Strike Graph security compliance blog

ISO 27701 basics

Written by Michelle Strickler | Apr 7, 2022 7:00:00 AM

As you may have recently heard, Strike Graph now supports ISO 27701. In this post, we wanted to explain a little bit more about what ISO 27701 is, why it’s important, and how Strike Graph can help your organization achieve certification.

Without further ado, let’s get to it!

ISO 27701 is a privacy extension to ISO 27001. Whereas ISO 27001 establishes the framework for an organization's Information Security Management System (ISMS), which governs the security of data overall, ISO 27701 extends that framework with requirements and guidance specifically for managing Personally Identifiable Information (PII).

PII

PII is any data that can be used, alone or in combination with other data, to identify a specific person; this can include an individual's:

  • Name
  • Address
  • Email address
  • Phone number
  • IP address
  • Birthday
  • Etc.

ISO 27701 helps organizations manage PII by showing them how to design, set up, manage, and continually improve a Privacy Information Management System (PIMS).

PIMS

A PIMS covers the methods an organization has for:

  • Collecting,
  • Processing,
  • Storing, and
  • Destroying PII

It achieves this by adding PII controller- and PII processor-specific controls on top of ISO 27001 and establishing a point of convergence between privacy and security, which in many organizations are two separate functions. Bringing them together helps organizations overcome some common privacy and security challenges.

ISO 27701 is important primarily because it can assist in privacy compliance with laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Both require companies to tell individuals what PII they collect and why, and to honor deletion requests; CCPA additionally grants consumers the right to opt out of the sale of their PII, and GDPR grants rights such as access, rectification, and objection to processing. Note that a certification against ISO 27701 is not, by itself, proof of compliance with any particular law; it demonstrates that the organization has a systematic, audited process for meeting the obligations it has declared in scope.

Additionally, because the standard is still relatively new (ISO/IEC 27701 was published in 2019), few organizations have adopted it. This means obtaining ISO 27701 certification now will help you get, and stay, ahead of the privacy compliance curve.

Once certified, you’ll also enjoy a plethora of benefits, including:

  • Demonstration of a commitment to both information security and privacy
  • A safeguarded reputation
  • An increase in stakeholder trust and consumer confidence
  • Reusable evidence that supports compliance with other standards and regulations
  • Easier contract negotiations with customers and partners who require documented privacy controls
  • And more!

Seeing as ISO 27701 builds on ISO 27001, it cannot be certified on its own: you will need to already hold an ISO 27001 certification, or pursue ISO 27001 and ISO 27701 certification together in a single combined audit.

The ISO 27701 audit itself requires your organization to declare which privacy laws and/or regulations apply to it as part of the audit criteria. This way, the standard's controls can be mapped to the requirements of CCPA, GDPR, or other applicable regimes. Next, your organization will need to implement an effective PIMS that meets the requirements of ISO 27701 together with those declared laws and regulations.

That’s where we come in. Strike Graph can help you build a simple, reliable, and effective compliance program so that you can get your ISO 27701 certification quickly. We achieve this by:

  • Taking a risk-based approach to compliance
  • Mapping controls to framework criteria so you don't have to
  • Ensuring you don't over-scope your program
  • Helping you understand security and privacy gaps so you can not only pass a clean audit, but grow and scale your business securely

If certification is granted, it will be subject to annual surveillance audits, and after three years your organization will have to undergo a recertification audit. Throughout this cycle, your organization will need to conduct periodic risk assessment reviews, perform internal audits and management reviews, and take corrective action on any nonconformities; but don't worry, we can help with that too.