
Why should you integrate ISO/IEC 27701 into your existing ISO/IEC 27001 Certification?


Every day the world becomes more dependent on technology, and with this rapid development there is no doubt that the protection of information is a must. As more of our lives move online, we leave footprints in the digital world and share and exchange ever more information, including private and sensitive information.

Whether we share it unconsciously or hand it over willingly in exchange for a service we need, we all want to know where this personal data goes and how it is maintained. Since sensitive information may be involved, and since cyber threats are ever-present, organizations need to convince their customers that they have taken all the necessary steps to protect that information.

There is no debate over whether an organization should implement information security and privacy practices within its systems. The question is which information security and privacy practices an organization should follow.

ISO standards provide a strong starting point for organizations that want to implement the best practices within their management systems and prove their excellence and commitment to offering secured services and products.

For an organization to operate efficiently and effectively, it should follow industry trends and stay in line with what the market is offering. Since information technology is a core basis for almost every organization nowadays, adopting the best practices of ISO/IEC 27001 and ISO/IEC 27701 helps an organization ensure that it has created a secure infrastructure to protect its information assets against the risk of loss, damage, or other threats.

ISO/IEC 27701 and its relation to ISO/IEC 27001

Organizations that implement an Information Security Management System (ISMS) based on an internationally recognized standard such as ISO/IEC 27001 ensure the confidentiality, integrity, and availability of information, and, among other benefits, can convince interested parties that the risks to their processes have been assessed and are adequately managed.

However, although ISO/IEC 27001 assures interested parties that their information is secure, the privacy of information has been a separate matter of discussion in recent years.

Thus, in August 2019, ISO published the first international standard that deals with privacy information management, ISO/IEC 27701. It provides requirements on how to implement a Privacy Information Management System (PIMS) and helps organizations that identify themselves as Personally Identifiable Information (PII) Controllers and/or PII Processors, regardless of their type, size, or the country in which they operate.

Organizations that implement a PIMS based on the ISO/IEC 27701 requirements assure third parties that they have taken all the necessary steps to properly review, evaluate, and maintain the privacy of information.

“To explain it from another perspective, ISO/IEC 27001 relates to the way an organization keeps data accurate, available, and accessible only to approved persons, while ISO/IEC 27701 relates to the way an organization collects personal data and prevents unauthorized use or disclosure.” 

– Oludare Ogunkoya, MSECB Auditor for both the ISO/IEC 27001:2013 and ISO/IEC 27701:2019 standards.

Therefore, while ISO/IEC 27001 addresses information security and helps organizations protect their information assets, ISO/IEC 27701 focuses specifically on privacy information.

6 reasons to integrate ISO/IEC 27701 into ISO/IEC 27001

So far in this article we have discussed the relationship between these two standards, but why is it important for organizations that already hold an ISO/IEC 27001 certification to get certified against ISO/IEC 27701 as well?

Let us start by naming a few reasons:

  1. ISO/IEC 27701 – Privacy Information Management System (PIMS) is not a standalone standard but an extension of ISO/IEC 27001.
  2. ISO/IEC 27701 cannot be certified as a separate/standalone management system.
  3. ISO/IEC 27701 helps to continually improve the ISMS by placing more emphasis on the protection of privacy information.
  4. ISO/IEC 27701 provides more detail on the term “information security” as used in ISO/IEC 27001.
  5. The privacy and protection of personal data mentioned in ISO/IEC 27001 are given a further extended scope in ISO/IEC 27701, which includes the protection of privacy as potentially affected by the controlling and/or processing of PII.
  6. ISO/IEC 27701 helps in ensuring that an organization has effectively designed and managed an ISMS.

How do ISO/IEC 27701 and ISO/IEC 27001 help organizations meet legislation and regulations?

The protection of PII, as a subject of debate, has led many countries to create legislation and regulations that organizations must follow, for instance GDPR, CCPA, and the NY SHIELD Act. All of these legal and regulatory requirements help organizations ensure the protection of PII; in addition, holding an ISO/IEC 27701 certification helps organizations demonstrate that they are operating in accordance with those regulatory requirements.

As explained in our Q&A session: “The ISO/IEC 27701 has a very detailed and clear mapping of GDPR clauses, therefore, when the standard is implemented with GDPR as a primary focal point, it ensures that all the clauses of GDPR have been taken into consideration. Thus, organizations can demonstrate alignment and governance to the GDPR requirements, though they should not claim certification to GDPR.”

Integrating ISO/IEC 27701 into your existing ISO/IEC 27001 certification will help your organization become compliant with data privacy regimes while increasing the transparency of its processes and procedures. In this way, you demonstrate to your customers and other interested parties that you maintain the integrity of their information, which builds customer trust and increases customer satisfaction.

MSECB is here to help you

Receiving an internationally recognized certification from a globally renowned certification body such as MSECB has proved to have a multidimensional impact on previously certified organizations, and ultimately has increased the market share and recognition of those organizations.

Our certification process is separated into two stages:

  • During the Stage 1 Audit, MSECB conducts a review of the ISMS/PIMS to verify whether the client is ready for the Stage 2 Audit.
  • After Stage 1 is completed successfully, the Stage 2 Audit is conducted. The Stage 2 Audit is a more in-depth audit that verifies whether the client has met all the requirements of the standard.

Upon verifying that your organization conforms to the requirements of ISO/IEC 27001 and ISO/IEC 27701, MSECB grants the certifications. The certifications are then maintained through scheduled annual surveillance audits conducted by MSECB, with a recertification audit performed on a triennial basis.

Furthermore, because ISO/IEC 27701 is an extension of ISO/IEC 27001, the audit and certification process for the PIMS can be initiated in any audit cycle: the initial audit, any of the surveillance audits, the recertification audit, or a dedicated scope extension audit.

Start your ISO/IEC 27701 audit and certification today by getting a Free Quote.
