
ISO 27701 as an extension to ISO 27001
Processes and communication increasingly take place in digital form, which is why information security matters so much. Many organisations therefore consider a good management system in this area to be essential.
ISO 27001 provides an excellent basis for this and allows you to demonstrate that your valuable information is suitably protected.
However, a new standard was recently published as an extension to ISO 27001, namely ISO 27701. This standard not only protects your own information but also shows that you protect the privacy of others.
Defined roles in data protection management
The roles defined in ISO 27701 are Controller (organization responsible for PII – personally identifiable information) and Processor (responsible for PII processing on behalf of another organization). These roles are defined in Article 1 Paragraph (4) and (5) of the Law of the Republic of Indonesia No. 27 of 2022 (PDP Law) and in ISO 29100.
Controller
"Any legal person, public authority, and international organization which, alone or jointly with others, determines the purposes and means of the processing of personal data."
The Controller collects personal data and determines the purposes for which they will be used and the means of the processing. More than one organization can act as PII Controller for the same processing; these are then generally referred to as Joint Controllers, and in that case agreements on data exchange are necessary.
Processor
"Any legal person, public authority, and international organization which, alone or jointly with others, processes personal data on behalf of the controller."
The Processor processes personal data for the PII Controller and works only according to the Controller's instructions.
Content of ISO 27701
ISO 27001 and ISO 27002 contain requirements and guidelines for an Information Security Management System (ISMS). ISO 27701 adds privacy-specific requirements and guidelines and expands them into a Privacy Information Management System (PIMS).
ISO 27701 acts as an extension of the requirements and controls of ISO 27001 and of the implementation guidelines of ISO 27002; it does not function as a stand-alone standard. Its scope is therefore necessarily the same as, or narrower than, that of the ISO 27001 management system on which it is based.
The first substantive part of the PIMS is chapter 5, which connects privacy (ISO 27701) to information security (ISO 27001) by means of specific privacy requirements on top of the requirements of the (already existing) information security management system. These additional PIMS-specific requirements are limited to chapters 4 (Context of the organization) and 6 (Planning). For example, the people to whom the personally identifiable information (PII) relates, the so-called PII principals, must now also be included among the interested parties, along with their needs and expectations. More importantly, the risk management approach must now also include the potential impact on the privacy of these principals. In order to mitigate the risks, which are now privacy risks as well as information security risks, the organization has to take into consideration the additional privacy controls set out in the appendices: Appendix A for Controllers and Appendix B for Processors. These are represented in a statement of applicability (SoA) in the same way the organization is already familiar with from its (existing) ISMS.
Chapter 6 is dedicated to giving additional privacy-specific guidance on top of the implementation guidelines in ISO 27002, helping the organization integrate privacy into its (already existing) information security controls. One example is the appointment of an independent privacy expert as part of the implementation of the organization's roles and responsibilities.
Chapters 7 and 8 act as implementation guidelines for the controls in Appendices A and B of ISO 27701, in the same way that ISO 27002 provides guidance for the Appendix of ISO 27001. There is no ISO 27702; it is all covered in ISO 27701.
Benefits of ISO 27701 certification
An ISO 27701 certificate is suitable for every organization that processes personally identifiable information (PII), regardless of size. It applies to public and private organizations, governmental authorities and charitable bodies that process PII within the framework of an ISMS as Controller or Processor.
Above all, if you have to demonstrate that your organization has a deliberate policy with regard to this type of personal data, the certificate offers a structured solution:
Organizations with an ISMS that wish to further develop their role as Controller and/or Processor and increase their professionalism
Organizations that are subject to Indonesian law, e.g. because they are Indonesian or are active in Indonesia, can make use of ISO 27701 in order to examine their observance of the PDP Law more closely. This applies to the following, for example:
In order to achieve ISO 27701 certification you must already operate a functioning ISMS that fulfils the requirements of ISO 27001. This means that you already hold ISO 27001 certification or are in the process of gaining it, because ISO 27701 extends and augments ISO 27001.
This additional standard is certainly relevant for every organization that works with sensitive personal information.
If you already hold an ISO 27001 certificate (through TÜV NORD or another certification body), you will first undergo a separate audit for ISO 27701. The ISO 27701 certificate will have the same term of validity as your current ISO 27001 certificate. When this expires, or if you begin with ISO 27001 and ISO 27701 at the same time, the audits for ISO 27001 and ISO 27701 are synchronised.
The ISMS and the PIMS are then integrated, and the audits for both systems can be combined.