Protect your data
Data is one of your organisation’s most valuable assets.
ISO27701 helps you safeguard data effectively so you can protect your reputation whilst meeting the requirements of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA). Achieving ISO27701 will help your team understand the value of data and take personal responsibility for keeping it safe.
Benefits of ISO27701
Meet the requirements of GDPR and the UK DPA
Reassure stakeholders that their data is safe
Stand out from competitors when tendering for new business
Minimise the risks of fines, customer loss and reputational damage
How we can help you achieve ISO27701 certification
ISO27701 is a privacy extension to the increasingly popular ISO27001, the standard for an Information Security Management System (ISMS). You cannot be certified to ISO27701 without ISO27001. If you already hold ISO27001, we’ll help you establish what needs to be done to meet the additional requirements of ISO27701. If you are already GDPR compliant, achieving certification may be easier than you think.
If you don’t have ISO27001, we can help you implement a step-by-step plan to achieve both certifications simultaneously.
Please note: this service, including ISO certification audits, can be delivered remotely.
Getting started with certification
Approaching audits with confidence
How we can help you maintain ISO27701 compliance
No one likes arriving at an audit and panicking about whether they’ve done enough to get through the process. We can help by conducting regular internal audits against the requirements of the standards, and by helping you manage your privacy paperwork and record keeping.
If you’re confused about Controllers, Processors, DPIAs (Data Protection Impact Assessments), ROPAs (Records of Processing Activities) and International Transfers, if maintaining your privacy policies and privacy notice never quite makes it to the top of your ‘to do’ list, or if you don’t know how to explain to staff what data privacy is and why it matters, we can manage this on your behalf.
If you subscribe to Compliance as a Service, you’ll also have access to an experienced ISO consultant who can help you resolve any unexpected queries or situations.
FAQs
ISO27701 is an extension to ISO27001, the standard for an Information Security Management System (ISMS). Where ISO27001 focuses on information security, ISO27701 covers data privacy – the other side of the same coin.
ISO27701 helps organisations implement measures which drive compliance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) and other international data privacy regulations. By implementing ISO27701, you can demonstrate that you have taken appropriate steps to comply with this legislation.
ISO27701 will help any organisation that controls or processes personal data. If you want to reduce the risk of your valuable data getting into the wrong hands and causing embarrassment, operational disruption and reputational damage (not to mention the risk of costly fines and compensation claims), ISO27701 is a great choice.
No. If you don’t yet have ISO27001, we can help you implement both standards at the same time. If you do have ISO27001, we can help you achieve certification to ISO27701.
The short answer is no. As with ISO45001 (Occupational Health & Safety), certification to the standard does not guarantee legal compliance. However, standards provide a framework and management system that support compliance.
ISO27701 will help you:
- Comply with the GDPR and Data Protection Act
- Reduce the risks of non-compliance, including reputational damage and fines
- Shortcut complicated and time-consuming supplier questionnaires
- Reassure potential clients that their data is safe in your hands
This will depend on whether we help you implement ISO27701 at the same time as ISO27001 and how much data you are processing. Our prices start at £2,500 for ISO27701.
No. ISO27701 is also known as the Privacy Information Management System, or PIMS; the terms are interchangeable. It is also sometimes referred to as the Personal Information Management System.
You will need to be externally audited on an annual basis, usually at the same time as your ISO27001 audit. Please note that some certification bodies don’t offer ISO27701 so you may need to transfer to a new organisation. If you’re confused by this, then please call and we’ll guide you through the process.
The scope of your ISO27001 ISMS is expanded to cover both information security and data privacy. Your existing information security policy will need to be extended to meet privacy requirements. Additional focus is required on the roles of Controllers and Processors. There are new policies and registers, e.g. privacy policies and records of processing, as well as the introduction of privacy impact assessments.
Just as ISO27001 focuses on incident management, ISO27701 focuses on breach management. Because ISO27701 is an extension, aspects such as supplier review will also need to be expanded to consider whether suppliers handle personal data in a way that meets the requirements of the controlling organisation.
Finally, there is a requirement to be able to respond to data subject rights requests and, since this is an ISO standard following the principles of Plan-Do-Check-Act, a requirement to demonstrate continual improvement.
Having been involved in the committee review meetings of the draft standard, our MD, Helen, wanted to be one of the earliest adopters of the standard in the UK. We’re always happy to talk about our experience or you can read our case study.
ISO27701 was released in 2019. It will probably be revised in four to five years, possibly earlier if there’s a significant change in requirements, such as additional legislation in other countries or a major revision to ISO27001. We’ll automatically notify clients and newsletter subscribers of any changes so they can transition within the customary three-year window.
Similar to ISO27001 which focuses on Security by Design, ISO27701 focuses on Privacy by Design and how personal information is managed from ‘cradle to grave’, or from collection to deletion/return. In line with the other standards, and as an extension of ISO27001, it follows Annex SL and therefore will be reflected in your organisation’s objectives, your risk register, your operational processes and so on.
Additional requirements are added for suppliers, for internal audits and for management reviews. For those who are familiar with ISO27001 and the Statement of Applicability, there are additional controls for Data Controllers and Data Processors. Don’t be daunted, we can help you through the certification process.
Whether you have ISO27001, or need to implement both standards at once, we’ll put together a step-by-step plan to help you achieve compliance. Find out more about our four-step ISO certification process.
Our goal is for you to have the confidence and knowhow to operate your management systems with as little help as possible. However, we recognise that in the early days you may welcome some additional support. We can help you map your data, run effective internal audits and manage your policies and procedures. You may also benefit from our Compliance as a Service which provides telephone and email support across a range of subjects including ISO, GDPR, H&S and Cyber Essentials.
If you’re ready to improve your data security and safeguard your reputation, contact us today.
Testimonials
Anonymous
Friendly and informative.
- SIS Systems (UK) Ltd
- Adam Middleton
- Managing Director
We do recommend Risk Evolves. Not only do they offer great service and value for money, they have also imparted valuable knowledge, understanding and belief across the organisation. The net result is more business.
Anonymous
Customer feedback gained as part of our ISO9001 certification has led to the development of popular new services including GDPR Critical Friend.
Anonymous
Cyber security is scary! Helen gave me the confidence to know we could… minimise these types of risks. She has given me peace of mind.
Anonymous
We are in a safer place now than we were 12 months ago. Starting with two factor authentication. The culture of the organisation is in a better place and we were in a better place for lockdown too.
Anonymous
GDPR compliance will increase our value to clients.
Anonymous
Helen represents the small business community effectively and with vigour as the Cyber Crime Ambassador for FSB Coventry and Warwickshire, working alongside local and national government to ensure small businesses have a voice.
- Jay's Logistics (South West) Ltd
Anonymous
Our ISO9001 certification has enabled us to deliver logistics services to Hinkley Point and to its suppliers as well as operating at a more efficient and safe level. The power station isn’t due for completion until 2025 so this contract has provided stability at a time of great for the logistics industry.
Anonymous
Very quietly thrilled to bits to get our accreditation under the new standard without any issues. Helps the business with proposals to blue chip clients.
- Transcription City
- Sam Wood
- Director
It was more work than I’d expected. I soon realised I needed help to fully understand the requirements and embed the standards so they would work for my business. I approached British Assessment Bureau for help. They recommended Risk Evolves. Twelve weeks later, we passed our remote audit and achieved certification.
Anonymous
The internal audit and IASME application has been a positive experience for The Changing Education Group… made possible by the high quality support and guidance offered by the Risk Evolves team.
Anonymous
Our clients appreciate that we practise what we preach and can share real-life experience of running an ISO certified business. We’re certified to ISO9001 and were the first UK client of NQA to certify to both ISO27001 and ISO27701.
Anonymous
ISO9001 was an achievement, an even bigger deal was to raise the health and safety culture of the organisation.
- Transcription City
- Sam Wood
- Director
It made a massive difference to have ISO explained in layman’s terms. It’s very easy to ask questions and you aren’t left understanding less! You just call or email and it’s in a way that’s simple to understand.