Where the term "information security" is used in ISO 27001 or ISO 27002, it is called "information security and data protection" in ISO 27701. This addition makes data protection a part of the information security management system.
However, there are also deviations where a PIMS functions differently from an ISMS. One example is the different understanding of the context of the organization. In Clause 4.1, ISO 27701 adds a requirement beyond ISO 27001: "the organization should define its role as a responsible party or joint controller for shared responsibilities and/or as a contract processor."
This requirement is not present in the Information Security Management System because the ISMS does not make the distinction between "controller" and "processor." Consequently, ISO 27701 contains two additional annexes with data protection-specific measures, one for controllers and one for processors.
Data protection objectives and information security objectives: Similarities and differences
ISO 29100 defines the data protection principles that the company's own management system should fulfill. Article 5 of the General Data Protection Regulation (GDPR) shows which data protection objectives are to be achieved with the operational articles of the GDPR. The principles and objectives are largely congruent. This is because the OECD defined data protection objectives in 1980. These served as the basis for both ISO 29100 and the GDPR.
In the Information Security Management System (ISMS), the information security objectives of confidentiality, integrity and availability are found. These also appear in Article 5 and Article 32 GDPR respectively. A major difference, however, is the definition of "interested parties" in the ISMS. These include, for example, the company's own employees, customers, suppliers, investors or authorities. In data protection, on the other hand, the only interested party is the data subject.
Thus, data protection risk management also differs from information security risk management. As a result, the ISMS cannot be used one-to-one as a PIMS with its data protection-specific processes. Nevertheless, there are opportunities for integration so that, for example, joint internal audits can take place.