What is ISO/IEC 27701:2019 Privacy Information Management Systems (PIMS)
The objective of ISO/IEC 27701 is to expand the utility of Information Security Management Systems (ISMS) by including additional requirements and/or controls to establish, implement, maintain and continually improve Privacy Information Management Systems (PIMS). ISO/IEC 27701 is a certifiable standard. However, in order to get ISO/IEC 27701 certified, an organization first needs to be ISO/IEC 27001 certified.
PIMS, as the name suggests, is a framework intended to protect personally identifiable information (PII) and the privacy rights of individuals. It is intended both for organizations that control PII (PII Controllers) and for organizations that process PII (PII Processors).
Benefits of ISO/IEC 27701 Certification to your organization and your customers
A robust PIMS offers several benefits to PII Controllers and PII Processors. The following are a few of them:
The privacy regulatory environment is very cumbersome, particularly for organizations operating under multiple privacy jurisdictions. Different states and countries have different privacy laws and regulations. Matters get more complicated when your customers (data subjects) live in varied (and sometimes multiple) jurisdictions. Implementing a standardized PIMS framework streamlines compliance work across jurisdictions.
A certified PIMS environment gives all stakeholders (shareholders, regulators, customers, etc.) the necessary peace of mind that the required processes and controls are in place to protect PII.
A PIMS certification is valuable in communicating to all interested parties that the company complies with all privacy laws and regulations, because the certification is based on an international standard (covering GDPR, CCPA and several other privacy regulations).
An ISO/IEC 27701 PIMS certification gives your consumers (customers) confidence that the company has all the necessary safeguards in place to protect their personally identifiable information (PII), and hence that it is safe to do business with.
ISO/IEC 27701: Structure of the Standard
The requirements of the standard are segregated into the four following groups:
Clause 5: PIMS requirements related to ISO/IEC 27001
Clause 6: PIMS requirements related to ISO/IEC 27002
Clause 7: PIMS guidance for PII Controllers
Clause 8: PIMS guidance for PII Processors
The annexes of the standard include the following:
Annex A: PIMS-specific reference control objectives and controls for PII Controllers
Annex B: PIMS-specific reference control objectives and controls for PII Processors
Annex C: Mapping to ISO/IEC 29100
Annex D: Mapping to the General Data Protection Regulation (GDPR)
Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002