Cyber Risk Advisory

Waking up to the new realities of privacy risk and the need for focused expertise


David Forman

VP, Privacy and International Assurance, Coalfire


Last month, Coalfire announced that our certification body had earned yet another of many “firsts.” In this case, Coalfire was the first to expand its registration to a second accreditation body for its certification services related to ISO 27701, the standard that governs privacy information management.

This standard was released in August 2019 and became available as an accredited service in February 2020. More than a year later, fewer than a dozen audit providers in the world have become accredited to it, despite the booming field of data privacy it addresses. We’re proud of our achievement, but we are left wondering why our competitors aren’t keeping up in the face of increasing privacy risk. After all, we preach to our clients to remain proactive against the evolving regulatory landscape – why is the same message not a minimum expectation of nearly every provider whose business is to evaluate risk?

Privacy: a good indicator of which companies are keeping up with change

For all compliance professionals, the principal trend of the last five years is the emergence of data privacy. The General Data Protection Regulation (GDPR) effectively forced worldwide participation. More recently, we’ve seen the evolution of longstanding privacy rules, agreements, court precedents, and regulations designed to increase transparency, protect the consumer, classify and inventory data, and enforce alignment of business practices on a global scale.

Companies scrambled to keep pace with a quickly developing landscape of laws and minimum best practices for maintaining data privacy. For many years, any privacy audit was either a self-assessment or a one-off, third-party assessment by a CPA firm or similar that would give you an opinion report on how they thought your organization matched up to specific criteria. These assessments lacked weight, as they were only as good as the assessor staff performing them, and that staff member was likely not doing many of these unpopular inspections.

In August 2019, data privacy made its debut in the form of ISO 27701, which meant organizations could now certify to data privacy – more accurately, demonstrate conformity to the requirements of a Privacy Information Management System (PIMS). This was big news, as there was no single attestation or certification framework being accepted by commercial organizations globally until this publication.

Coalfire immediately received inquiries and met the new demand for data privacy assurance. There was apparently an appetite for an objective benchmark.

While interest started off strong, real adoption of ISO 27701 showed up about six months later, when accreditation became available to the market. Without accreditation, a certificate issued against ISO 27701 was nothing more than that auditor’s opinion on conformity. With accreditation, the certificate carries credibility, because accreditation dictates common criteria: minimum knowledge and experience requirements for the assessor, the amount of time the auditor must spend inspecting a system, and the sampling methods to apply before reaching an assessment conclusion.

At Coalfire, we believe certification should be irrefutable. Applicants are motivated to seek third-party assurance to demonstrate to their customers that they do not also need to perform their own audit of the service provider, as that activity was already performed by an independent auditor against a recognized scheme (in this case, ISO 27701).

First in substantive certification

The ANSI National Accreditation Board (ANAB) released an accreditation rule in February 2020, which was the only accreditation program for ISO 27701 in the world at the time. The next month, Coalfire had completed the application workflow and was announced as part of the first group of accredited certification bodies for the ISO 27701 standard. Only one other certification body had taken similar interest in this development and shared the designation of the world’s first accredited certification body for ISO 27701.

One year later, Coalfire has added to that accreditation with an alternate accreditation body registration through the United Kingdom Accreditation Service (UKAS).

Why did Coalfire need a second accreditation for the same standard? We heard it from our customers, and we responded with immediate action.

Step one of implementing any management system is understanding the context of your organization and the needs of your interested parties. Our customers were our interested parties, and they were giving us the heads-up that our certificates were being challenged after issuance with questions like:

“What is the ANAB?”

“How does an auditor based in the USA understand data privacy laws affecting the type of data that we manage within the jurisdictions that we operate?”

Each of these questions is a real concern and should be formally addressed by any accreditation. However, they were not being satisfied, and they were causing heartache for our certified organizations, who had already completed a thorough audit of their PIMS and were now being tested after the fact by the end customers receiving the certification.

Our customers told us that ISO 27701 is being viewed as the closest thing to certification to the European Union GDPR (spoiler: ISO 27701 is not GDPR certification). They told us that their Europe-based customers were more interested in UKAS certificates than ANAB. And, our customers told us that the ANAB is viewed as the accreditation body of the United States and carries a reputation that comes with being American, whether that be residual from Snowden’s disclosures or the policies of the Trump Administration.

In many circles, UKAS is viewed as the most reputable accreditation body in the world. This is a result of its tenure working with British Standards (BS) that eventually became ISO 9001 and ISO 27001 (among others) as well as UKAS’s rigor in how it manages its certification bodies.

Coalfire sought dual accreditation for ISO 27701 because it meant providing our customers a more substantive certification that would truly be accepted and recognized globally. Considering which regions’ data privacy actions are most active, we are simply surprised that a US-based certification body was the first to receive dual accreditation for this standard and was also the first to receive this expansion decision with the UKAS distinction. The accreditation rule for UKAS was first made available in July 2020 and then later updated in November 2020.

One of the certification divisions associated with the Big 4 announced last month that it had finally received accreditation via Raad voor Accreditatie (RvA), a lesser-known accreditation body in the Netherlands. This was the first certification body associated with any Big 4 firm to receive accreditation for ISO 27701, and it came a year after accreditation became available.

Are these audit providers taking a wait-and-see approach before deciding to pursue a lengthy path of accreditation expansion that requires time, resources, and investment? While speed should not be a determinant of the legitimacy of any certification body, these delays do point to the prioritization these bodies may be demonstrating. That is a byproduct of being spread too thin and having only a generalist view of ISO standards.

Would you prefer an auditor that demonstrates the same sense of urgency your own product teams exhibit when releasing new features, or one that waits to see what the rest of the market is going to do?

The challenge we pose to our customers and prospective clients is to view your auditor as a partner similar to any other critical vendor. We want partners that understand privacy is a risk right now.