Abstract
“This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. …”
Introduction
Although there is substantial overlap between information security and privacy management, both fields are broader and go beyond each other. This standard explains how to ‘enhance’ (adapt and extend) ISO/IEC 27001. Information Security Management System and the associated ISO/IEC 27002 [or other] controls to manage privacy as well as information security.
-
Privacy and Data Protection
PECB ISO/IEC 27701 Foundation in English – with 50% discount coupon
Select options This product has multiple variants. The options may be chosen on the product pageClearLive OnlineSelf-Study -
Privacy and Data Protection
PECB ISO/IEC 27701 Lead Implementer in English – with 50% discount coupon
Select options This product has multiple variants. The options may be chosen on the product pageClearLive OnlineSelf-Study -
Privacy and Data Protection
PECB ISO/IEC PIMS 27701 Lead Auditor in English – with 50% discount coupon
Select options This product has multiple variants. The options may be chosen on the product pageClearLive OnlineSelf-Study -
Privacy and Data Protection
Self Study for PECB GDPR – Certified Data Protection Officer (CDPO) in English – with 50% discount coupon
Select options This product has multiple variants. The options may be chosen on the product pageClearLive OnlineSelf-Study
Scope of the standard
The standard specifies a Privacy Information Management System based on ISO/IEC 27001(ISMS), 27002 (security controls) and 29100 (privacy framework). It is applicable to both controllers and processors of Personally Identifiable Information.
‘27701 builds and depends upon ‘27001: organisations need to have an ISMS certified compliant to ‘27001 in order for their PIMS to be certified compliant to ‘27701. ‘27701 essentially adds ‘privacy’ to ‘27001’s mentions of information security.
Content of the standard
In the style of a sector-specific variant of ISO/IEC 27001, the ~70 page standard elaborates on the PIMS-related differences to the 27001 and 27002 standards clause-by-clause.
For example:
“ISO/IEC 27001:2013, 6.1.3.c) is defined as follows:
The controls determined in 6.1.3 b) of ISO/IEC 27001:2013 shall be compared with those in ISO/IEC 27001:2013, Annex A and/or Annex B of this document to verify that no necessary controls have been omitted.
When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013 Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including risks to PII principals.”
Status
The standard will presumably need to be updated after ISO/IEC 27001 Annex A is updated following the 2022 update to ISO/IEC 27002, since it refers to the current (old) Annex A controls.
For purchasing an official copy of this standard, please visit www.iso.org