition necessary to truly act as an effective mark of assurance.

ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines) was published in August 2019 and is one of the most anticipated standards in information security and privacy management. It aims to fill the assurance gap and provide a genuinely international approach to data protection as an extension of information security.

This paper provides information about the Standard so that organisations with a desire to meet their compliance challenges head-on can look ahead and prepare themselves. Organisations examining information security and data protection more broadly can also see how the new standard’s approach might meet their needs.

Why an ISO/IEC privacy management system?

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) are recognised internationally as authorities on management systems and best practice. ISO/IEC publications carry a great deal of weight, and certification to their management system standards through recognised certification schemes is an extremely effective way of both meeting compliance demands and proving your compliance to customers, business partners and regulators.

While there are already some publications and standards that discuss data protection, many are not international, primarily focusing on data protection requirements and good practice in specific jurisdictions. BS 10012 draws solely from the GDPR and the UK’s Data Protection Act (DPA) 2018, for instance, which makes it a good candidate for organisations with a strong regional interest. Meanwhile, an approach based on international best practice must be capable of adapting to other regimes and not impose requirements that hinge on specific legislation.

Crucially, this means that ISO 27701 supports compliance with a wider, international range of data protection and privacy legislation, including HIPAA (Health Insurance Portability and Accountability Act) and the CCPA (California Consumer Privacy Act) in the US.

Beyond these local initiatives, there are also ISO 27018 and ISO 29151, which are codes of practice for protecting personally identifiable information (PII). ISO 27018 is focused specifically on public clouds acting as data processors, while ISO 29151 takes a more general approach to protecting PII. These standards set out control objectives, controls and guidelines to protect PII in accordance with an impact and risk assessment. They offer effective guidance, but are not subject to an externally auditable framework that can offer assurance to third parties. ISO 27701 goes beyond this, setting out management system and control requirements.

While ISO 27701 does not yet have a certification scheme, this is really only a matter of time. Furthermore, there are interim options for asserting compliance, as we discuss later in this paper.

What about ISO 27001?

Even though a ‘comprehensive’ information security management system (ISMS) aligned to ISO/IEC 27001:2013 might already address privacy issues, the requirements can be met without fully addressing privacy. This means that certificates of conformity with ISO 27001 are issued without a guarantee that data protection needs have been adequately met. While data protection naturally requires a degree of information security (the GDPR addresses these as “technical and organisational measures”), it goes much further than simply protecting the information – the organisation must also protect the rights of the data subjects, which cannot be guaranteed through information security alone.
Having a standard that ensures all the relevant privacy issues are factored into a management system means that the resulting certificate must, by default, cover all of those relevant aspects. This also means that a certificate of conformity (when a scheme to provide this is available) gives external stakeholders greater confidence in your privacy management.

What does this mean for BS 10012?

BS 10012 is still an effective management system standard, especially for organisations in the UK, as it takes into account not only the GDPR but also the DPA 2018 and guidance from the Information Commissioner’s Office (ICO). This may have limited value for external stakeholders, however, especially those based in other countries.

Despite this, there is a line of thinking that any organisation that requires privacy assurance will opt for a BS 10012-type solution on the basis that a full ISO 27001 ISMS is overkill. At IT Governance, we do not subscribe to this view for two key reasons.

First, we do not see an ISO 27001-conforming ISMS as burdensome. Through our many successful engagements to implement ISO 27001, we have demonstrated how scalable and flexible it is, and how the most common block is the implementer’s mindset rather than the requirements of the Standard. The risk assessment process in particular ensures that security controls are chosen on the basis of need and suitability, helping the organisation build a cost-effective and practical ISMS.

Second, a BS 10012 personal information management system’s primary concern is data protection. As such, it benefits from a supporting framework that provides effective information security measures such as ISO 27001. This enables you to extend your information security to all of your organisation’s information, not just personal data.

The ISO 27701 approach

A privacy management system is different from an ISMS, but they are closely related. The approach that ISO 27701 takes recognises that information security (the preservation of the confidentiality, integrity and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification.

ISO 27701 defines the extra requirements for an ISMS to cover privacy and the processing of PII. These are supported by additional controls that relate specifically to data protection and privacy. As a new whole, this creates what the Standard calls a privacy information management system (PIMS).

[Figure: how a PIMS is built up – ISO 27001 requirements plus ISO 27701 amendments; ISO 27001 controls plus ISO 27701 control amendments; ISO 27701 controls]
The ISO 27701 standard

ISO 27701 was developed by ISO technical committee SC27 with input from 25 external bodies, including the European Data Protection Board (EDPB).

As already described, it bolts privacy processing requirements onto an ISMS. Part of this requires that anywhere ISO 27001 says “information security” you instead read “information security and privacy” in all instances. For example, where ISO 27001 uses “information security performance”, ISO 27701 requires you to read it as “information security and privacy performance”.

The Standard then goes on to add privacy-specific requirements to some of the clauses in ISO 27001 and the controls in Annex A, and adds some privacy-specific controls over and above the existing information security (and now privacy) controls. Finally, it offers guidance that builds on that available in ISO 27002 subject to whether the organisation in question is a data controller and/or data processor.

ISO 27701 also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO/IEC 29100. These cover a wider range of privacy concerns, including those espoused in data protection regulations internationally.

Definitions

ISO 27701 takes some of its key definitions from ISO 29100, which uses terms that differ from some other sources. It is useful to understand these and how they relate to your legal and regulatory environment.

Personally identifiable information (PII): ‘personal data’ in the GDPR. ISO 29100 defines this as “information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal” (Clause 2.9).

PII principal: ‘data subject’ in the GDPR. ISO 29100 defines this as a “natural person to whom the personally identifiable information (PII) relates” (Clause 2.11).

PII controller: ‘data controller’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes” (Clause 2.10).

PII processor: ‘data processor’ in the GDPR. ISO 29100 defines this as the “privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller” (Clause 2.12).

Structure of ISO 27701

Much like other ISO standards, ISO 27701 divides its content by clause, of which Clauses 5–8 set out the additional requirements and amendments to be applied to ISO 27001, and warrant particular attention.

Clause 5: PIMS-specific requirements

This clause addresses every clause in ISO 27001 and identifies where additional content is necessary. The majority of the ISO 27001 clauses remain unchanged, with the caveat that ISO 27701 requires the organisation to recognise its need for data protection within its context, and this context informs all the other requirements.

Another notable addition affects the risk assessment, which will need to take into account the organisation’s role in relation to PII – that is, whether it is a controller or a processor, and how that might affect the risks to the PII. Another entry recognises the existence of the new control sets and allows the organisation to reconcile its controls against a wider range of controls, including those from ISO 27701.
Clause 6: PIMS-specific guidance

This section provides additional content for the control guidance set out in ISO 27002. It establishes a top-level amendment that all references to ‘information security’ should be taken as including protection of privacy.

Controls with a potentially significant impact on privacy and data protection are given extensive extra guidance. This includes subjects such as removable media, cryptography and secure development.

Clause 7: Additional guidance for controllers

This clause provides guidance on ISO 27701’s Annex A controls, which are specific to privacy for the purposes of PII controllers. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Clause 8: Additional guidance for processors

This clause provides guidance on ISO 27701’s Annex B controls, which are specific to privacy for the purposes of PII processors. These controls address many of the critical areas of data protection and privacy that are not accounted for by the controls provided in ISO 27001.

Accredited certification

Article 42 of the GDPR addresses certification schemes, stating that member states, supervisory authorities, the EDPB and the Commission should encourage schemes that demonstrate compliance with the Regulation.

ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and so will not meet the GDPR requirements.

There is a good chance that an eventual ISO 17065 scheme will include ISO 27701 certification, but overall it will be more robust and hence more expensive. Those organisations that want to demonstrate a degree of assurance without the expense of an ISO 17065-accredited scheme might opt for ISO 27701 certification as an economical compromise.

Whether accredited certification to ISO 27701 alone will suffice for many organisations and their interested parties will likely be decided by the market and regulators. Given the broad acceptance of ISO 27001 as a model for information security, it is likely that many markets will accept ISO 27701 certification as adequate proof that the organisation has taken appropriate steps to meet its data protection obligations.

Either way, the options for accredited certification to ISO 27701 will need to evolve as the current schemes do not accommodate it. In the interim, the closest option for accredited certification will be referring to ISO 27701 as a source of controls in a Statement of Applicability (SoA) cited in an accredited certification document for ISO 27001.

This method is currently used to include sector-specific standards in certifications, but that is changing: a pending amendment to ISO 27006 (which sets out the accreditation requirements for certification bodies offering certification to ISO 27001) states that this reference can only relate to the source of controls detailed in the SoA; it should not imply conformity to a set of management system requirements.

Regardless of the outcome, it is only a matter of time until there is some method for organisations to demonstrate conformity with ISO 27701. It is likely to become a popular approach to managing data protection and privacy and demonstrating that to others, even if certification to the Standard is not formally adopted as a certification mechanism under the GDPR.
Other papers you may be interested in

- Conducting a Data Flow Mapping Exercise Under the GDPR (IT Governance green paper)
- EU General Data Protection Regulation – A compliance guide (IT Governance green paper, January 2019)

Useful data protection and privacy resources

IT Governance offers a unique range of data protection and privacy products and services, including books, standards, pocket guides, training courses and professional consultancy services.

Standards

ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO 27002 for privacy information management — Requirements and guidelines (international standard). ISO 27701 provides guidelines for implementing, maintaining and continually improving a PIMS (privacy information management system).

BS 10012:2017+A1:2018 – Data protection – Specification for a personal information management system (PIMS) (British standard). BS 10012:2017+A1:2018 specifies the framework for implementing a personal information management system (PIMS) in compliance with the GDPR and DPA 2018.

Books

EU GDPR – A pocket guide. This essential guide is the ideal resource for anyone wanting a clear primer on the principles of data protection and their obligations under the GDPR.

Toolkits

ISO 27001 ISMS Documentation Toolkit. Accelerate your ISO 27001 project with this bestselling toolkit, which includes customisable and fully ISO 27001-compliant documentation templates, dashboards and gap analysis tools, and direction and guidance from expert ISO 27001 practitioners.

EU GDPR Documentation Toolkit. The GDPR Documentation Toolkit was developed by expert practitioners and contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents to help you achieve and demonstrate compliance with the Regulation.

Training

ISO 27001 Certified ISMS Foundation Training Course (classroom; ISO 17024:2012 certificated). Learn from the experts about ISO 27001 best practice and find out how to achieve compliance with the Standard. This course is led by practitioners offering real-world expertise and insights.

Certified BS 10012 PIMS Lead Implementer Training Course (classroom; ISO 17024:2012 certificated). BS 10012 is a British standard that outlines the specifications for a PIMS (personal information management system). This course will teach you how to implement an effective PIMS, allowing your organisation to demonstrate compliance with the requirements of the EU GDPR.
IT Governance solutions

IT Governance writes and publishes extensively on GDPR, data privacy and cyber security, and has developed a range of tools for IT governance, information security and regulatory compliance practitioners.

IT Governance is your one-stop shop for corporate and IT governance information, books, tools, software, training and consultancy. Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Books

We sell sought-after publications covering all areas of data privacy and cyber risk management. Our publishing team also manages a growing collection of titles that provide practical advice for staff taking part in IT governance projects, suitable for all levels of knowledge, responsibility and experience.

Visit www.itgovernance.co.uk/shop/category/itgp-books to view our full catalogue.

Toolkits

Our unique documentation toolkits are designed to help organisations adapt quickly and adopt best practice using customisable template policies, procedures, forms and records.

Visit www.itgovernance.co.uk/documentation-toolkits to view and trial our toolkits.

Training

We offer training courses from staff awareness and foundation courses, through to advanced programmes for IT practitioners and certified lead implementers and auditors.

Our training team organises and runs in-house and public training courses all year round, as well as Live Online and distance-learning courses, covering a growing number of IT GRC topics.

Visit www.itgovernance.co.uk/training for more information.

Consultancy

We are an acknowledged world leader in our field. Our experienced consultants, with multi-sector and multi-standard knowledge and experience, can help you accelerate your IT GRC projects.

Visit www.itgovernance.co.uk/consulting for more information.

Software

Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organisations worldwide to be ISO 27001-compliant.

Visit www.itgovernance.co.uk/software for more information.
Protect • Comply • Thrive

United Kingdom
Unit 3, Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambs., CB7 4EA, United Kingdom
t: +44 (0)333 800 7000 | e: servicecentre@itgovernance.co.uk | w: www.itgovernance.co.uk
Twitter @ITGovernance | LinkedIn /it-governance | Facebook /ITGovernanceLtd

Europe
t: 00 800 48 484 484 | e: servicecentre@itgovernance.eu | w: www.itgovernance.eu
Twitter @ITGovernanceEU | LinkedIn /it-governance-europe-ltd | Facebook /ITGovernanceEU

USA
t: +1 877 317 3454 | e: servicecenter@itgovernanceusa.com | w: www.itgovernanceusa.com
Twitter @ITG_USA | LinkedIn /it-governance-usa-inc | Facebook /ITGovernanceUSA

Asia
t: 00 800 48 484 484 | e: servicecentre@itgovernance.asia | w: www.itgovernance.asia
Twitter @ITGAsia | LinkedIn /it-governance-asia-pacific | Facebook /ITGovernanceLtd

© 2003–2019 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification
