For those that were monitoring the wire, ISO/IEC 27001:2019 (ISO 27701) was released the week of August 5th. In draft form, it was previously labeled ISO/IEC 27552 (should you be wondering why that specific standard number has not been issued). You can obtain a copy of the published version here: https://www.iso.org/standard/71670.html
What is the Objective?
There has been much market anticipation for this standard to be released. It is titled Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines. The objective is to provide organizations additional requirements and guidance, specific to elements of the information security management system (ISMS) as well as for additional control guidance and implementation requirements for controls noted within Annex A (and considerations of those from ISO/IEC 27018 and ISO/IEC 29100) that would support an effective privacy information management system (PIMS) as an extension to an organization’s ISMS. The beauty of ISO 27701 is that it is intended to be applicable to any organization that would be considered a controller or processor for personally identifiable information (PII) in the context of their ISMS.
The Structure of ISO 27701
The structure of the standard is broken down by clauses, where each provides additional requirements or implementation guidance on 1) necessary modifications to the ISMS (Clause 5), 2) additional information security controls (Clause 6), 3) additional controls for PII controllers (Clause 7), and 4) additional controls for PII processors (Clause 8). The standard also includes six Annexes which cover:
- Annex A – PIMS-specific control objectives and controls for an organization acting as a PII controller
- Annex B – PIMS-specific control objectives and controls for an organization acting as a PII processor
- Annex C – Mapping to ISO/IEC 29100
- Annex D – Mapping of the controls in ISO 27701 to the European Union General Data Protection Regulation (GDPR)
- Annex E – Mapping to ISO/IEC 27018 and ISO/IEC 29151
- Annex F – explanation on how ISO/IEC 27001 and ISO/IEC 27002 are extended to the protection of privacy when processing PII.
How Would an Organization Approach 27701?
As extensions to the ISMS go, ISO 27701 is a much bigger task for organizations that may have previously included ISO/IEC 27017 or ISO/IEC 27018 into their management systems. The effort must consider key modifications to the overall ISMS structure and requirements, modification of existing controls from Annex A, as well as the implementation of the control objectives and controls that may be relevant to either a PII processor or PII controller. For organizations that may have a structure and processes in place to support the requirements of GDPR, the transition to conform to ISO 27701 may be a bit simpler; however, the need is still to ensure that these processes are effectively implemented into the scope of the ISMS.
For any scope modification, including incorporating ISO 27701 into your ISMS, there are some necessary tasks to complete.
- Perform a gap assessment of your existing ISMS to the requirements of ISO 27701
- Assign owners to identified gaps and produce an action plan as to how to address those gaps
- Revise the design of the ISMS to incorporate these new requirements
- Perform the necessary activities on the revised ISMS, including but not limited to the risk assessment, measurement and monitoring, internal audit, management review
- Assess the output from the operations of the revised ISMS to ensure that it meets the existing and net-new requirements and that any areas of deficiency or nonconformance are processed through the formalized continual improvement or corrective action process
How Soon Can I Implement ISO 27701?
With the release of this standard being relatively new to the market, there will be those early adopters and market drivers. However, it is important to note that with the criticality of the objective of this standard, ISO is looking to identify specific requirements, both in competency and in process, for certification bodies to adhere to when effectively performing an audit against ISO 27701. These pending new requirements may necessitate certification bodies to modify their existing methodology and approach related to ISO 27701 assessments, which could lengthen the timeline for when an external audit could be properly performed. If new requirements are issued, it may allow for additional time for most organizations to appropriately implement ISO 27701 into their ISMS.
Schellman will continue to monitor any updates and will be sure to communicate them as they unfold. Additionally, we plan to provide a detailed guide to ISO 27701 that will be coming in the next month to help organizations better understand the approach and requirements of ISO 27701.
You can contact Schellman's team
if you need more information or would like a consultation on ISO 27701 and how it can be added to your organization's ISMS.
About the Author
Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.
More Content by Ryan Mackie