ISO 27701 is an international standard for privacy information management. Officially known as ISO/IEC 27701, it was published in August 2019 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management systems. It provides guidance on the protection of privacy, including how organizations should manage personal data, and assists in demonstrating compliance with privacy regulations around the world.
Key aspects of ISO 27701 include:
Privacy Framework: It establishes a framework for managing privacy-related information, addressing requirements and providing guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
Integration with ISO/IEC 27001: ISO 27701 is designed to be a companion to ISO/IEC 27001 and ISO/IEC 27002. Organizations already compliant with ISO/IEC 27001 can extend their Information Security Management System (ISMS) to incorporate privacy management, including the processing of personal data.
Compliance with Privacy Regulations: The standard helps organizations meet regulatory requirements related to data privacy and protection, such as the General Data Protection Regulation (GDPR) in the European Union, by providing a set of guidelines and best practices.
Applicability to All Types of Organizations: ISO 27701 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations.
Data Processing Roles: The standard distinguishes between data controllers and data processors, providing specific guidelines for each role regarding the handling of personal information.
Risk Management: ISO 27701 emphasizes a risk-based approach to privacy and information security, encouraging organizations to identify and mitigate risks related to personal data.