ISO/IEC 27701

We help you implement and maintain an Privacy Information Management System (PIMS) in accordance with the requirements of the ISO standard.

What is ISO 27701?

ISO 27701 is a privacy management standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the context of an organization’s overall business risks.

It is based on the international standard for information security management, ISO 27001, and provides specific guidelines for managing privacy risks and protecting personal data.

The standard sets out requirements for the protection of personal data, including accountability, transparency, consent, individual rights, and privacy by design. It also requires organizations to establish policies and procedures for the handling of personal data and to conduct regular assessments and audits of their privacy management practices.

Your roadmap to comply with ISO/IEC 27701

Establish the scope

Determine the scope of your Privacy Information Management System (PIMS) and identify the personal data that you collect, use, store, and process.

Conduct a privacy risk assessment

Identify and assess the privacy risks associated with the personal data you collect and process. Determine the likelihood and impact of these risks and prioritize them based on their significance.

Develop and implement policies and procedures

Develop and implement policies and procedures to manage the privacy risks identified in the risk assessment. These policies should cover data minimization, consent, individual rights, privacy by design, and other key privacy principles.

Monitor and measure performance

Establish performance metrics and monitoring procedures to track the effectiveness of your PIMS. Regularly review and assess the performance of your PIMS against these metrics.

Conduct internal audits

Conduct internal audits of your PIMS to ensure that it is operating effectively and in compliance with ISO 27701 requirements.

Continuously improve

Continuously improve your PIMS by identifying opportunities for improvement and implementing corrective and preventive actions to address any issues identified.

Here is how we help organisations with their PIMS

Compliance

ISO 27701 Scoping Workshop

Establishing the scope of your PIMS for ISO 27701 is essential to ensure that you have a clear understanding of the personal data you collect and process, as well as the boundaries and jurisdictions within which your PIMS operates.

This will enable you to develop policies and procedures that effectively manage the privacy risks associated with your personal data processing activities.

To establish the scope of a Privacy Information Management System (PIMS) for ISO 27701, you should take the following steps:

  1. Identify the personal data you collect, use, store, and process: Determine what types of personal data your organization collects, uses, stores, and processes. This includes data about employees, customers, partners, and any other stakeholders who interact with your organization.

  2. Determine the boundaries of your PIMS: Define the boundaries of your PIMS by identifying the physical, technical, and organizational boundaries of the systems, processes, and people that manage the personal data you collect and process.

  3. Determine the locations and jurisdictions: Identify the locations and jurisdictions where you collect and process personal data. This includes any locations where you store or transmit personal data, as well as the jurisdictions where your stakeholders are located.

  4. Consider third-party relationships: Consider any third-party relationships that involve the processing of personal data on your behalf, such as vendors, contractors, or service providers. Determine if these relationships are within the scope of your PIMS.

  5. Consider the size and complexity of your organization: Consider the size and complexity of your organization and the resources you have available to implement and maintain a PIMS. Determine if you need to limit the scope of your PIMS to specific business units, functions, or processes.

man wearing gray polo shirt beside another guy in white shirt next to a dry-erase board

Compliance

Privacy risk assessments

The objective of a privacy risk assessments is to identify the potential privacy risks associated with your personal data processing activities, evaluate the likelihood and impact of those risks, and prioritise them for treatment.

This will enable you to develop effective policies and procedures for managing privacy risks and protecting personal data in compliance with ISO 27701.

To conduct a privacy risk assessment for ISO 27701, you should take the following steps:

  1. Identify personal data and processing activities: Identify the personal data that your organization processes and the processing activities that are involved. This includes data collection, storage, use, and transmission.

  2. Identify privacy risks: Identify the potential privacy risks associated with the processing activities you have identified. These risks can arise from a variety of sources, such as unauthorized access or disclosure, lack of transparency, or inappropriate use or retention of personal data.

  3. Evaluate likelihood and impact: Evaluate the likelihood and potential impact of each identified privacy risk. The likelihood of a risk occurring should be assessed based on the likelihood of a threat exploiting a vulnerability. The impact of a risk should be evaluated in terms of the potential harm to individuals, the organization, or other stakeholders.

  4. Prioritize risks: Prioritize the identified risks based on their likelihood and impact. Focus on the risks that are most significant and require the most attention.

  5. Identify existing controls: Identify the existing controls that are in place to mitigate the identified risks. These controls can include policies, procedures, technologies, or other measures.

  6. Evaluate the effectiveness of controls: Evaluate the effectiveness of the existing controls in mitigating the identified risks. Determine if the controls are sufficient or if additional controls are needed.

  7. Develop a risk treatment plan: Develop a risk treatment plan to address the identified risks. This plan should include specific actions to be taken to mitigate or eliminate the risks, as well as timelines, responsibilities, and resources required.

person using MacBook Pro

Compliance

Policies and procedures

Your consultant can provide valuable expertise, guidance, and support throughout the policy and procedure development process, helping you to develop effective policies and procedures that comply with ISO 27701 requirements and protect personal data in a way that is appropriate for your organization.

A consultant can help you develop policies and procedures for ISO 27701 in the following ways:

  1. Expertise: A consultant can provide expertise and guidance on the development of policies and procedures for ISO 27701. They can provide insights into best practices and industry standards, and help you tailor your policies and procedures to your specific business needs.

  2. Gap analysis: A consultant can conduct a gap analysis to identify areas where your organization may be falling short of ISO 27701 requirements. This can help you prioritize policy and procedure development efforts.

  3. Template development: A consultant can provide templates and examples for policies and procedures that are specific to ISO 27701. This can save time and resources in the policy and procedure development process.

  4. Customization: A consultant can help you customize policies and procedures to your organization’s specific needs, taking into account factors such as size, complexity, and industry.

  5. Implementation support: A consultant can provide support during the implementation phase, helping you to effectively communicate and train employees on the policies and procedures, and ensuring that they are fully integrated into your operations.

  6. Audit support: A consultant can provide support during the audit process, helping you prepare for and respond to audits and providing guidance on how to address any issues that may arise.

Virtual CISO, help other IT, PCI

Compliance

Monitoring and reviewing the PIMS

Your consultant can provide valuable support in monitoring and reviewing your PIMS for ISO 27701, ensuring that it remains effective and compliant with regulatory requirements.

They can also help you identify opportunities for improvement and provide ongoing guidance and support to help you maintain an effective PIMS over time.

A consultant can help you monitor and review a Privacy Information Management System (PIMS) for ISO 27701 in the following ways:

  1. Develop monitoring and review processes: A consultant can help you develop processes for monitoring and reviewing your PIMS to ensure that it remains effective and up-to-date. This includes identifying key performance indicators (KPIs) and metrics to measure the effectiveness of your PIMS.

  2. Conduct regular assessments: A consultant can conduct regular assessments of your PIMS to identify any gaps or weaknesses, and provide recommendations for improvement.

  3. Provide ongoing support: A consultant can provide ongoing support and guidance on the management of your PIMS, including answering questions, providing advice on best practices, and helping you navigate any challenges or issues that arise.

  4. Conduct internal audits: A consultant can conduct internal audits of your PIMS to ensure that it remains compliant with ISO 27701 requirements and identify areas for improvement.

  5. Provide training and awareness: A consultant can provide training and awareness programs to help your employees understand the importance of privacy management and their role in maintaining an effective PIMS.

  6. Support external audits: A consultant can provide support during external audits, including reviewing audit findings, providing guidance on how to address any issues, and helping you develop corrective action plans.

Virtual CISO, help other IT, PCI

Compliance

Internal audits support

Your consultant can provide valuable support in performing internal audits for ISO 27701, helping you to evaluate compliance, identify areas for improvement, and maintain an effective PIMS over time.

A consultant can help you perform internal audits for ISO 27701 in the following ways:

  1. Develop an audit plan: A consultant can help you develop an audit plan that outlines the scope, objectives, and methodology of the audit. The plan will also identify the resources required, the timeline for the audit, and the roles and responsibilities of the audit team.

  2. Conduct the audit: A consultant can help you conduct the audit by reviewing documentation, interviewing employees, and assessing the effectiveness of your PIMS. They can also identify areas for improvement and make recommendations for remediation.

  3. Evaluate compliance: A consultant can help you evaluate compliance with ISO 27701 requirements by comparing your PIMS to the standard’s requirements and identifying any gaps or areas where your PIMS may not be compliant.

  4. Provide audit reports: A consultant can provide audit reports that document the findings of the audit, including any non-conformities, opportunities for improvement, and recommendations for remediation.

  5. Support remediation efforts: A consultant can provide support during the remediation phase, helping you to address any non-conformities or areas for improvement identified during the audit. They can also provide guidance on how to implement best practices and improve your PIMS.

  6. Provide ongoing support: A consultant can provide ongoing support to help you maintain an effective PIMS over time. This can include providing training and awareness programs, conducting regular assessments, and providing guidance on best practices.

Your advisor is ready to help now.

Your details