A continued commitment to achieve privacy by design and comply with the new requirements
Information security can make or break an organization. From moment to moment, millions of bytes of data stream across networks, protected by security controls. However, as we now know, not all security is foolproof. The world of cybersecurity is always in flux: a constant arms race between malicious users and cybersecurity professionals. Data privacy is an individual’s (or a consumer’s) understanding of their rights regarding how their personal information is collected, used, stored, and shared. Information privacy is the relationship between the collection and distribution of data, technology, the public’s expectation of privacy, and the legal and political issues surrounding them. Data and information privacy protection relies on effective cybersecurity implementation by organizations to secure personal data both in transit and at rest. For businesses especially, it is beneficial to have an international standard that focuses on privacy. ISO/IEC 27701:2019 is that standard.
This standard demonstrates why improved privacy protection in a tech-driven world is crucial. Organizations need to protect not only their own data but that of their customers as well. When ISO conceived of this certification, the impetus was to help businesses have a framework to establish a Privacy Information Management System (PIMS). But what is ISO/IEC 27701, and what does it require for a company to attain certification?
Introducing ISO/IEC 27701
The ISO/IEC 27701 standard was published in August 2019 as an extension to the ISO/IEC 27001 and ISO/IEC 27002 standards. It was prompted by concerns that the handling of personal data was not conforming to privacy expectations. As with most other ISO standards, continual improvement is a core aspect of ISO/IEC 27701. However, unlike other ISO standards, it does not demand that organizations cover every requirement in order to be compliant with it.
For this reason, most security professionals consider ISO/IEC 27701 an “add-on” rather than a standard in its own right. Primarily, it deals with personally identifiable information (PII) and how an organization handles it. ISO itself notes that the standard deals with accountability and responsibility for managing PII, for both controllers and processors.
For a business to successfully be compliant with ISO/IEC 27701, it needs to understand the context in which it uses PII and how its processes may become vulnerable. Before an organization can realize ISO/IEC 27701 in its entirety, it must first pinpoint the difference between controllers and processors.
Controllers vs. Processors ‒ What’s the Difference?
When one inspects the ISO/IEC 27701 standard, it states that the standard applies to both controllers and processors. In this context, the controller is any entity that determines the reason for the collection of PII. A processor, which may or may not be a separate entity, processes that collected PII. The law treats the two roles as distinct. If a processor hires another individual or company as a sub-processor, the standard applies to the sub-processor as well. ISO/IEC 27701 applies regardless of the business’s sector and takes into account the GDPR and the ISO/IEC 29151, ISO/IEC 27018, and ISO/IEC 29100 standards. The specific requirements outlined by ISO/IEC 27701 that apply to both controllers and processors are as follows:
Record Keeping: Most ISO standards require extensive record-keeping and ISO/IEC 27701 is no exception. Organizations must have a written record of PII transactions, including those between jurisdictions and disclosures to third parties.
Internal Processes: In addition to documentation, an organization seeking certification needs to adopt strategies and policies for how it deals with specific incidents, such as security breaches.
Training: Tech Republic notes that more than 40% of all corporate security breaches come from staff. Training is therefore a requirement, to ensure that the team knows the risks associated with its behavior.
Oversight: Organizations must have an individual responsible for ensuring that the guidelines of ISO/IEC 27701 are followed throughout the organization. That person is responsible for developing, maintaining, and monitoring the current and future performance of the security system.
Risk Analysis: Organizations have to perform a risk analysis to identify any PII processing risks within the company’s existing processes.
Confidentiality: At the heart of ISO/IEC 27701 is confidentiality. Businesses must have a confidentiality agreement in place that each individual or entity accessing PII needs to understand and sign.
Requirements Related to Controllers Only
While the requirements mentioned above apply to both controllers and processors, a subset of requirements applies only to controllers. These are:
Privacy by Design/Default: Controllers are required to adopt processes that rely on privacy by default and privacy by design. Privacy by design refers to designing technology that addresses privacy as one of its core concerns. Privacy by default means that controllers should apply the most protective security settings to PII by default.
Individuals’ Rights: Empowering the individual is also high on the list of considerations for ISO/IEC 27701. The standard grants individuals the right to access, erase, and correct their PII if they so choose. They are also entitled to object to or restrict the use of their PII by organizations if they wish.
Requirements in Processor Contracts: Controllers need to have a written contract in place with their chosen processors that addresses certain items, such as limiting the processing of PII to the specific purpose for which it was collected and requiring processors to report any security breaches that may have affected the protection of the collected PII.
Privacy Policies: All organizations must have a privacy policy in place that outlines how the entity will collect, process, and use the data. Processing can ONLY be done within those tightly defined parameters.
Requirements Related to Processors Only
Processors have to maintain the ISO standard on behalf of the controller; in essence, the controller is the processor’s client. The ISO/IEC 27701 standard outlines a handful of requirements that apply only to processors. Among these are:
Disclosures and Transfers: If the processor intends to transfer PII between jurisdictions for any reason, it is required to inform its clients of that decision.
Subcontractors: Processors can only hire subcontractors that conform to the terms of the customer contract. Anything that applies to the processor should also apply to the subcontractor.
Assisting with Individuals’ Rights: Controllers are required to ensure that individuals’ rights are respected. The processor is required to help ensure that the controller can do so.
Limitations to Processing: As the controller is only allowed to use the PII for a specific purpose, the processor is only allowed to process the PII along those guidelines.
Benefits of ISO/IEC 27701
Since ISO/IEC 27701 is based on ISO/IEC 27001, a company must first fulfill the requirements of that standard. As mentioned before, ISO/IEC 27701 can be considered an extension of ISO/IEC 27001. Entities that decide to conform to ISO/IEC 27701 will create documentary evidence of their handling of PII throughout their business processes. This documentary evidence in turn makes it easier for business partners to understand how the company handles PII processing.
As with other ISO standards, third-party accreditation offers stakeholders peace of mind. To acquire ISO/IEC 27701 certification, a business needs to conform to the requirements that apply to its data processing and handling. While this may not be every requirement listed in the standard, it does cover all the essential needs associated with how a business processes PII. For accreditation, a third party must certify that the company conforms to the applicable requirements at a certain level of competency.
ISO/IEC 27701 is also extremely rigorous in how it deals with privacy. Most jurisdictions are playing catch-up with privacy laws, and ISO/IEC 27701 offers a global standard that a company can refer to and that may surpass local legislation. Despite the complex nature of ISO/IEC 27701, businesses benefit from a standard that is in tune with individuals’ concerns about how their data is collected and used. One of the more progressive local regulations that the standard references is the European Union’s GDPR.
ISO/IEC 27701 and the GDPR
When one looks at Article 42 of the EU’s General Data Protection Regulation (GDPR), the terminology immediately stands out as familiar from ISO/IEC 27701. Terms such as controller and processor exist there too and carry the same meanings as in the standard. The standard (so far) lacks the formal backing of the GDPR, and without that, compliance with the standard will not necessarily mean compliance with the GDPR. Businesses within the EU will also need acknowledgment of their certification from at least one supervisory body.
For businesses that struggle with granting remote teams access to their PII, this might be an excellent time to consider ISO/IEC 27701 certification. Additionally, companies that conform to the standard are more likely to be seen by clients as caring about their customers’ personal data. While there is no official link between the GDPR and ISO/IEC 27701 as yet, both have the same goal in mind. Businesses may not want to leap into certification with both feet just yet, since no supervisory body presently recognizes the standard. However, given such a close relationship with the GDPR, it may only be a matter of time before the EU starts recognizing this certification and asking for it as a prerequisite for doing business.
Breach Management and Control
Organizations that comply with the ISO/IEC 27701 standard will have measures in place to deal with breaches. The standard is flexible enough to be used in any jurisdiction and allows for contacting the requisite personnel to report the violation. By following the standard, a company can have peace of mind that it is doing everything possible to ensure its data privacy. The ISO standard serves as a guarantee that the organization is ready and willing to act if a breach does occur. As any security professional can attest, most of the time it is impossible to foresee when and where a breach will happen. An organization therefore simply needs to be ready to deal with the fallout and mitigate any damage that may result.
Another close similarity between the GDPR and ISO/IEC 27701 is breach management. The ISO standard’s incident management controls are almost the same as the GDPR’s. There is one glaring exception, however, and that is the notification window. The GDPR has a standardized 72-hour window for companies to report a data breach, while the ISO standard does not include such a window. However, there are workarounds for this shortcoming. Organizations can still fulfill the GDPR requirement by having a system that allows them to notify a regulator independently of the standard. In this way, the standard retains its usefulness outside the EU but still has a failsafe in place that a company can use if it operates within the EU’s boundaries.
Acquiring ISO/IEC 27701 Certification
For organizations looking for a pathway towards certification, there are a few significant steps that the company must take:
1. Understand ISO/IEC 27001:2013
This standard deals with establishing an information security management system (ISMS), which is the basis for obtaining ISO/IEC 27701 certification.
2. Establish a management framework
The management framework outlines the requirements an organization must meet to comply with ISO/IEC 27701. A company cannot seek ISO/IEC 27701 certification unless it already conforms to ISO/IEC 27001.
3. Perform a risk assessment
Where are the risks in your system? A risk assessment is a crucial step in figuring out where your data is most vulnerable. The organization must first establish a security baseline and then perform its risk audit against that baseline.
4. Implement risk-management controls
Dealing with risks requires figuring out the best way to manage them. The organization should document its intention to address its risks and complete a Statement of Applicability and a risk treatment plan. These reports are crucial as documentary evidence of risk assessment and mitigation.
5. Train employees
As mentioned before, employees are one of the weakest points of entry into a corporate system. Extensive employee training must be undertaken and documented.
6. Pinpoint the processes that apply to ISO/IEC 27701
As noted before, since ISO/IEC 27701 does not require businesses to conform to every aspect of the standard, companies need to pinpoint which of their procedures it applies to.
7. Ensure the processes conform
The organization must go through the guidelines outlined in the standard and deal with any issues it encounters.
8. Monitor and review
After a single cycle, the organization, headed by the ISO/IEC 27701 champion, should summarize the information it collected and review it to see where the system can be improved.
9. Implement changes
The organization should be able to discuss and develop relevant changes to improve the organization’s handling of PII, and those changes should be implemented in the relevant processes.
10. Seek external certification
Audits by a third party are necessary for an organization to achieve final certification.
ISO/IEC 27701 certification works on the principle of continual improvement. It is still a relatively new standard, and many businesses have not yet realized how important it can be as a selling point. However, with so many users concerned about what happens to their PII, it may become even more vital to twenty-first-century businesses.