“You can do security without privacy, but you can’t do privacy without security”
Since privacy laws came into force, and in Europe the GDPR in particular, we have seen an increase in the number of ISO 27001 certifications as well as a shift in the type of companies getting certified. Why? Because privacy compliance cannot be achieved efficiently without proven security governance.
But while ISO 27001 certification can improve an organisation's security posture and better prepare it to meet its privacy regulatory obligations, the information security management system (ISMS) standard itself does not provide a privacy framework or privacy-specific controls. This is why the new ISO 27701 standard was introduced.
During the Swiss Cybersecurity Days 2021, we were invited to speak about the ISO 27701 standard: What are its benefits in the current business landscape? How to initiate a successful and sustainable privacy compliance program whilst avoiding common roadblocks and pitfalls?
Laurent Deheyer, Approach Director, who has conducted many successful ISMS and ISO 27001 certification projects for clients, shared his tips and tricks.
What is the ISO 27701 standard?
ISO/IEC 27701 is an extension to ISO/IEC 27001 (which specifies the requirements for an information security management system) and ISO/IEC 27002 (which provides implementation guidance for information security controls), covering privacy information management.
It specifies the requirements for a Privacy Information Management System (PIMS) and provides guidance for data controllers and data processors, i.e. the parties holding responsibility and accountability for the processing of personal data.
It also includes mapping to:
- ISO/IEC 27018, which provides additional guidance for organisations acting as processors of personal data in public cloud services.
- ISO/IEC 29151, which provides additional controls and guidance for the processing of personal data by controllers.
- The EU General Data Protection Regulation (GDPR).
Used in conjunction with ISO/IEC 27001, the standard can, if desired, provide independent verification, through certification, of the evidence that an organisation manages personal data in line with these requirements.
How can ISO 27701 help your organisation in your privacy challenges?
Does your organisation have to deal with multiple or changing privacy laws, creating significant operational overhead to achieve, maintain and demonstrate compliance? Adopting an internationally recognised standard lets you first build a single management framework and then layer local specifics on top of it. This improves efficiency and reduces operational costs.
Are you adopting cloud technologies, as a consumer or as a provider? Then privacy and data protection are critical elements of your cloud adoption strategy, and standards such as ISO 27018 and ISO 27701 give interested parties (customers, regulators, auditors) a recognised basis for assurance.
The ISO 27701 standard adds requirements such as defining clear roles and responsibilities between data controllers and data processors, and treating privacy risks together with information security risks in a single risk assessment. It includes privacy-specific guidance for controls such as awareness, classification of information, access control and encryption, and it gives direction for supplier management and other privacy-specific measures such as 'privacy by design'.
How to drive a successful implementation?
First and foremost, you need to define your objectives for implementing ISO 27701. These will depend on the level of maturity that you want or need to achieve in a given timeframe.
Because ISO 27701 is an extension of ISO 27001, a PIMS presupposes an ISMS and cannot be certified on its own, so your trajectory depends on your starting point:
- You already have an ISMS aligned with ISO 27001: plug the privacy components into your existing management framework.
- You don't have an ISMS: you can either build the ISMS first and add the PIMS afterwards, or build both in parallel. Running both in parallel is the most efficient option, but whether it is feasible depends on your company's ability to absorb change.
In either scenario, implementing a management system means committing to a continuous improvement lifecycle (plan, do, check, act), not a one-off project.
Secondly, identifying key enablers is essential to succeed. These vary with the size and complexity of your organisation:
- People: Find allies within your organisation, because this is first and foremost a change management exercise.
- Methodologies: Adopt project management methods in line with your company's culture. Create visibility through a well-defined communication plan and focus on quick wins.
- Tools: Depending on the size and complexity of your company, select tools that fit your needs rather than adapting your needs to a tool.
How to tackle roadblocks and pitfalls?
Typical roadblocks you may encounter when launching such a project include:
- Organisational priorities: ISMS or PIMS projects easily become secondary because they don't generate a tangible direct revenue stream, at least until your customers start demanding certification.
- Change management: Implementing an ISMS and a PIMS means changing behaviours, and there will always be people reluctant to change.
- Lack of understanding: Explaining the value of such initiatives is hard when stakeholders do not grasp the underlying risks.
- Budget: Estimating the cost of such initiatives is not a trivial exercise.
In terms of pitfalls, we usually observe problems when roles and responsibilities are not clearly set, in which case conflicts of interest may appear during the implementation.
Secondly, it is crucial to select the right scope: aiming for the largest possible scope from the start creates hurdles, especially for a low-maturity organisation. It is better to select a smaller scope and extend it over time.
When selecting a scope, keep two things in mind:
- Make sure that the chosen scope brings value to your interested parties.
- Do not exclude parts of the organisation or systems that are needed to manage security and privacy properly (for example, the shared IT services that process the in-scope personal data).
Finally, as with any project, poor planning will affect your ability to deliver on time, on quality and on budget. Ensure that someone with project management skills is involved to keep things on track.