ISO releases New Privacy Compliance Standard, ISO/IEC 27701:2019 – Privacy Information Management System (PIMS)

Personal data, known as personally identifiable information (PII), is information that reveals the identity of a person. An information security management system that addresses the protection of privacy as potentially affected by the processing of PII is referred to as a privacy information management system (PIMS). Because the privacy of personal information has become a global concern, lawmakers have responded by adopting and enforcing laws and regulations that govern the privacy of personal data.

On 6 August 2019, the International Standardization Organization (ISO) and the International Electrotechnical Commission (IEC) released a new privacy compliance standard, ISO/IEC 27701. ISO/IEC 27701 offers guidance on the protection of PII by specifying requirements and providing guidance for establishing, implementing, maintaining and continually improving a privacy information management system.

The standard offers guidance for PII controllers and PII processors that are accountable for the processing of personal information and for privacy management. It applies to organizations of all types and sizes, private and public, including governmental bodies and non-profit organizations, that control and/or process PII within an ISMS.

ISO 27701 acts as an extension to the information security management system standard ISO/IEC 27001 and the information security controls standard ISO/IEC 27002:2013. While ISO/IEC 27001 provides the controls for general security measures, ISO/IEC 27701 builds on that foundation by adding new requirements and controls together with implementation guidance, and by targeting the protection and privacy of personal information. ISO/IEC 27001 certification is therefore a prerequisite for ISO/IEC 27701 certification. Organizations that have already implemented ISO 27001 can integrate ISO 27701 into their security efforts by extending coverage to the privacy management of personally identifiable information.

The PIMS Standard includes mapping to:

  • ISO/IEC 29100 – Information Technology – Security Techniques – Privacy Framework
  • ISO/IEC 27018 – Information Technology – Security Techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 29151 – Information Technology – Security Techniques – Code of practice for personally identifiable information protection
  • EU GDPR – General Data Protection Regulation (data protection and privacy)

The PIMS standard is compatible with other management system standards, which allows cross-standard alignment. ISO 27701 is intended to coordinate privacy information management across different organizations and to serve as a comprehensive approach to data protection. Integrating a PIMS may help an organization demonstrate that it has made efforts to comply with other privacy standards or regulations, such as the GDPR; it does not, however, constitute proof of compliance.