What is ISO/IEC 27701?

Image

If you have a familiarity with any information security frameworks and certifications, it’s more than likely you have heard of International Organisation for Standardisation (ISO) and possibly the International Electrotechnical Commission (IEC). From my experience, the most commonly referred to business-level security related certifications are ISO/IEC 27001 and ISO/IEC 27002. These industry-recognized certifications for information security management systems (ISMS) have been either required or mentioned for all Request for Proposals (RFP) I have ever worked on. Simply put, these certifications indicate that organizations have theoretically taken preemptive action to design their infrastructure with foundational security practices in mind. As with other security-minded persons, I do not believe being compliant makes you secure, it’s also important to note, organizations can choose to limit the scope of compliance within their infrastructure. However, compliance shouldn’t be seen as a negative, either, and an organization should not be put down for actively seeking to enhance its infrastructure and align it with best practice. Having worked with organizations going through the certification process for 27001, I can attest to some essentials of a security program addressed within these required controls. Most recently, ISO and IEC have come out with a new addition, ISO/IEC 27701:2019 (27701). This is not a completely new framework; consider it more like an expansion pack to a game. It adds amendments and controls that address privacy by design and by default. The language varies slightly from the General Data Protection Regulation (GDPR), but 27701 was designed in response to GDPR’s privacy needs with the idea of transforming an organization’s ISMS into a Privacy Information Management System (PIMS). Instead of referring throughout to “information security management,” 27701 reminds organizations to also consider “Information security and privacy management.” At this time, organizations cannot become certified with 27701 but can receive the 27001 certification that includes the additional controls within the Statement of Applicability (SoA). Due to the current popularity of 27001 certifications and infrastructure aligned with their ISMS, going this route will still be cost-effective to organizations, as they will not need to re-design their infrastructure but will simply need to add the privacy practices and controls on top of it. That being said, one notable limitation is highlighted within the IT Governance Green Paper “ISO 27701 Privacy Information Management System September 2019":

"ISO 27701 certification will not meet the GDPR’s requirements for a certification scheme. Article 43 of the GDPR requires that any certification scheme be operated under an ISO 17065-accredited scheme. ISO 27701, however, will fall under ISO 17021-1 and therefore not meet the GDPR’s requirements. There is a good chance that an eventual ISO 17065 scheme will include ISO 27701 certification, but overall, it will be more robust and hence more expensive. Those organizations that want to demonstrate a degree of assurance without the expense of an ISO 17065-accredited scheme might opt for ISO 27701 certification as an economical compromise."

What reason is there to include 27701 amendments within the 27001? Whilst the certification is still labeled as 27001, organizations adding in additional controls and re-aligning their infrastructure for privacy practices are making a positive step towards improving their environment. By doing so, they could show their effort to build more secure solutions. As mentioned above, I have worked with organizations attempting to certify; I know the massive time, money, and effort that goes into this process. Therefore, it makes financial sense to enhance but not redesign the entire approach. Michael R. Overly makes a great point within the article Why every business should consider ISO 27701 compliance for their vendors, simply put that as cybersecurity matures, and organizations are required to align with more privacy and security frameworks, it makes sense to choose something overarching. ISO 27701 was designed to be this, and by aligning with this internationally compliant framework – you’re making it easier on your organization to not have to continuously update as further requirements and laws come out. What reason do consumers have for interest in this? Just as GDPR states, 27701 tells processors that they must collect only required information, they must be transparent and use this data for only the stated reasons, and controls must not only be “by design” but also “by default.” This means implementing the controls and having these privacy controls turned on for all cases from the very beginning, creating a culture of consumer privacy and safety from the start.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.