Privacy Information Management

ISO/IEC 27701:2019 Overview

ISO/IEC 27701 is a standard that specifies requirements and provides guidance for managing personally identifiable information (PII) within the context of an information security management system (ISMS). The management system it defines is called a privacy information management system (PIMS). ISO/IEC 27701 extends the requirements of ISO/IEC 27001:2013 and the guidance of ISO/IEC 27002:2013 to cover the protection of PII and the privacy of the PII principals affected by PII processing.

At Coral, we have a well-defined methodology for implementing ISO/IEC 27701 and the privacy information management system it describes. Because ISO/IEC 27701 is an extension of ISO/IEC 27001, certification is issued alongside, or as an extension of, an ISO/IEC 27001 certificate; organizations without one can still use the standard's requirements for a standalone readiness assessment. We begin by identifying whether an organization acts as a PII controller, a PII processor, or both, since this determines which of the standard's annexes apply (Annex A for controllers, Annex B for processors), and then guide the organization through a step-by-step process to determine the applicable requirements and implement the standard.

What is ISO/IEC 27701:2019?

ISO/IEC 27701:2019 is a privacy extension to the international standard for information security management systems (ISMS), ISO/IEC 27001:2013. It provides requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) within the context of an organization. The standard is designed to help organizations protect personally identifiable information (PII) by extending the requirements of ISO/IEC 27001 and the controls of ISO/IEC 27002 to cover privacy management.

What is our approach to ISO/IEC 27701:2019 implementation?

  1. Gap analysis: We start with a gap analysis to establish the current state of the organization's privacy management practices and to identify the gap between that state and the requirements of ISO/IEC 27701.

  2. Scoping: Based on the results of the gap analysis, we work with the organization to define the scope and boundaries of the Privacy Information Management System (PIMS), including which PII processing activities are covered and whether the organization is in scope as a PII controller, a PII processor, or both.

  3. Documentation: We then help the organization develop and document the policies, procedures, and controls required by the standard, providing templates and guidance on how to produce the documentation.

  4. Implementation: Once the documentation is complete, we help the organization put the PIMS into operation by implementing the documented policies, procedures, and controls.

  5. Training: We provide training to the relevant employees on the PIMS and how to use it effectively.

  6. Internal audit: We conduct an internal audit to determine whether the PIMS is operating effectively and conforms to the standard, and to identify areas for improvement before the certification audit.

  7. Certification: Finally, we work with an accredited certification body to obtain certification of the organization's PIMS, which is issued together with or as an extension of its ISO/IEC 27001 certification. We provide guidance on how to prepare for the certification audit and respond to any findings.