ISO 27001 & 27701


Start Implementing ISO 27001 and 27701

ISO 27001:2013

The Information Security Management System

ISO 27001:2013 is about how you keep your organisation’s and customers’ data confidential, so it is relevant to every industry that handles a high volume of data. Data has been called the “Petrol of the Future”, and harvesting and analysing data is part and parcel of today’s enterprises.

With ISO 27001:2013, the standard guides you in setting up a robust Information Security Management System in your organisation to prevent data theft.

ISO 27001:2013 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organisation’s overall business risks. It specifies requirements for the implementation of security controls customised to the needs of individual organisations or parts thereof. ISO 27001:2013 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

What is ISO 27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

CERTIFICATION TO ISO/IEC 27001

Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory. Some organizations choose to implement the standard in order to benefit from the best practice it contains, while others decide they also want to get certified to reassure customers and clients that the standard’s recommendations have been followed.

CHOOSING A CERTIFICATION BODY

When choosing a certification body, you should:

  • Evaluate several certification bodies.
  • Check whether the certification body uses the relevant CASCO standard.
  • Check whether it is accredited. Accreditation provides independent confirmation of competence. Accreditation is not compulsory, and non-accreditation does not necessarily mean the certification body is not reputable. To find an accredited certification body, contact the national accreditation body in your country or visit International Accreditation Forum CertSearch.

DISPLAYING YOUR CERTIFICATE

Remember, when labelling a product or system as certified to an ISO standard:

  • Don’t say: “ISO certified” or “ISO certification”
  • DO say: “ISO 9001:2015 certified” or “ISO 9001:2015 certification” (for example).

More about ISO 27001:
https://en.wikipedia.org/wiki/ISO/IEC_27001

https://www.iso.org/isoiec-27001-information-security.html


Getting Started!

Implementing an ISO 27001-compliant ISMS (information security management system) can be a challenge. Still, nothing worth having comes easy, and ISO 27001 is worth having.

Here is a step-by-step roadmap to follow for the ISO 27001 implementation.

  1. Form your team
  2. Establish the context, scope and objectives; security baseline, etc.
  3. Establish the management framework
  4. Conduct a risk assessment
  5. Implement controls to mitigate the risks
  6. Conduct training for relevant staff
  7. Set up the required documentation:
    • The scope of the ISMS
    • Information security policy
    • Information security risk assessment process
    • Information security risk treatment process
    • The Statement of Applicability
    • Information security objectives
    • Evidence of competence
    • Documented information determined by the organization as being necessary for the effectiveness of the ISMS
    • Operational planning and control
    • Results of the information security risk assessment
    • Results of the information security risk treatment
    • Evidence of the monitoring and measurement of results
    • A documented internal audit process
    • Evidence of the audit programs and the audit results
    • Evidence of the results of management reviews
    • Evidence of the nature of the non-conformities and any subsequent actions taken
    • Evidence of the results of any corrective actions taken
  8. Monitor, measure and review
  9. Conduct an internal audit
  10. Have a certification body conduct the certification audit

Note: You can engage a consultant to walk you through the whole implementation, and then have a certification body such as TÜV SÜD (SG) perform the audit for the final certification.

ISO 27701:2019
The Privacy Information Management System

The protection of information across the organization has proven to require a multidisciplinary effort and cross-functional expertise. Over the past years, the privacy domain has become increasingly regulated. Privacy governance remains a complex endeavor in view of regulatory attention, evolving legislation globally and societal maturity.

The 2019 IAPP-EY Privacy Survey revealed that next to data breaches, legal and regulatory compliance – especially with the EU General Data Protection Regulation (GDPR) – assumes a high priority on the Board’s list of privacy concerns. In fact, over 40% of respondents name compliance with privacy laws and regulations as their highest priority. Yet at the same time, just over 40% of the participating privacy professionals indicate that they are only ‘moderately compliant’ with the GDPR. As such, the urgency for enhanced compliance mechanisms becomes apparent.

Across industries, we see that our clients desire a shift from project-based compliance to long-term sustainable privacy practices. The integration of privacy into overall organizational practices in order to streamline processes is a frequent ask, triggered by regulatory enforcement, social responsibility and customer satisfaction. As a means of achieving this ambition, guidance as derived from the sector-agnostic ISO 27701 standard is a way of structuring, monitoring and guiding information processed and stored at the organization.

What is ISO 27701

ISO/IEC 27701:2019 establishes guidelines and describes requirements for designing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as a complement to ISO/IEC 27001 and ISO/IEC 27002 for the management of privacy within organizations. The original version of this standard was ISO/IEC 27552.

The standard outlines PIMS-related requirements and provides guidance to PII (Personally Identifiable Information) controllers and PII processors who are in charge of and accountable for PII processing.

Organizations of all sizes and types can benefit from ISO 27701, including government bodies, private and public companies, and non-profit organizations that are PII controllers and/or PII processors processing PII within an ISMS.

What are the requirements for ISO 27701?

A privacy information management system is not the same as an ISMS, but they are related. The ISO 27701 approach recognizes that information security (the preservation of information’s confidentiality, integrity and availability) is a critical component of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support the addition of sector-specific requirements to the ISMS without the need for a new management system specification.

ISO 27701 specifies the additional requirements for an ISMS that address privacy and the processing of PII. These are supplemented by additional controls pertaining to data protection and privacy. As a whole, this results in what the Standard refers to as a Privacy Information Management System (PIMS).

ISO 27701 requirements, like other ISO standards, are divided into clauses. Clauses 5-8 outline the additional requirements of ISO 27001 that deserve special attention:

  • Clause 5: PIMS requirements related to ISO 27001 are outlined here
  • Clause 6: PIMS requirements related to ISO 27002 are outlined here
  • Clause 7: PIMS guidance for PII Controllers are outlined here
  • Clause 8: PIMS guidance for PII Processors are outlined here

There are also six very useful annexes:

  • Annex A: Lists all applicable controls for PII controllers
  • Annex B: Lists all applicable controls for PII processors
  • Annex C: Mapping of ISO/IEC 27701 clauses to ISO/IEC 29100
  • Annex D: Mapping of ISO/IEC 27701 clauses against the GDPR
  • Annex E: Mapping to ISO/IEC 27018 and to ISO/IEC 29151
  • Annex F: Guidance for applying ISO 27701 to ISO 27001 and ISO 27002

More about ISO 27701:
https://en.wikipedia.org/wiki/ISO/IEC_27001

https://www.iso.org/standard/71670.html

Getting Started!

Why should you be ISO 27701 compliant?

Before delving into the benefits of this standard, keep in mind that compliance with ISO 27701 requires first meeting the requirements of ISO 27001; the two standards are meant to complement one another.

Organizations that integrate ISO 27701 can provide documentary evidence that they protect and secure PII, which can be used to facilitate agreements with business partners where PII processing is critical, as well as to share information about the organization’s PII processing with other stakeholders. Additionally, this standard can help you meet other privacy frameworks. For example, the GDPR currently lacks an accredited certification method; however, recent reports indicate that ISO 27701 may change that in the near future.

Data protection is particularly valuable given the recent increase in fines and complaints regarding the privacy and security of personally identifiable information (PII). Furthermore, organizations must build trust with their authorities, partners, customers and employees. Such a standard will make a significant contribution to this trust.

How to achieve compliance?

ISO 27701 is an extension of ISO 27001. ISO 27001-compliant organizations will be able to implement the requirements and controls of ISO 27701 as an extension to their existing security and privacy practices in order to achieve complete PII privacy.

The following are the steps towards compliance:

  • Defining your role – either a PII controller, a PII processor or both
  • Implementing the privacy principles and controls that are required by the ISO/IEC 27701 standard
  • Communicating with your stakeholders and supply chain to hear feedback on your current privacy status
  • Training your employees and your entire organization to be more
  • Conducting training courses to motivate and support your employees
  • Reviewing your ISO/IEC 27701 process on a regular basis to ensure that it is still effective and that you are constantly improving it

Note: You can engage a consultant to walk you through the whole implementation, and then have a certification body such as TÜV SÜD (SG) perform the audit for the final certification.