Meeting the demand for PIMS certification


A new international technical specification has just been published for certification bodies which offer audits and certification of privacy information management systems and those which are intending to do so. This blog post outlines why the standard came about and what it covers.

Given the proliferation of personally identifiable information (PII) online, the rapid of growth of criminality to exploit this, and parallel defensive developments in the regulatory environment globally, the ISO and IEC recognised the importance of producing a standard dedicated to personal information management security.

The new accreditation requirements are encapsulated in the Technical Specification, BS ISO/IEC TS 27006-2:2021 which specifies requirements and offers guidance for bodies which audit and certify a privacy information management systems (PIMS) according to ISO/IEC 27001 in combination with ISO/IEC 27001, in addition to the requirements stipulated within ISO/IEC 27006 (accreditation requirements for bodies offering audit and certification services for information security management systems) and ISO/IEC 27701 (Extension on privacy information management). In essence, BS ISO/IEC TS 27006-2:2021 primarily aims to support the accreditation of certification bodies providing PIMS certification by stating the requirements which need to be fulfilled in order to demonstrate the body’s competence and reliability to conduct a PIMS certification. .

The impetus for accredited guidance

Not unsurprisingly, following the publication of BS ISO/IEC 27701:2019, users of the standard wanted to gain certification to increase the security with which they were handling the personal information of employees, clients and customers. In doing so, this demonstrates their commitment in taking active steps towards safeguarding personal information through a standard that provides a systematic and cohesive approach.

As a result, some accreditation bodies responded by designing their own schemes to meet the increasing market requirements. This highlighted a growing demand for an accredited certification to the standard to provide a consistent certification approach globally.

The ISO and IEC needed to move quickly to provide an international standard to ensure global alignment between accreditation bodies and establish a robustly accredited certification process. They opted for the time-efficient process of developing a Technical Specification offering the flexibility of immediate use while concurrently obtaining feedback. The result is BS ISO/IEC TS 27006-2:2021 Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems.

Market Confidence: Valid and meaningful certificates

This new document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to BS ISO/IEC 27701 in combination with BS EN ISO/IEC 27001, in addition to the requirements contained within BS EN ISO/IEC 27006 and BS ISO/IEC 27701.

It is primarily intended to support the accreditation of certification bodies providing PIMS certification. This in turn better equips certification bodies with a consistent global approach for certifying companies against BS ISO/IEC 27001:2019 with certainty and confidence. The accreditation requirements laid out in BS ISO/IEC 27006-2 will give assurance that BS ISO/IEC 27701 certificates issued by accredited certification bodies are valid and meaningful.