Non-governmental security standards such as those published by the International Organization for Standardization (ISO) generally seek alignment with major regulations so that certified organizations can adapt to new and more rigorous legal requirements without rebuilding their programs. Accordingly, ISO 27701 extends the established ISO information security certifications to address evolving privacy laws in jurisdictions like the EU.
In this article, the first of three parts, we look at ISO 27701, how it extends the requirements and controls of ISO 27001, and how certified organizations will need to adjust their Information Security Management Systems.
Privacy Information Management and Regulatory Compliance
Consumer protections and cybersecurity are evolving to meet new challenges and expectations in a data-driven world. A checklist of basic technical controls is no longer enough to claim that user data is protected. In modern security programs, organizations and consumers expect privacy, risk management, and transparency to be treated as first-class concerns.
This evolution is evident in new regulations emerging in more tech-advanced locales. Two of the most notable include:
- General Data Protection Regulation (GDPR): This privacy and security regulation applies to organizations that process the personal data of individuals in the EU, regardless of where the organization is based. Those individuals (data subjects) can expect that companies meet stringent requirements for obtaining consent, processing Personally Identifiable Information (PII), and responding to requests to access, correct, or erase that data.
- California Consumer Privacy Act (CCPA): Modeled in part on GDPR, CCPA imposes stricter requirements around privacy, consent, and consumer rights than other U.S. regulations. While these requirements go well beyond what most other U.S. jurisdictions demand, they do not go as far as GDPR.
The most significant components of these regulations focus on the rights of the individuals the data describes, and on the obligations businesses and other organizations have to inform them and honor their requests. As a result, implementing them requires privacy and confidentiality controls that are at least as robust as the underlying technical security controls.
What Is a Privacy Information Management System (PIMS)?
Organizations will find it worthwhile to prepare for these more rigorous regulations. Many of them already comply with existing standards, which is an opportunity to reuse compliance work across different standards and regulations.
Organizations that adhere to the core information security requirements of ISO 27001 (and the supporting control guidance of ISO 27002) may find that, whatever controls they have implemented, their program does not map cleanly to privacy-focused regulations like those listed above. While thorough on security, ISO 27001 and ISO 27002 do not address privacy or obligations to the individuals whose data is processed.
ISO 27701 fills this gap. Specifically, it defines requirements and guidance for organizations of any size to augment their existing Information Security Management System (ISMS, as described in ISO 27001) with a Privacy Information Management System (PIMS).
What is a PIMS? Simply put, it is the collection of technologies, processes, policies, and people, operating as one coordinated system, that ensures PII remains private, protected, and controlled. A PIMS also defines how the organization meets its obligations to the individuals whose PII it holds (ISO 27701 calls them PII principals), namely requirements for accessing, correcting, reporting on, or deleting their PII.
ISO 27701 and PIMS-Related Guidance for ISO 27001
ISO 27701 specifies refinements and extensions to the requirements of ISO 27001:2013 and the control guidance of ISO 27002:2013. These refinements are extensive and touch most of the clauses and control categories in those documents.
They fall into two general categories:
- General Refinements: ISO 27701 Section 5.1 states that any requirement in ISO 27001 that mentions "information security" must be read as extending to the protection of privacy as potentially affected by the processing of PII.
- Specific Refinements: Additional, clause-specific requirements are added where the general refinement alone is not sufficient.
Businesses must understand the context in which they are accountable for the privacy and security of PII, including the jurisdictional requirements that define their obligations to consumers and other parties (these refinements extend ISO 27001 Section 4):
- Understanding Context and Stakeholder Interests: Organizations must determine whether they act as a PII controller, a PII processor, or both. A controller determines the purposes and means of processing PII, while a processor processes PII on behalf of a controller. Each role carries its own distinct requirements, and an organization may hold different roles for different processing activities.
- Contextual Factors: To determine its context accurately, an organization must consider all relevant factors, including applicable privacy legislation and regulations, court and regulatory decisions, internal governance and business policies, administrative decisions, and contractual requirements.
- Determining Scope of the PIMS: The scope of the PIMS must include the processing of PII, so when defining the boundaries of the ISMS the organization must bring every system, process, and party that handles PII into scope.
Leadership requirements largely line up with ISO 27001 Section 5, subject to the general refinement described above. They include:
- Enactment of policies and procedures
- Designation of roles, responsibilities, and authorities
- Defining role duties and accountability
Planning under ISO 27701 follows ISO 27001 Section 6 with some specific refinements:
- Information Security Risk Assessment: The risk assessment process must identify risks to the confidentiality, integrity, and availability of PII within the scope of the PIMS, and must additionally identify privacy risks to PII principals arising from the processing of that PII.
- Information Security Risk Treatment: Organizations must follow the risk treatment requirements defined in ISO 27001 (including selecting controls and mitigation and recovery measures) for every control in the PIMS. The Statement of Applicability must list the necessary controls, including the PII controller controls (ISO 27701 Annex A) and PII processor controls (ISO 27701 Annex B) that apply to the organization's role, with a justification for each inclusion, whether each control is currently implemented, and a justification for any exclusion.
Support requirements align with ISO 27001 Section 7, with the general refinement applied. They include:
- Ensuring adequate resources, competence, and awareness regarding the operation of the PIMS and the privacy risks it addresses
- Enabling proper communication among all stakeholders in, or using, the PIMS
- Maintaining the documented information needed to operate the PIMS
Performance evaluation requirements align with ISO 27001 Section 9, including:
- Monitoring, measuring, and analyzing the performance of PIMS components against predefined metrics
- Conducting regular internal audits
- Holding regular management reviews of the PIMS
Improvement likewise follows the ISO 27001 requirements (Section 10) with the general refinement applied, specifically:
- Taking corrective action on PIMS nonconformities
- Implementing mechanisms for continual improvement
Stay Ahead of Evolving ISO Requirements with Lazarus Alliance
ISO 27701 is intended to help organizations that already operate an ISMS adjust and refine it for the demands of regulations like GDPR and CCPA. While some of the refinements are straightforward, it is important to understand how, taken together, they shape a PIMS that is distinct from the underlying ISMS.
Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.