ISO 27701 was published on August 6, 2019 as an extension of ISO 27001:2013. It is a framework for the management of privacy of personal data and includes requirements for privacy risk assessment, privacy impact assessment, data protection impact assessment and privacy by design.
It identifies PII controllers and PII processors as the two categories of organizations that process personal information, and defines a PIMS (Personal Information Management System) as a system operating within an ISMS.
For certification purposes, only ISO 27001 is the certification standard; ISO 27701 is treated as a guidance document. Hence any organization whose PIMS needs to be certified under ISO 27701 must also be compliant with ISO 27001 and is certified for "ISO 27001 with the extension of ISO 27701".
ISO 27001:2022 is itself considered a privacy-related standard: Annex A control 5.34 states "The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements". Hence ISO 27001:2022 certification already requires consideration of the applicable law and its requirements, and ISO 27701 can only be guidance. It would be more appropriate if a new version of ISO 27701:2019 were released, since the version of ISO 27001 to which it is currently mapped is ISO 27001:2013.
Before ISO 27701 was published there were already other privacy standards: ISO 29100 (2011) and ISO 27018 (2014/2019). ISO 29100 is a framework that defines basic privacy terminology, defines the roles of different organizations and contains a list of 11 privacy principles; ISO 27701 makes a normative reference to it. ISO 27018 is a PIMS framework applicable only to PII processors. ISO 27701 can now be considered the more comprehensive PIMS framework, applicable to both PII controllers and PII processors.
The additional PIMS requirements that ISO 27701 introduces as an extension of ISO 27001 are as follows:
Under Clause 5, ISO 27701 provides the PIMS-specific requirements appropriate to an organization acting either as a PII controller or as a PII processor.
Clause 6 gives the PIMS-specific guidance for an organization acting as either a PII controller or a PII processor.
Clauses 7 and 8 give additional ISO 27002 guidance for PII controllers and PII processors respectively.
In ISO 27002 terms, PIMS-specific guidance is found in clauses 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 and 18.
The additional control objective and controls introduced for a PII controller in Annex A clause 7.2 are to determine and document that processing is lawful, with a legal basis under the applicable jurisdictions and with clearly defined and legitimate purposes.
Under this control objective, guidance is provided through sub-controls for determining the legal basis, obtaining consent, conducting privacy impact assessments, securing PII, etc.
Clause A.7.3 is the next additional control objective: to ensure that PII principals are provided with appropriate information about the processing of their PII and to meet any other applicable obligations to PII principals related to that processing.
Under this objective, controls are provided for protecting the rights of PII principals, such as providing information, the right to withdraw consent, the right to erasure, etc.
Clause 7.4 addresses the objective of ensuring that processes and systems are designed such that the collection and processing of PII are limited, by default, to what is necessary for the identified purpose.
Clause 7.5 addresses PII sharing, transfer and disclosure, which includes cross-border transfer requirements.
Annex B provides similar guidelines applicable to data processors.
Thus ISO 27701 extends ISO 27001 to cover the controls identified with privacy protection under laws such as the GDPR. The annexes also provide a mapping to the different aspects of the GDPR.
Though ISO 27701 does not directly address Indian requirements in the way PDP CMS does, the privacy principles it covers are similar to those of any other data protection law, so ISO 27701 can be used along with ISO 27001 to establish an ISMS-PIMS, together with a well-constructed Statement of Applicability.