Relatively little has been written about the International Organization for Standardization’s global privacy standard, ISO/IEC 27701, released this past August (2019). I thought it worth exploring what it is, why it matters and how it works. Here goes.
What It Is
ISO/IEC 27701 is a standard designed to guide organizations in establishing, implementing, maintaining and continually improving a privacy information management system.
More technically, it is a privacy information management extension to two existing security standards, ISO/IEC 27001 and ISO/IEC 27002. One of the two, ISO/IEC 27001, has already been widely adopted by the business community. Certification to ISO/IEC 27001 is often required of government contractors, an expectation that has helped drive more than 60,000 organizations to become 27001-certified to date. The architects of this new global privacy standard undoubtedly chose this structure intentionally, to align privacy controls with security practices that are already widely adopted. The pairing should also encourage collaboration between organizations’ privacy and security teams.
So, what does 27701 include? Following the necessary introductions of scope, definitions and the like, the standard is broken down into four parts: requirements keyed to ISO/IEC 27001, guidance paired with ISO/IEC 27002, additional guidance for controllers and additional guidance for processors.
Privacy Requirements Related to ISO/IEC 27001 (Section 5)
The first set of requirements extends ISO/IEC 27001, the information security management system standard. They cover context of the organization, leadership, planning, support, operation, performance evaluation and improvement. In each case, the stated expectation is that wherever ISO/IEC 27001 uses the term “information security,” it should be read as “information security and privacy.” In two of these areas, context of the organization and planning, privacy-specific requirements that go beyond this general interpretation are spelled out in greater detail: legal and contractual requirements; the needs, roles and responsibilities of interested parties; and privacy risk assessment and mitigation. Overall, this is the process management piece of the standard.
Privacy Guidance Related to ISO/IEC 27002 (Section 6)
This section presents privacy-specific guidance on implementing the controls of ISO/IEC 27002. The guidance addresses policies, organizational structures, HR-specific needs, asset management, access control, cryptography, communications, development, supplier relationships, incident management, compliance and more. The one control area with no privacy-specific guidance is business continuity, since those needs are relatively consistent across security and privacy. This section is more technical than the preceding one because ISO/IEC 27002 focuses on controls and techniques rather than management.
Additional Privacy Guidance for Controllers and Processors (Sections 7 and 8)
These sections will be most familiar to privacy professionals, as opposed to their security colleagues. They present additional guidance on implementing ISO/IEC 27002 that is specific to an organization’s role as a PII controller (Section 7) or PII processor (Section 8). Both were informed by the EU General Data Protection Regulation and other data protection laws from around the world, and the standard includes an annex mapping its controls to GDPR articles. They cover issues such as consent, data accuracy, collection limitation, data minimization, automated decision making, disclosures to third parties, privacy impact assessments, records of processing and handling of individual requests. Both sections will apply to an organization that acts as a processor in some instances and as a controller in others.
Why It Matters
This new standard matters for at least two reasons. First, with the profusion of data protection laws globally, privacy professionals need a common rubric to guide their privacy programs. ISO/IEC 27701 may offer such a map. Second, privacy professionals today recognize that privacy is now a team sport that requires collaboration across an organization. ISO/IEC 27701 could provide the game plan.
Given the constantly growing number of data protection laws, it is increasingly difficult to track requirements across jurisdictions and develop a privacy program based on those laws alone. Privacy laws around the world often include divergent or even conflicting requirements. Mapping those requirements to a single standard or framework and building a privacy program based on common principles with localized differences where needed can sometimes help. Microsoft, for instance, is working to map eight different laws from around the world to ISO/IEC 27701 and is talking with EU authorities about using the standard as a basis for a future GDPR-certification. Other companies base their programs on internal mappings or are looking to other frameworks, such as the developing NIST Privacy Framework to serve this growing need. So, ISO/IEC 27701 is not the only solution, but it is certainly a useful option.
Focusing solely on the legal requirements is also ineffective. Providing strong privacy in practice means building privacy into the design of products and services. It requires collaboration between legal, technical, business, design and security teams and a common language to engage. This is the idea behind privacy by design and is part of what ISO/IEC 27701 aims to provide. By pairing privacy requirements with both security management and security techniques, ISO/IEC 27701 should help privacy professionals across an organization implement privacy by design from both a process management and a technical needs perspective.
How to Do It
The how is where it gets complicated. So far, no certification body has been accredited specifically for ISO/IEC 27701. This is normal for a new standard: the formal accreditation requirements for 27701 certification bodies are still being developed. In the meantime, accredited ISO/IEC 27001 certification bodies have begun certifying organizations to the new privacy standard by assessing their privacy programs against ISO/IEC 27701 audit criteria. This begins with an organization’s certification to ISO/IEC 27001 (ISO/IEC 27002 is a code of practice and is not itself certifiable), with 27701 serving as an extension to the 27001 certification scope. Once certification bodies are formally accredited for 27701 specifically, some adjustments to existing certifications may be needed. Recertification is required every three years, with annual surveillance audits in between.

To help organizations understand the skill set necessary to implement a global privacy standard, the IAPP’s Westin Research Center also mapped ISO/IEC 27701 to the bodies of knowledge for the Certified Information Privacy Professional/Europe and Certified Information Privacy Manager credentials. You can learn more about this work and ISO/IEC 27701 in general during the privacy engineering and standards pre-conference workshop hosted by IAPP at RSAC 2020 USA in February.