Strike Graph security compliance blog

Comparing ISO 27001 & ISO 27701: Differences, similarities, and dual certification process

Written by Kenneth Webb, CISSP, GWAPT, CSSLP, CISA, CIS LA | Jun 21, 2022 7:00:00 AM

As one of the first compliance software companies to offer the ISO 27701 framework after having offered ISO 27001 for a few years, we thought we’d dig into what really sets these two standards apart and what the certification process looks like for each.

What is ISO 27001?

ISO 27001:2022 is a global standard for creating and supporting information security management systems (ISMS). Certification in ISO 27001 shows that a company has the tools and processes to protect data and comply with laws. ISO 27001:2022 updates the older version, ISO 27001:2013.

In addition to helping companies, non-profits, and public sector institutions safeguard information and conform to regulations, ISO 27001 also sets companies up for risk awareness. When an organization understands the nature and severity of cybersecurity risks, it can proactively defend against them. 

ISO 27001 and 27701 are part of the ISO 27000 family of standards, which provides a framework for best practices in information security management. The ISO 27000 series is the joint work of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It applies to organizations of all sizes and sectors.

Key takeaways:

  • ISO 27001 focuses on securing information, while ISO 27701 extends it to include managing and protecting personal data privacy.
  • Combined ISO 27001 and ISO 27701 compliance can bolster your organization’s data security and privacy, which builds trust with customers and partners.
  • Knowledgeable compliance consultants can ease your transition from an information security culture to a security and data privacy culture.
  • A dual certification process can harmonize your information security and information privacy systems and streamline the auditing process. 
  • Organizations can save time and money by doing ISO 27001 and ISO 27701 together.


ISO 27001 purpose

The standard’s purpose is to support companies as they build their ISMS. An information security management system protects and enhances an organization’s data CIA (confidentiality, integrity, and availability).

  • Confidentiality: Protecting data from unauthorized people, processes, software, or organizations. 
  • Integrity: Ensuring that data assets are accurate and complete. 
  • Availability: Ensuring that authorized people, processes, software, or organizations can access data when they need it. 

By creating a dedicated ISMS, an organization moves beyond inconsistent efforts to structured, repeatable, documented security processes. Instead of reacting to incidents, an ISO-27001-compliant organization anticipates, identifies, and resists threats. A solid ISMS promotes security consciousness throughout an organization. Importantly, it shows partners, customers, and users that the organization has the processes and acumen to protect data.

ISO 27001 scope

The scope extends to anything the ISMS protects for an organization, from data to devices to systems and services. 

ISO 27001 scope includes:

  • Data: Protect all forms of data, including sensitive or confidential information, from unauthorized access, modification, or deletion. This includes structured and unstructured data, whether stored, processed, or transmitted.
  • Devices: Secure hardware used in processing or storing information, such as servers, computers, mobile devices, and other connected equipment, against unauthorized access or tampering.
  • Employees: Employee behavior and actions are critical to information security. Training, awareness, and clear roles and responsibilities ensure that employees contribute positively to the ISMS and comply with security protocols.
  • Equipment: Secure physical equipment, including networking infrastructure, data storage devices, and backup systems. Protect equipment from theft, damage, or misuse.
  • Geographic locations: Include different office locations, data centers, or cloud infrastructure in the scope to ensure that physical and environmental security controls are in place across all relevant sites.
  • Information: This covers not just data but also intellectual property, organizational knowledge, and any information asset that requires protection from threats to its confidentiality, integrity, or availability.
  • Products: Secure products developed or sold by the organization, particularly those with embedded software or those that handle customer data. This ranges from design through delivery, ensuring they meet ISMS standards.
  • Processes: Internal processes, such as software development, incident response, and risk management, should be aligned with the ISMS framework to ensure consistency in how information security is maintained across all operations.
  • Services: Any service provided by or to the organization that handles data must comply with ISMS requirements. This includes outsourced or cloud-based services that must be subject to the same level of scrutiny and control as in-house operations.
  • Software: The security of all software applications used or developed by the organization is critical. This includes safeguarding against vulnerabilities, ensuring proper access controls, and maintaining software integrity through regular updates.
  • Systems: This includes the overall IT infrastructure, such as servers, databases, networks, and other systems that store or transmit data. Ensure their security from internal and external threats.

ISO 27001 compliance requirements

To comply with ISO 27001, you must meet requirements regarding the organization's security needs, leadership support, regular assessments, training, operations, and more.

The seven essential compliance requirements of ISO 27001 are: 

  • Clause 4, Context of the organization: Clause 4 specifies that organizations must understand their unique information security needs. They must ascertain the relevant stakeholders, such as partners, customers, and internal and external users, and their security requirements. Security requirements inform the scope of the ISMS, which is captured in a scoping document.
  • Clause 5, Leadership: To guarantee the success of an ISMS, an organization must secure the support of senior leadership. It must also determine ISMS roles and create security management policies. 
  • Clause 6, Planning: Organizations must conduct regular risk assessments and review mitigation processes to achieve security objectives.
  • Clause 7, Support: Clause 7 calls for organizations to provision the ISMS, and refers to ISO 9001:2015, the business process and quality management standard, for guidance on system administration. Effective support includes ISMS documentation that is always available to employees and stakeholders, and employee information security training and awareness programs to highlight each employee’s role in ensuring a secure ecosystem. 
  • Clause 8, Operations: All organizational processes and activities should occur with awareness of and reference to ISMS needs and security risk management. In essence, nothing in an organization should happen without the consciousness of information security and possible risks. 
  • Clause 9, Performance evaluation: Under Clause 9, an organization must regularly measure and audit data security performance. Upper management must monitor system performance, conduct regular risk assessments, and seek continuous improvement.
  • Clause 10, Continuous improvement: Clause 10 works in tandem with Clause 9 and calls for organizations to look for opportunities to improve all aspects of their information security framework. 

In addition to those seven requirements, ISO 27001:2022 outlines 93 controls in Annex A. A control is a policy or procedure used to mitigate a security risk. However, as is typical for any ISO standard, 27001 does not specify exactly how an organization should comply, offering organizations the flexibility to choose from the specified controls or create additional controls as needed.

What is ISO 27701? 

ISO 27701 extends ISO 27001 with a focus on privacy. ISO 27701 specifies that companies use a privacy information management system (PIMS) to support their ISMS. It also helps companies demonstrate compliance with the General Data Protection Regulation (GDPR).

ISO 27701 was developed as concerns about data privacy grew and new privacy laws emerged, such as:

ISO 27701 specifications provide a convenient, streamlined approach to complying with various international standards. That’s critical for borderless organizations, such as ecommerce companies. Importantly, the standard also helps differentiate organizations in the marketplace by showing their attention to data privacy. 

ISO 27701 purpose

The purpose of ISO 27701 is to provide organizations with guidance on collecting, processing, and storing personally identifiable information (PII).

Personally identifiable information can include the following:

  • Name
  • Address
  • Social Security number or identification number
  • Telephone number
  • Email address
  • Passport number
  • Driver's license number
  • Taxpayer identification number 
  • Financial account or credit card number 

“ISO 27701 puts a formal program in place that supports building both internal governance practices and monitoring and governance down through the supply chain,” explains Michelle Strickler, Lead Product and Compliance Experience Strategist at Strike Graph.

“For example, to mitigate the risk of a breach of PII, an organization may require that all entities in the supply chain implement the highest level of encryption at rest on the market. If any downstream organization in the supply chain cannot implement this high standard, the organization may choose not to use them, accept the risk, or require other mitigating controls to protect sensitive PII.” 

The standard defines the two main data-handler roles as data controllers and data processors:

  • A data controller is any individual or entity that determines the use and means of processing PII. 
  • A data processor is any individual or entity that processes PII. Processors can be internal or third-party entities. Processing includes collecting, storing, using, or disclosing information and data. 

As an example of how this works, consider an office supply store that contracts with a third-party fulfillment firm to deliver web orders. Customer information is collected on the store’s website and sent to the shipping firm to complete the order. In this scenario, the store is the PII controller, and the fulfillment company is the PII processor. 

ISO 27701 scope

ISO 27701's scope describes the information, structures, and activities the PIMS controls in an organization. It also specifies who manages and maintains the PIMS. In addition, the scope notes the pertinent laws, regulations, and business commitments that govern an organization’s data protection approaches.  

ISO 27701 compliance requirements

ISO 27701 builds on the security provisions of ISO 27001 and includes additional requirements for ensuring data privacy and security. 

The ISO 27701 compliance requirements include the following:

  • Clause 5, PIMS: An organization must establish a PIMS.
  • Clause 6, Cybersecurity controls: Organizations must be aware of additional privacy requirements for data processing. They must also train employees to recognize PII, control PII access, and manage removable media.
  • Clause 7, PIMS controllers: PII controllers must provision resources and training to support their PIMS. 
  • Clause 8, PIMS processors: PII processors must provide adequate privacy controls, prepare to mitigate privacy incidents, and continually monitor and track PIMS operations. They must also give users a means to manage their personal data, and must define and document a risk management strategy, including how risk assessments are carried out.

ISO 27701 builds on and updates the controls listed in 27001 Annex A with 184 controls, 49 of which are PII-specific. ISO 27701 Annex A details PII controls for data controllers and Annex B covers PII controls for data processors.

The ISO 27701 controls comprise five domains:

  • Security management
  • Information security controls
  • Information security management
  • Information security incident management
  • Business continuity management
Similarities between ISO 27001 and ISO 27701

The similarities between ISO 27001 and ISO 27701 start with the fact that they’re in the same ISO family of standards. Both standards aim to protect data assets through risk-based management and require third-party certification and continuous improvement of data protection systems.

Can you get ISO 27701 certified without an ISO 27001 certification?

You cannot get certified in ISO 27701 without first being certified in ISO 27001. ISO 27001 forms the security foundation for the privacy requirements in 27701. However, you can apply for certification for both at the same time. 

“The advantage to dual certification is streamlining the programmatic elements of the information system-privacy management system (IS-PMS) covered by all the clauses. This makes auditing the clauses very efficient,” says Strickler. 

“The challenge comes when the certification body is not well-versed in both information security and privacy practices. This forces them to split up the audit between available staff with the appropriate skill set and, in more than a few cases, this extends the audit by one to three weeks.”

Differences between ISO 27001 and ISO 27701

ISO 27001 and ISO 27701 differ in their focus. ISO 27001 addresses information security and describes an ISMS. ISO 27701 addresses user privacy and PIMS creation. ISO 27001 also details more security areas than ISO 27701.

“ISO 27001 provides a foundation for overall information security practices, and ISO 27701 builds on this foundation to address specific privacy concerns, which are especially important for organizations handling personal data,” explains Stephen Ferrell, CISA, CRISC, Chief Strategy Officer at Strike Graph.

“For example, a financial services company might implement ISO 27001 to secure all their information assets, and then extend to ISO 27701 to specifically address how they handle customer personal data in compliance with privacy regulations like GDPR.”

Benefits of dual ISO 27001 and ISO 27701 certification

There are significant benefits to combining ISO 27001 and ISO 27701 certification. One benefit is it creates an integrated security and privacy framework. A combined certification process also streamlines internal and third-party auditing. 

Strickler says that if an organization has the staff to plan and prepare for the ISO audit, a combined audit can shorten the time the teams are under audit. “If you have back-to-back Annex testing, you reduce duplicate reviews of clause conformity by separate auditors.”

When you certify simultaneously, you can also realize additional advantages:

  • Align information security policies with privacy policies from the start.
  • Harmonize information security and privacy education and training.
  • Optimize security resources to improve your security and privacy posture while reducing costs to manage and audit systems.
  • Expedite expansion and adaptation of the IS-PMS as the organization grows.
  • Adapt more efficiently to regulatory changes.
  • Mesh with current auditing cadence and processes.
  • Certify only those parts of the organization that need strict privacy controls.

The bottom line: If you have the staff and resources to do ISO 27001 and 27701 together, strongly consider it.

Implementing and managing ISO 27001 and ISO 27701 together can present challenges and rewards. Ensure you have strong managerial support for your efforts. Then, thoroughly understand your company's security context before you certify. 

If you’re considering a combined ISO 27001 and 27701 certification process, follow these additional tips from Ferrell and Strickler:

  • Conduct a thorough gap analysis against both standards before you implement.
  • Develop an integrated ISMS and PIMS (IS-PMS) that addresses both standards simultaneously. Overlap scope when possible, and delineate system boundaries, responsibilities, and internal and external stakeholders.
  • Ensure strong leadership support and allocate adequate resources for the project.
  • Provide comprehensive training to staff on both security and privacy principles.
  • Use technology solutions that can support both ISMS and PIMS requirements. 
  • Engage experienced consultants who are familiar with both standards.
  • Plan for a phased implementation if resources are limited.
  • Choose a certification body that is well-versed in both ISO 27001 and 27701.

ISO 27001 and ISO 27701 dual certification process

  1. Define the scope of the ISMS and PIMS and identify overlapping roles, responsibilities, and resources for each system.
  2. Conduct a gap analysis to determine the state of information security and privacy in your organization. Consider documentation for policies and procedures and environmental controls. 
  3. Conduct a risk assessment and define mitigating controls for your unique situation.
  4. Compile a statement of applicability (SOA), noting which 27001 Annex A controls and 27701 Annex A and B controls you include or exclude in your IS-PMS, and why.
  5. Implement your IS-PMS. Inform internal and external users about the system. Continually monitor progress.
  6. Train your team on new security policies and procedures.
  7. Conduct your internal audit.
  8. Conduct the Stage 1 audit. Your external auditor reviews documentation and interviews key personnel to ensure your organization is ready for the Stage 2 audit.
  9. Conduct the Stage 2 audit to verify that your IS-PMS is correctly and effectively implemented. Incorporate any Stage 2 feedback on nonconformities.
  10. Monitor, audit, and improve.


Strike Graph automates your ISO 27001 and ISO 27701 compliance processes. Strike Graph tools and expertise save you time and resources. They help you bolster your information security and privacy stance.

“Including privacy in an existing framework requires a cultural shift in an organization,” says Ferrell. “An outside compliance consultant with deep subject matter expertise like Strike Graph can help smooth the transition.”

Strickler adds, “The Strike Graph platform provides cloud-based features to map controls and track evidence for your organization, and help you monitor and maintain your ISMS and PIMS. It comes preloaded with policy and procedure and checklist templates to build your documentation library and streamline auditing. Plus, Strike Graph has the information security experts to guide you through the ISO 27701 accreditation process.”

Want to learn how the controls and evidence for ISO 27001 and ISO 27701 map specifically for your organization? Set up a time to chat with a Strike Graph compliance expert. Bundling ISO 27001 and ISO 27701 using Strike Graph can save you hundreds of dollars and hours of wasted time.