ISO27701 – The Privacy Information Management Standard

Protect your data

Data is one of your organisation’s most valuable assets.
ISO27701 helps you safeguard data effectively so you can protect your reputation whilst meeting the requirements of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA). Achieving ISO27701 will help your team understand the value of data and take personal responsibility for keeping it safe.

Benefits of ISO27701

ISO27701 will enable your organisation to:

Meet the requirements of GDPR and the UK DPA

Reassure stakeholders that their data is safe

Stand out from competitors when tendering for new business

Minimise the risks of fines, customer loss and reputational damage

How we can help you achieve ISO27701 certification

ISO27701 is a privacy extension to the increasingly popular ISO27001, the Information Security Management System (ISMS) standard. It is not possible to achieve ISO27701 certification without ISO27001, because ISO27701 adds privacy requirements to an ISMS rather than standing on its own. If you already have ISO27001, we’ll help you establish what needs to be done to meet the additional requirements of ISO27701. If you are already GDPR compliant, achieving certification may be easier than you think.

If you don’t have ISO27001, we can help you implement a step-by-step plan to achieve both certifications simultaneously.

Please note: this service, including ISO certification audits, can be delivered remotely. 


Getting started with certification

Approaching audits with confidence

How we can help you maintain ISO27701 compliance

No one likes getting to an audit and panicking about whether you’ve done enough to get through the process. We can help by conducting regular internal audits against the requirements of the standards and by helping you manage your privacy paperwork and record keeping.

If you’re confused about Controllers, Processors, DPIAs, ROPAs and International Transfers, if maintaining your privacy policies and privacy notice never quite makes it to the top of your ‘to do’ list, or if you don’t know how to explain to staff what data privacy is and why it’s important, we can manage this on your behalf.

If you subscribe to Compliance as a Service, you’ll also have access to an experienced ISO consultant who can help you resolve any unexpected queries or situations.


FAQs

ISO27701 is an extension to ISO27001, the Information Security Management System (ISMS) standard. Where ISO27001 focuses on information security, ISO27701 covers data privacy – the other side of the same coin.

ISO27701 helps organisations implement measures which drive compliance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) and other international data privacy regulations. By implementing ISO27701, you can demonstrate that you have taken appropriate steps to comply with the GDPR and the DPA.

ISO27701 will help any organisation that controls or processes personal data. If you want to reduce the risk of your valuable data getting into the wrong hands and causing embarrassment, operational disruption and reputational damage (not to mention the risk of costly fines and compensation claims), ISO27701 is a great choice.

No. If you don’t yet have ISO27001, we can help you implement both standards at the same time. If you do have ISO27001, we can help you achieve certification to ISO27701.

The short answer is no. As with ISO45001 (Occupational Health & Safety), the standard does not guarantee compliance. However, standards provide a framework and management system that support compliance.

ISO27701 will help you:

  • Comply with the GDPR and Data Protection Act
  • Reduce the risks of non-compliance, including reputational damage and fines
  • Shortcut complicated and time-consuming supplier questionnaires
  • Reassure potential clients that their data is safe in your hands

This will depend on whether we help you implement ISO27701 at the same time as ISO27001 and how much data you are processing. Our prices start at £2,500 for ISO27701.

No. ISO27701 is also known as the Privacy Information Management System, or PIMS; the terms are interchangeable. It is also sometimes referred to as the Personal Information Management System.

You will need to be externally audited on an annual basis, usually at the same time as your ISO27001 audit. Please note that some certification bodies don’t offer ISO27701 so you may need to transfer to a new organisation. If you’re confused by this, then please call and we’ll guide you through the process.

The scope of ISO27001 is expanded to include Information Security & Data Privacy. Your existing information security policy will need to be expanded to meet the privacy requirements. Additional focus is required on the roles of Controllers and Processors. There are new policies and registers, e.g. privacy policies, records of processing, etc., as well as the introduction of privacy impact assessments (DPIAs under the GDPR).

In the same way as ISO27001 focuses on incident management, ISO27701 focuses on breach management. However, because ISO27701 is an extension, aspects such as supplier review will need to be expanded to consider whether suppliers manage data in a way that reflects the requirements of the controlling organisation.

Finally, there is a requirement to be able to respond to the rights of the data subject and, given that this is an ISO standard which follows the principles of Plan-Do-Check-Act, the requirement to demonstrate continual improvement.

Having been involved in the committee review meetings of the draft standard, our MD, Helen, wanted to be one of the earliest adopters of the standard in the UK. We’re always happy to talk about our experience or you can read our case study.

ISO27701 was released in 2019. It will probably be revised in four to five years, possibly earlier if there’s a significant change in requirements, such as additional legislation in other countries or a major revision to ISO27001. We’ll automatically notify clients and newsletter subscribers of any changes so they can transition within the customary three-year window.

Similar to ISO27001 which focuses on Security by Design, ISO27701 focuses on Privacy by Design and how personal information is managed from ‘cradle to grave’, or from collection to deletion/return. In line with the other standards, and as an extension of ISO27001, it follows Annex SL and therefore will be reflected in your organisation’s objectives, your risk register, your operational processes and so on.

Additional requirements are added for suppliers, for internal audits and for management reviews. For those who are familiar with ISO27001 and the Statement of Applicability, there are additional controls for Data Controllers and Data Processors. Don’t be daunted, we can help you through the certification process.

Whether you have ISO27001, or need to implement both standards at once, we’ll put together a step-by-step plan to help you achieve compliance. Find out more about our four-step ISO certification process.

Our goal is for you to have the confidence and know-how to operate your management systems with as little help as possible. However, we recognise that in the early days you may welcome some additional support. We can help you map your data, run effective internal audits and manage your policies and procedures. You may also benefit from our Compliance as a Service, which provides telephone and email support across a range of subjects including ISO, GDPR, H&S and Cyber Essentials.

If you’re ready to improve your data security and safeguard your reputation, contact us today.

Testimonials