ISO 27701 FAQs
1. What does the ISO 27701 certificate stand for?
The ISO 27701 certificate represents an organization’s commitment to implementing a robust privacy information management system (PIMS). It indicates that the organization has met the international standards for managing and protecting personally identifiable information (PII) by extending the security controls of ISO 27001 to include privacy-specific requirements.
2. How many controls are in ISO 27701?
ISO 27701 includes 184 controls, which are a combination of modifications and additions to the 114 controls in ISO 27001 Annex A. Of these, 135 controls modify existing ISO 27001 controls, and 49 new controls are specific to managing PII.
3. Can organizations get certified in ISO 27701 without an ISO 27001 certification?
No, organizations cannot obtain ISO 27701 certification without first achieving ISO 27001 certification. ISO 27701 is designed as an extension of ISO 27001, and its privacy controls are built on the foundation of ISO 27001’s information security management system (ISMS).
4. What is the current version of ISO 27701?
The current version of ISO 27701 is ISO/IEC 27701:2019, published in August 2019. It was developed to provide guidelines for implementing a PIMS in conjunction with ISO 27001 and ISO 27002.
5. Why is ISO 27701 important?
ISO 27701 is important because it provides a globally recognized framework for managing privacy and protecting PII. It helps organizations comply with data protection regulations, such as the GDPR, and demonstrates to stakeholders that they take privacy seriously. This certification can enhance trust with customers, partners, and regulators.
6. What is the difference between ISO 27701 and ISO 27001?
ISO 27001 focuses on information security management systems (ISMS), providing a framework for securing all types of information. ISO 27701 extends this framework to include privacy management, specifically targeting the protection of PII. While ISO 27001 addresses general information security, ISO 27701 adds controls for handling privacy concerns and data protection.
7. Is ISO 27701 mandatory?
ISO 27701 is not mandatory, but it is highly beneficial for organizations that handle PII and seek to demonstrate their commitment to privacy management. Achieving ISO 27701 certification can also help organizations comply with various privacy laws and regulations, such as the GDPR.
8. What is the primary focus of ISO 27701?
The primary focus of ISO 27701 is to establish, implement, maintain, and continually improve a privacy information management system (PIMS). It aims to enhance the privacy controls within an organization’s ISMS, ensuring effective management and protection of PII.
9. Does ISO 27701 cover GDPR and other local privacy laws?
Yes, ISO 27701 is designed to align closely with GDPR and other local privacy laws. The standard provides a framework that helps organizations demonstrate compliance with data protection regulations by establishing robust privacy controls. It acts as a certification that independently confirms an organization’s adherence to these laws.
10. What is PII in ISO 27701?
In ISO 27701, PII (personally identifiable information) refers to any information that can be used to identify an individual. This can include names, addresses, email addresses, identification numbers, or any other data that can directly or indirectly identify a person. ISO 27701 focuses on establishing controls to protect PII throughout its lifecycle within an organization.