Many companies are looking for a certificate to demonstrate careful and effective data protection precautions. The EU General Data Protection Regulation also provides for data protection certification. With ISO 27701, a new standard for proving the implementation of data protection regulations was published in August 2019. This new international standard is now also certifiable.
CONTENT
Ideally, data protection management is designed with the help of an international standard, in tandem with ISO 27001.. The well-known standard ISO/IEC 27001 deals with the requirements for an information security management system (ISMS) and can also be certified for this area of application. The new ISO/IEC 27701 standard for data protection management builds on ISO 27001 and adds data protection criteria to it. This extension integrates the requirements for a data protection information management system (DSMS or Privacy Information Management System, PIMS) into an ISMS.
The full title of the international data protection standard is:
ISO/IEC 27701:2019 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines.
The standard is available from the ISO website.
Like ISO 27001, ISO 27701 also takes into account the management system approach and refers to the basic structure of modern management system standards, the High Level Structure (HLS).
Stephan Rehfeld, data protection expert and auditor at DQS
The new international standard is part of ISO 29100, which contains all data protection principles. It was initially to be titled ISO 27552, but was then renamed ISO 27701. The background to this is the decision by the International Organization for Standardization (ISO) to have all major certifiable standards end in 01.
Instead of "information security," the new data protection standard talks about "information security and data protection." Moreover, there are additions to the content. For example, when considering the context of the organization, the inclusion of relevant data protection laws and judicial decisions is required. Likewise, criteria for the processing of personal data must be taken into account in the risk assessment - with the protection of affected persons and a possible impact assessment always in mind.
In addition, ISO 27701 includes supplements to ISO 27002, the guidance for implementing the measures from Annex A of ISO 27001.
The ISO standard also provides the following guidance on data protection management:
Data protection in the context of information security - an exciting topic? More expert knowledge on the ISO 27701 standard in our free White Paper.
The annex of ISO 27701 contains a detailed allocation table of measures to the requirements of the GDPR. Here it becomes clear what influence the EU General Data Protection Regulation has on this international standard for data protection.
Information security management systems (ISMS) and privacy information management systems (PIMS) are closely intertwined.
Privacy and data security are about personal data. The ISO 27000 series of standards is primarily about protecting information, with personal data being a subset. So the perspective determines if something is a data breach or an information security incident, or even both?
Stephan Rehfeld, data protection expert and auditor at DQS
Where the term "information security" is used in ISO 27001 or ISO 27002, it is called "information security and data protection" in ISO 27701. This addition makes data protection a part of the information security management system.
However, there are also deviations where a PIMS functions differently than an ISMS. One example: the different understanding of the context of the organization. In ISO 27701, in Clause 4.1, there is an additional requirement to ISO 27001 that "the organization should define its role as a responsible party or joint controller for shared responsibilities and/or as a contract processor."
This requirement is not present in the Information Security Management System because the ISMS does not recognize the distinction between "Controller" and "Processor." Consequently, ISO 27701 contains two additional annexes with data protection-specific measures for "controllers" and "processors".
ISO 29100 defines the data protection principles that the company's own management system should fulfill. Article 5 of the General Data Protection Regulation (GDPR) shows which data protection objectives are to be achieved with the operational articles of the GDPR. The principles and objectives are largely congruent. This is because the OECD defined data protection objectives in 1980. These served as the basis for both ISO 29100 and the GDPR.
In the Information Security Management System (ISMS), the information security objectives confidentiality, integrity, availability are found. This is also found in Article 5 and Article 32 DS-GVO respectively. A major difference, however, is the definition of "interested parties" in the ISMS. This includes, for example, the company's own employees, customers, suppliers, investors or authorities. In data protection, on the other hand, the interested party is only the data subject.
Thus, data protection risk management also differs from information security risk management. As a result, the ISMS cannot be used one-to-one as a PIMS with its data protection-specific processes. Nevertheless, there are opportunities for integration so that, for example, joint internal audits can take place.
In terms of certification, the new ISO 27701 standard will complement ISO 27001 in the future - and it will be the first standard to confirm data protection by certificate. To this end, DQS is currently in the accreditation process with the German Accreditation Body (DAkkS) and expects to receive approval soon. Since ISO 27701 is designed as an extension of ISO 27001, the data protection management system according to ISO 27701 cannot be certified without an information security management system according to ISO 27001.
Anyone who has developed and implemented a systematic data protection management system (PIMS) in accordance with ISO 27701 - in other words, anyone who systematically protects and manages their personal data - will find it easy to ensure and demonstrate compliance with legal requirements. Companies can use the new standard to establish largely data protection-compliant information security and corresponding data protection.
When implementing the new ISO standard, companies cannot avoid defining clear responsibilities in the area of data protection. This advantage should not be underestimated. In most companies without a systematic data protection management system, responsibilities are too often formulated in a soft way out of misunderstood politeness ("Could you take this over in the future?"). Or responsibilities are shared, according to the motto "We'll do it together!" Both inevitably lead to no one taking responsibility in the end. With a well-structured data protection management system, there are clear guidelines, and that is priceless.
Stephan Rehfeld, data protection expert and auditor at DQS
The new ISO standard is by no means based solely on the principles of the General Data Protection Regulation, but is also intended to support companies in complying with global data protection standards. The goal is to establish, implement, maintain and continuously improve a PIMS.
There is another plus point in favor of integrating ISO 27701 with ISO 27001. With the introduction of ISO 27701, companies are virtually "forced" to take a risk-oriented approach to the protection of personal data. This includes, for example, fully defining and assessing risks and estimating the probability with which they will occur.
This risk assessment then forms the starting point for reducing the concrete potential for damage to an acceptable level. Incidentally, we also find this wonderfully pragmatic approach in a similar form with the GDPR, so that the circle is also closed in terms of practical relevance.
If you want to navigate safely through the shoals of national and international data protection regulations, you cannot avoid approaching the topic in a structured and systematic way. In this context, ISO 27701 offers high added value.
Data protection and data security can thus also be mastered by medium-sized companies and provides an excellent blueprint for compliance-compliant data protection. This includes a comprehensive collection of best practices that companies can use to confidently document that they are exercising due diligence when handling critical data.
What are the requirements for ISO 27701 certification and what are the costs? Find out. Free of charge and without obligation.
In the interplay of dynamics and stability, certified management systems are becoming more and more important - a development that DQS feels in a positive way. This is because successful companies and organizations use the findings from our audits to continuously improve their results. They also use our globally recognized certificates as objective proof of their quality capability. This creates trust - both internally and externally to your company.
Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions about the text content or our services to our author, please contact us.
Product manager and expert for information security and software development. Holger Schmeken also contributes his expertise as an auditor for ISO 27001 with KRITIS audit procedure competence and Chief Information Security Officer of DQS BIT GmbH.
