To compare ISO 27001 vs. 27701, we need to see how both of these international standards work. While ISO 27001 focuses on information security management, ISO 27701 focuses on data privacy. They’re both used by many companies that store or process personal data and other types of information.
We’ll be looking at both of these standards to compare them and clarify the differences. Find out how they affect businesses and how to use them as part of a continuous improvement program.
What is ISO 27001?
ISO 27001 is the standard covering information security management. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides the framework for companies to protect their sensitive information.
It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Any organization that collects, stores or processes sensitive data, or has to show customers and regulators that it protects that data, should take this standard into account.
The standard sets out clauses covering the context of the organization, leadership, planning (including risk assessment and risk treatment), support, operation, performance evaluation and improvement; Annex A lists the reference controls from which the organization selects the ones that apply to it. Carried out correctly, it lets you protect the confidentiality, integrity and availability of the information held, across end-to-end business processes rather than in isolated systems.
An accredited certification body audits the ISMS to verify that the organization meets all the requirements and, if it does, issues the certificate confirming that the necessary standard in information security management has been achieved.
How to obtain the ISO 27001 certification for an information security management system
ISO 27001 certification is obtained by following these steps.
Understand the requirements of the standard and the roles that need to be filled in the information security process.
Set up a project to implement the processes needed to obtain ISO 27001 certification. It requires senior management buy-in and the appointment of a project manager to lead the process.
Define the scope. This is where you confirm which parts of the business the ISMS covers: the locations, departments, systems and processes that will be subject to the security controls. Anything left outside the scope is not covered by the certificate.
Carry out a risk assessment. Identify the information assets in scope, the threats to them and the likelihood and impact of each risk, then compare the current security and privacy policies and processes against the requirements to find the gaps that need to be closed.
The next step in obtaining an information security management system (ISMS) certification is to implement the selected controls and record them, with the reasons for including or excluding each one, in the Statement of Applicability. This is likely to involve staff training and new process creation.
A certification body can then audit the ISMS and, if it complies, issue the certificate. After that, internal audits, management reviews and the certification body's surveillance audits keep information security on the company's agenda and are needed to retain the certificate.
What is ISO 27701?
ISO 27701 was created as an extension to ISO 27001 and ISO 27002, and it builds on both. It adds the requirements for a privacy information management system (PIMS) that governs how personally identifiable information (PII) is handled. Because it is an extension rather than a standalone standard, it cannot be certified on its own: the organization must implement and certify an ISO 27001 ISMS, either before ISO 27701 or in the same audit, and in practice most organizations certify the two together.
It extends the original standard by adding privacy-specific requirements and key terms. These cover how to handle PII, such as customer data and employee details, and the standard distinguishes between organizations that act as PII controllers and those that act as PII processors. ISO 27701 was designed as a global privacy framework that can be mapped to regulations such as the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), LGPD in Brazil and PDPA in Singapore, so that one management system can support several regional compliance obligations.
How to obtain the ISO 27701 certification for a privacy information management system
Obtaining this data privacy certification requires the company to complete the following steps.
Have a valid ISO 27001 certification in place, since it confirms that the business meets the foundation standard. It can be obtained before or at the same time as ISO 27701, depending on the certification body's approach.
Put a PIMS in place. It needs to cover the ISO 27701 requirements for handling PII across the full lifecycle: lawful collection, processing, use, storage, retention and deletion.
Establish a process to identify and mitigate privacy risks. This builds on ISO 27001's risk assessment, but adds privacy-specific risks such as unlawful processing, failure to honour data subject rights and breaches of PII. Incident response must therefore cover PII breaches and the notifications they may require under the applicable laws, alongside the other security incident procedures.
PII controllers and PII processors each need to follow a set of controls. These are set out in Annex A (for PII controllers) and Annex B (for PII processors) of ISO/IEC 27701, and the PIMS has to show how each applicable control is met; an organization that plays both roles applies both annexes.
Demonstrate ISO 27701 compliance by maintaining accurate documentation, as part of continuously improving the PIMS and adding controls as needed. Certification bodies review this documentation during audits, and annual surveillance audits, with recertification on a three-year cycle, check that compliance is maintained.
ISO 27001 vs ISO 27701: Key differences
Looking at the key differences between these standards helps show the different ways they work. The table below outlines the main areas to be aware of.
Aspect | ISO 27001 | ISO 27701 |
Overall focus | Information security management (ISMS) | Privacy information management (PIMS) built on the ISMS, mapped to privacy laws |
Area covered | All digital and physical information the organization holds | Specifically, personally identifiable information (PII) |
Type of certification | Foundational standard; can be certified on its own | Extension of ISO 27001; can only be certified together with, or on top of, an ISO 27001 certification |
Target audience | Any organization that handles information and security assets | Organizations acting as PII controllers and/or PII processors |
ISO 27001 vs ISO 27701: Key similarities
While there are some major differences between ISO 27001 and ISO 27701, there are also crucial similarities to consider. The two standards are linked in the following ways. Genome holds both ISO 27001 and ISO 27701 certification, so client data is safeguarded by security and privacy measures that meet both international standards.
The ISO 27000 family structure
Both are part of the ISO 27000 family of standards, which together provide a framework for setting up and maintaining an information security management system. ISO 27701 reuses the structure and clauses of ISO 27001 and adds privacy requirements to them, which is why an ISO 27001 certification is needed before, or alongside, the ISO 27701 certification.
This close link means that confusion can arise if the differences between ISO 27001 and ISO 27701 aren't fully understood. Staff who collect PII, or who process it on behalf of others, need to understand their responsibilities for data security and privacy at every stage.
Continuous improvement PDCA model
Both standards are built on the continual improvement cycle of the PDCA (plan-do-check-act) model, and certification is not a one-off event. Companies can use them as the basis for processes that keep improving how they handle data and other assets.
Even once ISO 27701 has been added as the second certification, continuous improvement is still required. This is why both standards place so much weight on controls and processes that key personnel can follow, so that compliance is maintained between audits.
Risk assessments and audits
Both standards require risk assessments and an internal audit programme to be carried out effectively. Under ISO 27001, the risk assessment identifies and evaluates risks to the confidentiality, integrity and availability of the information and other assets that the organization handles.
Under ISO 27701, privacy risks to PII, and to the individuals it relates to, must be identified and addressed as well. In both cases, adequate resources need to be allocated so that competent staff carry out risk assessments regularly, and the security and privacy issues found are resolved as part of the process.
Dual certification is efficient and complementary
The two certifications complement each other. By obtaining both, businesses can show that they look after both security and privacy. Rather than settling for ISO 27001 alone, adding ISO 27701 helps the company improve its handling of personal data further, and certifying both in one audit cycle saves effort because the PIMS reuses the ISMS's policies, risk process and audit programme.
The benefits of ISO 27701 on top of ISO 27001
While continued compliance with ISO 27001 as a standalone certification is important, the additional privacy controls in ISO 27701 make it well worth adding on top of the foundation standard.
The second certification directly addresses privacy risks to an internationally recognized standard. That matters, as privacy regulations are now commonplace across the globe.
Obtaining the ISO 27701 certification helps businesses demonstrate how they meet GDPR, CCPA and other relevant regulatory requirements. It does not by itself guarantee legal compliance, which remains the regulator's judgement, but it provides audited evidence of the controls behind it. Meeting both standards boosts the trust the business inspires in clients, partners and regulators.
ISO 27001 vs 27701: which one to choose and when?
When deciding between ISO 27001 and ISO 27701, there are several key points to take into account.
ISO 27001 is suitable for any company that faces cybersecurity risks. It gives the organization a systematic way to protect the information assets it holds, whether or not they include personal data.
ISO 27701 adds requirements for looking after PII and for meeting data privacy regulations. It is needed when PII is being handled, whether the company acts as a PII controller, a PII processor or both. The controller and processor guidance in the standard lets the company extend its security policies with privacy controls that match the latest requirements for processing personally identifiable information.
Security and privacy are both strengthened when ISO 27001 and ISO 27701 are implemented together under one continuous improvement programme. It significantly lowers the company's information security and privacy risks and shows a proactive approach to potential threats.