Four Benefits of Combining ISO 27701 and ISO 27001

ISO 27701 is the first certification for privacy. By combining ISO 27701 and ISO 27001, organizations can build trust, prepare for privacy regulations, and more.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issue many guidelines and frameworks for organizations. These can range from cybersecurity readiness to business continuity standards and beyond. 

In 2019, ISO expanded ISO/IEC 27001:2013 (ISO 27001), a popular and longstanding cybersecurity framework, with ISO/IEC 27701:2019 (ISO 27701), a new standard focused on creating a Privacy Information Management System (PIMS). The standard has generated excitement in the compliance world, as it is the first certification for privacy. In other words, ISO 27701 represents the first way an organization can actually become certified by a third party in privacy best controls, rather than compliant with standards and regulations.  

However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 cybersecurity framework serves as a foundational chassis, and organizations can add on additional ISO standards, such as ISO 27701, that work well for the specifics of their business.  

Organizations may wonder: what are the benefits of combining ISO 27701 and ISO 27001?

We will walk through four key benefits of adding the new ISO 27701 standard onto the core ISO 27001 framework. 

1. Builds Trust with External Stakeholders 

Today, much of our personal lives and our work happen on the internet, whether through applications, websites, or other form factors. Everyone is concerned about their personally identifiable information (PII), and no one wants it to fall into the wrong hands.  Each year there are data breaches that raise new security and privacy concerns. Consent, transparency, and security are more important than ever. 

As privacy concerns continue to grow amongst regulators and consumers alike, organizations are increasingly interested in improving their privacy policies and offering proof that they take privacy seriously. While there are many cybersecurity frameworks covering data privacy, none of them provide a dedicated privacy certification. Organizations can demonstrate compliance, however, they don’t get an official certification from a governing body. 

ISO 27701 is the first certification for privacy. 

For organizations, having a certification for privacy can help build trust with partners, vendors, customers, and other stakeholders. Having ISO 27701, in combination with the internationally-respected ISO 27001 framework, demonstrates your organization’s commitment to privacy. Organizations that hold an ISO 27701 certification must undergo surveillance audits each year, so your external stakeholders can feel confident that your organization is executing against best practices in accordance with ISO standards with a formal PIMS in place. 

Organizations are recognizing the value of ISO 27701 and ISO 27001. For example, Microsoft accepts ISO 27701 and ISO 27001 as a replacement to their own Supplier Security and Privacy Assurance (SSPA) program requirements. This demonstrates Microsoft’s strong trust in ISO’s frameworks and in ISO 27701’s privacy controls and data protection measures in particular. 

2. Strategically Certify Parts of Your Business 

Data moves through organizations in different ways depending on multiple factors. No two organizations are quite the same, and in some situations, the same organization can be both the controller and the processor of PII simultaneously 

Some of the factors influencing an organization’s status as a controller and/or processor can include: 

  • Industry (or industries) served 
  • Business model, such as software-as-a-service (SaaS) 
  • Regional or international presence 
  • Partnerships and subcontractor relationships 
  • And more 

However, because an organization may be both a controller and a processor of data at the same time, their data may not be subject to the same controls, depending on how it intersects with specific business activities. 

ISO 27701 is beneficial because it can be applied only to specific portions of an organization. In other words, an organization can carve out compliance as a controller or a processor of data—it does not have to get a blanket certification for the entire business. This is helpful for organizations with complex business models, where different sets of data may or may not require the same controls, include PII, etc. 

This feature differentiates ISO 27701 from regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which apply to the entire organization. In these laws and regulations, the organization as a whole must be compliant, regardless of the type of data or the organization’s role in generating, storing, or working with the data. ISO 27701 also differs from other standards, such as ISO 27018, which is an unaccredited standard and only applies to privacy in a public cloud  a much narrower range of applications. 

Together, ISO 27001 and ISO 27701 enables organizations to strategically certify the portions of their business that require the strictest privacy protection. 

3. Supports Several Privacy Laws and Regulations 

As noted, privacy is a growing concern for regulators and consumers alike. The rise of new privacy laws and regulations has forced organizations to think differently about their privacy programs.  

In fact, our recent 2021 Compliance Survey Report found that 48% percent of organizations claimed privacy regulations generated extra work. This rise is also making organizations more aware of the controls they need: 35% said they needed a higher level of cybersecurity controls. 

ISO 27701 maps against several key privacy regulations, which enables companies to more easily and strategically meet key regulations 

For example: 

  • ISO 27701 and the GDPR: ISO 27701’s privacy controls can help an organization demonstrate compliance with certain aspects of the GDPR, though it does not equate with GDPR certification. However, ISO 27701 does map to this landmark regulation in several ways. For example, the GDPR includes certain Articles that can be mapped back to the roles, responsibilities, and controls put forth in ISO 27701.  
  • ISO 27701 and CCPA: Driven by the state of California in the U.S., the CCPA includes articles and language very similar to GDPR, which has become the gold standard on which many up-and-coming privacy regulations are based. ISO 27701 doesn’t specifically map directly to the CCPA. However, due to the law’s similarities to the GDPR, ISO 27701 can help organizations comply with the controls and requirements of CCPA. 

For organizations working to comply with GDPR, CCPA, or other privacy regulations and laws, ISO 27701 and ISO 27001 provide the scaffolding to build a strong compliance program. Again, it is not a replacement for any of these privacy laws and regulations, and it does not guarantee compliance. However, it can help your organization build an information security management system (ISMS) and a PIMS that can meet some of the requirements of the GDPR, CCPA, and others.  

4. Integrates with Your Existing Audit 

Many organizations are completing numerous audits every year  in fact, our recent 2021 Compliance Benchmark Survey also found that 85% of respondents conduct more than one audit each year. With a busy slate, the last thing anyone wants are more audits and assessments. 

Because ISO 27701 only exists in tandem with ISO 27001, the standard does not add significantly to the auditing process. Organizations with ISO 27001 in place can simply integrate ISO 27701 into their existing ISO audit and assessment.

For organizations looking to complete the core ISO 27001 framework for the first time, adding ISO 27701 is not a huge undertaking. It can be worked into the overall process of creating an ISMS, collecting the necessary evidence, and assigning responsibilities to key personnel. 

5. Grows with Your Organization 

As organizations grow, the type of data processed may expand and can result in additional compliance obligations. For example, fast-growing organizations may: 

  • Expand to new geographic areas 
  • Bring on new partners, vendors, or subcontractors 
  • Drive business in new industries or sectors (some of which may include PII and be highly regulated, such as healthcare) 
  • Work with distributed teams across countries 
  • And more 

Meeting cybersecurity and privacy requirements is an ongoing process that can be made easier by building a framework which can be expanded as regulatory requirements continue to evolve.  

Having a PIMS in place is an excellent way to ensure your organization has a defined management system that can adapt to new cybersecurity and privacy obligations. As new workstreams start up, regulations come into play, and data enters the company, you will already have the framework needed to handle everything smoothly. Together, ISO 27701 and 27001 create that framework to handle increasingly complex compliance requirements.  

ISO 27701 and ISO 27001: Better Together 

ISO 27701 and ISO 27001 represent a powerful package with many benefits to organizations. With the underlying framework of ISO 27001 creating a strong ISMS and ISO 27701 ensuring a certifiable commitment to privacy controls, organizations can clearly demonstrate their maturity relative to cybersecurity and privacy. This can give peace of mind to stakeholders such as customers and vendors. Enhance your privacy by combining ISO 27701 and ISO 27001, and continue your compliance journey. 

Connect with an ISO Expert
Contact A-LIGN