Certification

Gerico Security - ISO 27701

ISO 27701 is a valuable tool for organizations aiming to protect personal data and demonstrate their commitment to privacy. 
By implementing a management system in compliance with this standard, organizations can mitigate risks, enhance customer trust, and strengthen their reputation in the marketplace. 

What is ISO 27701?

ISO/IEC 27701:2019 defines the requirements for implementing a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001’s Information Security Management System (ISMS). The resulting management system expands the concept of “Information Security” to “Information Security and Privacy.” 

Specifically: 

  • Clause 5 provides PIMS-specific guidance and additional information related to ISO/IEC 27001 information security requirements, tailored for organizations acting as PII Controllers or PII Processors. 
  • Clause 6 offers further guidance and PIMS-specific recommendations in relation to ISO/IEC 27002 security controls, again for both PII Controllers and PII Processors. 
  • Clause 7 gives additional implementation insights to ISO/IEC 27001 specifically for PII Controllers. 
  • Clause 8 offers further recommendations aligned with ISO/IEC 27002, targeting PII Processors. 

This standard bridges the gap between information security and data privacy, making it a strategic framework for organizations that handle Personally Identifiable Information (PII) and must comply with GDPR and other privacy regulations. 

Our Approach to ISO 27701

At GERICO, we support businesses through every step of the process to align their management systems with ISO/IEC 27701. Our approach includes:

  • Requirements analysis for extending the existing ISMS (ISO/IEC 27001) to include ISO 27701, identifying gaps and necessary integrations;
  • Identification of processes and activities that need to be implemented, modified, or extended to ensure compliance with ISO 27701;
  • Support in the development of policies, procedures, and operational instructions required to meet ISO 27701 standards;
  • Risk identification and assessment related to personal data processing, along with guidance on appropriate mitigation measures;
  • Assistance in defining non-conformity management requirements and handling potential breaches of ISO 27701, in alignment with the ISMS;
  • Internal audit activities to verify the compliance of the extended ISMS with ISO 27701 (PIMS).

The resulting Management System will enable the client to upgrade their ISO/IEC 27001 certification to ISO/IEC 27701, reinforcing their commitment to privacy and data protection.

What We Offer

  • Adaptation and update of the Information Security Management System (ISMS) documentation, extending it to include the controls required for implementing a Privacy Information Management System (PIMS) in compliance with the ISO/IEC 27701 standard. 
  • Internal audit of the PIMS, conducted by the Gerico Security team in accordance with ISO 19011:2018 – Guidelines for Auditing Management Systems, and based on best practices for Information Security Audits as defined by ISACA (Information Systems Audit and Control Association). 
  • Assessment of the resulting Statement of Applicability (SoA) to ensure that the applied controls match those declared, while also extending the SoA to cover the controls introduced by ISO/IEC 27701. 

The project team will also support the client in preparing for the certification audit, ensuring the completeness of documentation, verifying the progress of the risk treatment plan based on the risk analysis, and addressing any findings from internal or third-party audits effectively and in a timely manner. 
