ISO 27701 is a data privacy extension to ISO 27001. A Privacy Information Management System (PIMS) built on it gives an organization greater clarity and assurance about how it protects the privacy of personal data and how it meets the related legislative and regulatory requirements.
If an organization wishes to certify to ISO 27701, it must first have (or concurrently implement) ISO 27001:2013 certification.
If your organization acts as a data controller, a data processor, or both, this standard extends the ISO 27001 information security management system (ISMS) with additional privacy-specific requirements and controls. Through a privacy impact assessment, the organization identifies the risks to individuals' privacy and to the protection of their personally identifiable information (PII). Personal data is information that relates to an identified or identifiable individual.
Why Implement And Certify To A Privacy Information Management System (PIMS)?
- The basis of a functional PIMS is balanced between data protection and data privacy.
- Data protection means keeping data safe from unauthorized access.
- Data privacy means empowering individuals to make their own decisions about who can process their data and for what purpose.
- A PIMS gives individuals more control over their personal data.
- A PIMS supports individuals in managing their personal data in secure local, online, or hard-copy environments and in sharing those details when, and with whom, they choose.
- The requirement for a privacy impact assessment enables an organization to identify its risks to individuals' data privacy and data protection.
- The privacy-specific Annex controls of ISO 27701 (Annex A for PII controllers, Annex B for PII processors) are added to the ISMS and managed as part of a combined information security and privacy management system.
- A PIMS helps ensure compliance with the growing body of global privacy requirements.