ISO 27701 Certification Overview
About ISO 27701
ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. An international management system standard, it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
ISO/IEC 27701 is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations. It provides guidance for organizations who are responsible for PII processing within an information security management system (ISMS), specifically PII controllers (including those who are joint PII controllers) and PII processors.
ISO/IEC 27001 is an internationally recognized management system for managing information security governance risk. The standard provides a best-practice framework, ongoing governance, and good management of the system.
The benefits of ISO 27701 certification can be summarized as follows:
- Independent verification that your organization’s ISMS conforms to the requirements of the internationally recognized and accepted ISO 27001 information security standard
- Builds trust in managing personal information
- Supports compliance with privacy regulations
- Gain significant advantage over competitors who do not have a certified ISMS or be the first to market with an ISMS that is certified to ISO 27001 and ISO 27701
- Achieve cost savings by utilizing a centrally managed ISO 27001 certified ISMS that can form the core of various compliance efforts, including NIST 800-53, HIPAA, EUCS, SOC 2, Sarbanes-Oxley and more
- Supports compliance with privacy regulations
- Reduces complexity by integrating with the leading information security standard ISO/IEC 27001
Scoping of the ISO 27701
The ISO 27701 standard does not define a particular scope required for the ISMS, however a critical component of the certification process is determining the scope of the review. The ISMS scope is determined by the organization itself and can include a specific application or service of the organization, or the organization as a whole. For the ISO 27701, this is defined by your existing ISO 27001 certification.
Contact us for more information
ISO 27701 Certification Process
Assuming that you have already been certified to ISO 27001, the initial audit, certification and maintenance process has several stages:
- Initial Certification Review - Stage 1
The initial certification audit consists of a policy and process review of your existing ISO 27001 ISMS, to determine the readiness of your ISMS framework to undergo the full audit in Stage 2 of the certification review. This review would include inspection of all client documents required by the standard.
- Initial Certification Review - Stage 2
The second stage of the initial certification audit includes in-depth testing to determine that the ISMS framework has been implemented appropriately and is monitored and maintained per the ISO 27701 standard requirements and internal policies and procedures. This stage is performed at the client location, or multiple locations, if required by the scope of the ISMS. At the end of this Second Stage, Lazarus Alliance will determine whether it will issue ISO 27701 Certification to the client. There may also be gaps identified that will need to be addressed before certification can be provided.
- Surveillance Audit Stage
ISO 27701 certification is valid for a three-year term, during which time surveillance audits are required to be completed at a minimum on an annual basis. During the surveillance audits, Lazarus Alliance will conduct a brief onsite review to determine if any significant or relevant changes have been made to the ISMS, as well as perform limited testing to confirm that the organization is continuing to follow the framework and controls identified in the original certification of the ISMS.
- Re-Certification Stage
Before the expiry of the initial three-year certification term and in subsequent cycles, full re-certification audits will be performed by Lazarus Alliance, to ensure continuity of your certification. The scope of this review and audit will depend on the findings of the surveillance audits and information determined in Stage 1 of the re-certification review.
- Audit Timing
The required time for the overall certification process is strongly dependent on the extent to which the organization's Management System is in conformance to the requirements of the ISO 27001 and ISO 27701 standards. Some organizations might be able to obtain certification within a few months of the beginning of the certification review, whereas other more complex organizations and systems may require up to a year to obtain certification.
Lazarus Alliance Certification Services
As an accredited Certification Body (CB), Lazarus Alliance cannot provide any professional consulting services to assist in the design, selection, or implementation of controls to meet the ISO 27701 requirements. We are however able to provide the following services in addition to full audit and certification:
ISO 27701 Certification Pre-Assessment
A formal Readiness Assessment is not a requirement of certification to the ISO/IEC 27701 Standard, but it can be helpful in assisting organizations in the process of getting properly prepared for initial certification. The intention of the assessment is to save the organization time and money by identifying deficiencies in its Information Security Management System (ISMS) before seeking Certification to the ISO/IEC 27701 Standard.
Many organizations have found this to be an important step in the process of preparing the organization for the formal Certification Audit.
In the pre-assessment, Lazarus Alliance will perform a high-level review of your intended scope, policies, procedures, and control processes to identify gaps in the conformity of your proposed ISMS to the ISO/IEC 27701 Standard. The assessment will provide a comparison between all requirements of the Standard and the processes, procedures and controls you have in place for the design, implementation, operation, and maintenance of your ISMS. The result will be a report providing clarity on the deficiencies that will need to be addressed before a formal Certification Audit should be attempted.
For organizations considering an ISO 27701 certification, the following steps should be considered:
- Please contact us to better understand the requirements and process for certification.
- Purchase all applicable ISO 27701 series standards which best align with an organization's goals or needs, or utilize a reputable industry GRC solution, such as the Continuum GRC SaaS, which is the first and only FedRAMP Authorized assessment solution in the world.
- Perform gap analyses either internally or utilizing our services outlined above.
- Develop a plan for remediation, implementation, and certification.
Also, for additional information on Lazarus Alliance, please see our ISO 27701 business policy page.