How does ISO/IEC 27701 differ from ISO/IEC 27001?

With the advent of GDPR, came a real need to take 27001 and provide greater assurance to the organization, to our customers, and to our clients that we have got the necessary controls in place. Not just to manage information in general, but specifically to look at and to concentrate on personally identifiable information that we’re either going to have to process or control.

To facilitate this additional assurance that organizations felt that they needed, ISO/IEC 27701 was created. So, what is it?

It is a Privacy Information Management System (PIMS) that is an extension of your current information security management system. It’s still information, but you’re looking at that specific information with regard to privacy and privacy management. As with all management system standards, it is not legislative, but what it does allow you to do, is put controls in place with a focus on specific pieces of legislation.

We, as an organization, or you, as an organization, can determine what pieces of legislation are related to the implementation of the PIMS extension. By definition, it’s an extension, so you are required to have ISO/IEC 27001 already. You’re taking those processes, those policies and procedures that we already have in place and just applying additional consideration when acting as a Personally Identifiable Information (PII) controller, or a PII processor.

You have got to apply the exact same set of requirements for 27701 as you do for 27001. You just have to apply that consideration when processing personally identifiable information to those requirements. There are also some additional considerations around the context of the organization. For example, there may be a change to your internal and external issues. There may also be additional interested parties that you need to consider. There are enhancements to your risk assessment and risk treatment processes as well.

Other differences? 27701 is not set out as our Annex SL high-level structure as 27001 is. So, the numbering system is slightly different, but it follows the same format.

What organizations need to consider is what their role is, with regard to this framework. Depending on what you’re acting as there are further clauses to consider:

• A PII Principal-  Principals provide their PII for processing to PII Controllers
• A PII Controller- Controllers determine why (purpose) and how (means) the processing of PII takes place
• A PII Processor- Carries out the processing of PII on behalf of, or in accordance with, instructions of PII Controller
• Third-party- Receives PII from a PII Controller or PII Processor

Although ISO/IEC 27701 is an extension to ISO/IEC 27701, can you gain a separate certification?

Yes. Simple as that- it is an extension, but it is a certification in its own right. If you are successful in your certification audits, you will have a certificate for 27001, and you will have another certificate for 27701. But you cannot have 27701 without being certified to 27001. Additionally, the scope of your 27701 management system cannot exceed the existing scope of your 27001 ISMS. It could be a subset, but can’t exceed it.

Are all organizations acting as a PII controller due to the fact that they have their own employees’ personal data?

Yes. As the custodian of that personal data, we decide how it is to be used. As a result of that, we would be seen as acting as the PII controller.

But I guess from a certification perspective, does that have to be within the scope of your ISO/IEC27701 management system? Not necessarily, that would be a decision for the organization to take. If you process client data and the only data you control is your employee data, the business drive is to satisfy your customers and your clients rather than purely GDPR, then you may say, “Right, okay. We’ll concentrate on the processor aspect.”  That said if you can’t protect your own, how can you protect others?

For more information on ISO/IEC 27701, please visit our pages

About our expert:

Mike Edwards

Mike specializes in information security, business continuity and quality management systems. He has extensive security experience and has been a regular speaker at international conferences on information security in the defence sector. Mike is one of our tutors and regularly teaches delegates about ISO 9001, ISO 22301 and ISO/IEC 27001. Prior to becoming a BSI tutor, Mike spent over 20 years in the Royal Navy in a variety of information security roles.