Introduction to the Privacy Information Management System:
ISO/IEC 27701:2019 is an international standard for a Privacy Information Management System (PIMS). Published in August 2019, it functions as a privacy extension to the widely adopted ISO/IEC 27001 standard for information security. The standard provides a framework for organizations to manage and process personally identifiable information (PII) in a systematic and accountable manner.
Purpose and function
Extend information security: The standard is designed to extend an organization's existing Information Security Management System (ISMS), defined by ISO/IEC 27001, with specific requirements and controls for protecting personal data. Organizations must either already be ISO/IEC 27001 certified or implement both standards together to gain certification for ISO/IEC 27701.
Provide guidance for privacy regulations: It offers actionable guidance to help organizations demonstrate compliance with a variety of global privacy laws, such as the EU General Data Protection Regulation (GDPR). While it does not guarantee legal compliance, it provides a strong framework to assist with regulatory requirements.
Define roles for handling PII: The standard clarifies the specific requirements and responsibilities for both PII controllers (who determine the purpose for processing data) and PII processors (who process data on behalf of a controller).
Key components and requirements
ISO/IEC 27701 provides a structured, risk-based approach for managing personal data. It includes additional PIMS-specific requirements and controls that build upon the information security controls of ISO/IEC 27001 and ISO/IEC 27002. These include requirements for:
Organizational context: Understanding the organization's activities and their impact on privacy.
Leadership commitment: Involving top management in implementing and maintaining the PIMS.
Risk assessment and treatment: Identifying and addressing risks related to the processing of PII.
Operational planning: Defining specific procedures for how PII is processed.
Performance evaluation: Monitoring, measuring, and auditing the PIMS to ensure its effectiveness.
Continual improvement: Ensuring the PIMS is continuously enhanced to respond to evolving threats and regulatory landscapes.