Will ISO 27701 Be the New GDPR Certification?

Coalfire Assessment Team

November 20, 2019

On August 6, ISO published the ISO/IEC 27701:2019 (“ISO 27701”) standard, which lays out the requirements for implementing an organizational program to govern the handling of personally identifiable information (PII), known as a Privacy Information Management System (PIMS). In many ways, the new standard melds the traditional ISO 27001 framework with a host of controls drawn from the European Union’s General Data Protection Regulation (GDPR), and it even references the GDPR directly. The implications of ISO 27701 for the world of privacy compliance could be quite significant.

To understand its potential ramifications, we must first look at what has come to pass since the GDPR took effect. The regulation was transformative in setting a very new, very high bar for the privacy rights attached to citizen data. For companies that serve EU citizens, non-compliance has come, in some cases, at a shockingly high price: companies like Marriott, Facebook, and Google have seen hundreds of millions of dollars in fines from the Member States for privacy breaches. To date, there has been no certification standard against the GDPR, making it harder for companies to obtain cyber insurance against such fines.

Given the rigor of the privacy controls laid out in ISO 27701 and their alignment with GDPR, and should the new framework be accepted by governing bodies of Member States, ISO 27701 could well become the “certification mechanisms” foreshadowed within GDPR’s Article 42.

Let’s look at some of the key takeaways from the standard:

  • Many experts and privacy leaders anticipated the release of this framework due to the possibility of a related third-party audit program being aligned to this publication. If accepted by governing bodies of Member States, ISO 27701 could be synonymous with the “certification mechanisms” described within GDPR Article 42.
  • Within Annex D, the ISO 27701 standard maps the overlap between its provisions and Articles 5 through 49 of the GDPR, while excluding Article 43, which sets out the requirements for bodies that certify against the GDPR.
  • ISO 27701 is not yet governed by accreditation bodies, such as the United Kingdom Accreditation Service (UKAS) or the ANSI National Accreditation Board (ANAB), of the kind implied by Article 43 of the GDPR. Even so, certification bodies are expected to begin auditing against this new international standard almost immediately, despite no established scheme having been defined at the International Accreditation Forum (IAF) level.
  • This landmark international standard builds on the existing ISO/IEC 27001:2013 (“ISO 27001”) requirements for an Information Security Management System (ISMS) and expands the embedded objectives to address privacy-related risks.
  • ISO 27701 defines two roles with which an organization can align: PII Controller and PII Processor. These replace the EU GDPR terms Data Controller and Data Processor, respectively.
  • If the organization serves as a PII Controller, ISO 27701 describes an additional thirty-one (31) controls that could be applicable based on risk; for the PII Processor, an additional eighteen (18) controls have been defined beyond the expanded ISO 27001 objectives.
  • Similar to ISO 27001, the PIMS permits organizations to select controls based on inherent risks through the use of a Statement of Applicability, which has been refined within Section 5.4.1.3 and requires relevant justifications for exclusions, such as exceptions made by legislation and regulation including those affecting the PII Principal (i.e., “Data Subject” as described by the GDPR).

Should ISO 27701 become a certification framework for the GDPR, organizations stand to gain specific benefits. Where the GDPR requirements previously had no mechanism for demonstrating compliance, a standard with a rigorous third-party audit requirement would allow enterprises to concretely demonstrate their adherence to its controls, backed by the rigor of the well-respected ISO program. An attested compliance program is also far easier to leverage in cyber insurance contracts, giving organizations better protection against enforcement body investigations and fines.

Regardless of whether ISO 27701 becomes the framework for the GDPR or not, Coalfire views this new standard as an important milestone that continues to push privacy-related risks into the continuous improvement cycle championed by ISO standards, while aligning with requirements of the GDPR.

We believe third-party conformity assessment bodies, such as Coalfire, will be best equipped to inherit these new provisions and develop integrated audit programs that will be accepted by the international community.