ISO/IEC 27701: The convergence of data privacy and InfoSec

by Shervin Nahid Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7841 468308

by Andrea Holder Senior Manager, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7454 793675

by Mark Hendry Senior Manager, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7715 487457

What is it? What does it do?

In the cyber security and data privacy world, most are familiar with International Standards Organisation (ISO) standards. However, it is important to note that whilst ISO standards are useful indicators of good business practice, they are not always mandatory. Businesses can decide whether or not to obtain a certification for any given ISO Standard.

The new ISO/IEC 27701 document has been designed as a certifiable extension to pre-existing standards (e.g. ISO/IEC 27001). It covers privacy management within an organisation, which is unsurprising given the global trend towards bolstered data protection regulation. It sets out guidance for controllers and processors to demonstrate accountability in relation to their personal data processing.

Is this a useful addition to existing ISO standards?

In line with the GDPR, ISO/IEC 27701 provides guidance for implementing, maintaining and continually improving a Privacy Information Management System (PIMS) which is capable of ensuring effective management of personal data within a business.

Is Data Protection Certification the answer?

This appears to be the first step towards a data protection certification mechanism, as provided for by Article 42 GDPR. This development has been hotly anticipated by businesses for two particular reasons: (1) Business to business (B2B) assurance; and (2) Consumer Trust.

B2B assurance
Processors may seek to use ISO certifications to demonstrate, to some extent, compliance with the obligations of Article 28 GDPR. For some processors and controllers this may be deemed enough to meet the standard of providing “all information necessary”. For others it may reduce the need for, or the extent or breadth of, data protection audits carried out on processors by, or on behalf of, controllers.

Consumer Trust
Building trust in society is of great importance, particularly for a data-driven business where transparency of processing and purpose for processing are frequently under considerable outside scrutiny. Showcasing the new standard as an add-on certification may enable businesses to demonstrate the reliability of the systems and control environment they have adopted to process and protect personal data. This may play a crucial role in protecting brand reputations and building or maintaining trust.

Conclusion

Information security and data privacy are interrelated disciplines which have commonly been structured by businesses as separate activities and functions. The new ISO standard takes steps to knit the two activities closer together, which should prompt further internal discussion and collaboration between expert teams.
