Compliance

The business case to expand ISO 27001 certification with privacy controls

Will Dunphy

Senior Manager, Privacy and International Assurance, Coalfire

Third-party assurance for managing privacy risks is becoming table stakes for service organizations

Third-party inspections of organizational privacy risk are still a relatively new practice. Only five years ago, even a basic common controls framework for this risk taxonomy did not exist. Today, privacy has captured the collective global consciousness. Every segment, from regulators and industry watchdog groups to business customers and consumers, now puts the same question to its processors: how are you not only handling, but using, my personal data to provide your service?

For the mature enterprise, a Privacy Information Management System (PIMS) is now a requirement, not an option. Organizations with their Information Security Management System (ISMS) defined by ISO 27001 can and should extend their programs by including the new ISO 27701 criteria to support their PIMS.

A recent study by Cisco found that customer concerns related to a company’s data privacy practices have skyrocketed, and a third of those surveyed have switched providers over problems associated with compliance performance. The privacy benchmark study indicated that 90% of companies said external privacy certifications are a factor when selecting a vendor or a product. This means that organizations with internationally recognized privacy certifications, such as ISO 27701, hold a key advantage over uncertified competitors.

Since the release of the ISO 27701 standard in 2019, this accredited controls extension for data privacy requirements has been quickly adopted by the largest cloud providers and has formed a basis for several schemes in consideration as an approved General Data Protection Regulation (GDPR) certification (Art. 42).

Major cloud providers, like Microsoft, routinely ask for ISO 27701 certificates as part of their vendor due diligence process. By holding an ISO 27701 certificate, organizations can save time and effort during procurement or the approval stages toward being listed as a trusted partner. Instead of having a prospective vendor fill out lengthy privacy questionnaires that must then be carefully reviewed, more companies are simply asking contractors to provide an accredited ISO 27701 certificate to bypass this heavily manual procedure.

Because ISO 27701 is an extension of ISO 27001 and cannot be certified on its own, organizations that already hold ISO 27001 certification have a significant head start in meeting the ISO 27701 requirements. Establishing a PIMS and obtaining ISO 27701 certification is a proactive step that can be taken now to prepare for what is coming and for what customers already expect from their vendors.

Ease of implementation

For those companies that have yet to expand scope to ISO 27701, the hesitation is understandable. Businesses naturally avoid allocating resources to ever-expanding frameworks and regulations. We have experienced a monumental year of activity within the privacy regulatory landscape, and the constant demand for new demonstrations of conformity can be a burden. The good news, based on what we are seeing, is that the return on implementing a PIMS and upgrading existing programs far outweighs the risk and the resources required.

A PIMS aligned to the ISO 27701 standard can be handled effectively and efficiently. It immediately provides an organization with the means to demonstrate to business partners and customers that it has a mature privacy program that has been certified by an impartial and respected third party. Additionally, it provides a universal privacy control framework that can be mapped to emerging and existing regulations to reduce the effort required to comply with disparate privacy legislation. Here are the first steps your organization should take to integrate a PIMS into your existing ISMS.

Personally Identifiable Information (PII) Controller vs. PII Processor: The most significant scoping factor to consider when establishing a PIMS is the organization’s role as a PII Controller and/or a PII Processor. First, determine all the processing activities included within the scope of the PIMS. Then, consider whether there are any processing activities that should be removed from the scope based on requirements from interested parties. This results in a complete list of processing activities justified for inclusion.

The next step is to determine whether the organization acts in the role of a Controller or a Processor for each activity. PII Controllers decide the purpose (the "why") and the means (the "how") by which personal data is processed. PII Processors receive instructions from the PII Controller on how to perform the processing activity and why it is being performed. The International Standard provides helpful guidance for this exercise; however, work with your legal department so that your role as PII Controller and/or PII Processor for each activity is mutually agreed upon and corroborated with objective evidence (for example, the contracts and data processing agreements that define who sets the purpose and means).

Clause 5.1: Although Clause 5.1 of ISO 27701 is a single sentence, it contains the bulk of what you need to know about the standard's requirements. Clause 5.1 requires that all of the ISO 27001 requirements in Clauses 4-10 that refer to information security be extended to cover the protection of privacy as it may be affected by the processing of PII; the existing information security focus is not replaced, but broadened. Fortunately, the standard allows and encourages the organization to leverage existing ISMS processes when establishing a PIMS. In practice, this means existing governance documentation and processes can be updated to incorporate privacy considerations instead of creating entirely new processes. This integrated approach significantly reduces the level of effort it takes to stand up a PIMS.

Additional and Refined Requirements: The ISO 27701 standard includes eight additional or refined requirements that organizations need to address when implementing a PIMS. These requirements also build on existing ISMS processes and are intended to ensure sufficient privacy considerations have been implemented within certain critical areas, including risk assessment, risk treatment, internal audit, and management review.

Customer trust challenge

In recent years, the vast majority of the world’s major jurisdictions have enacted privacy legislation, and for enterprises, privacy budgets have doubled. Despite dramatic spending increases, only 35% of companies surveyed have a high-maturity privacy program. And, though around 70% of those feel equipped to handle changing privacy requirements without undue stress to their organization, those numbers drop off dramatically as we move down the privacy program maturity spectrum. Only 42% of medium maturity privacy programs claimed to be equipped to handle changing privacy requirements without significant stress. A meager 24% of low-maturity privacy programs felt adequately prepared.

The era of data privacy is still in its early stages; however, there is increasing pressure from a number of end user sources to adopt privacy best practices quickly while remaining competitive as customer patience wears thin. Cisco's data indicates that two-thirds of consumers surveyed now believe that how a company treats their data directly reflects how that company will deliver services and value them as customers.

Businesses, consumers, and governments are demanding more from privacy programs beyond the traditional self-attestation and alignment statements. Establishing a PIMS and obtaining ISO 27701 certification is a preemptive step that can be taken now to prepare for the evolving privacy environment and the expectations its data subjects carry.