INTRODUCTION TO ISO27701- PRIVACY INFORMATION MANAGEMENT SYSTEMS | Muneeb Imran Shaikh

Muneeb Imran Shaikh, Senior Information Security Consultant (Certified Expert)
Information Security | Cyber Threat Intelligence Specialist | Governance, Risk Management Specialist

Data has become one of the most valuable assets for organizations and states, and this poses significant governance challenges for organizations. As individuals we provide our information on many fronts, whether by electronic or by conventional means. Regardless of how it is provided, our data eventually reaches digital systems, and once it is there it raises privacy, confidentiality, integrity and availability challenges.

Think of a simple Complete Blood Count (CBC) test you undertook, or a medical examination you went through, where the hospital provided the medical reports to you through its official website. In the security realm such information is considered Personal Health Information (PHI) and is among the data most sought after by attackers.


Information privacy is therefore a basic human right which entitles everyone to the protection of their privacy, dignity and freedom to make decisions without being subjected to discrimination or profiling.


To deal with such challenges, countries have established overarching data protection laws which regulate industries and businesses that collect, process or store personal data in any form. Any organization that intends to collect personal data (particularly sensitive data) from its users is required to seek the users' consent and to notify them of the purpose of the collection and where the data will be used. Ultimate responsibility for data protection lies with the organization collecting the personal information, which in the security realm is considered a "Data Collector".

The European Union (EU) has already put forward the most stringent privacy law, the "General Data Protection Regulation" (GDPR), which treats the privacy of personal data as a basic human right and prohibits the processing and storage of EU citizens' data in countries outside Europe or in countries that do not conform with the EU GDPR.

ISO recently published ISO/IEC 27701, Privacy Information Management Systems, which is an extension of ISO/IEC 27001 and ISO/IEC 27002.

ISO 27701 gives organizations a standard approach to controlling and managing personal data. The standard has its roots in, and mappings to, the ISO/IEC 29100 Privacy Framework, which is applicable to any system or service that processes Personally Identifiable Information.

In contrast to its predecessor ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 27701 provides both "requirements" and "guidance" to establish, maintain and continually improve a privacy information management system, whereas ISO/IEC 27001 provides only the requirements, with the general guidance related to ISO/IEC 27001 provided by ISO/IEC 27002.

ISO/IEC 27701 builds on a multitude of other standards and regulations which are given below.


MAIN STRUCTURE OF ISO 27701:

Clause 1: Scope
Clause 2: Normative References
Clause 3: Terms & Definitions
Clause 4: General
Clause 5: PIMS Requirements related to ISO/IEC 27001
Clause 6: PIMS Guidance related to ISO/IEC 27002
Clause 7: Guidance for PII Controllers
Clause 8: Guidance for PII Processors


EXPLANATION OF ANNEXES IN ISO 27701:

Annex A: Reference control objectives for Controllers
Annex B: Reference control objectives for Processors
Annex C: Mapping to ISO/IEC 29100
Annex D: Mapping to GDPR
Annex E: Mapping to ISO/IEC 27018 & ISO 29151
Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002


Guidance of Clause 6 (general PIMS guidance)
Clause 7 of ISO/IEC 27701: Annex A controls, applicable to PII controllers
Clause 8 of ISO/IEC 27701: Annex B controls, applicable to PII processors


MAPPING OF ISO/IEC 27701 WITH ISO/IEC 29100 Privacy Framework:

ISO/IEC 29100 is a privacy framework with 11 principles, which are given below.

1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance


ISO/IEC 27701 has separate sets of controls applicable to PII controllers and to PII processors. These controls are mapped to the privacy principles enunciated in the ISO/IEC 29100 privacy framework.

ISO/IEC 27701 Annex C (Mapping to ISO/IEC 29100):

Clause 7 of ISO/IEC 27701: Annex A controls, applicable to PII controllers
Clause 8 of ISO/IEC 27701: Annex B controls, applicable to PII processors


MAPPING OF ISO/IEC 27701 WITH GDPR:

ISO/IEC 27701 Annex D provides the mapping to the General Data Protection Regulation. Therefore, compliance with the requirements of ISO/IEC 27701 also helps in meeting the requirements of GDPR.

However, it is important to note that Annex D of ISO/IEC 27701 is informative in nature; it is left to the organization's own diligence to determine the legal obligations applicable to it and how they are to be complied with.

Adoption and implementation of ISO/IEC 27701 can help reduce privacy risk by ensuring the rights of PII principals and implementing privacy controls. This in turn protects the organization from potential data breaches that could damage enterprise reputation and cause customer dissatisfaction.

Successful establishment, maintenance and continual improvement of this management system can reap the benefits of increased competitive advantage, customer trust and confidence in how an organization conducts itself in protecting the privacy rights of its PII principals.


APPENDIX
PII - Personally Identifiable Information
PII Principals - Individuals to whom the PII relates




