No, it won’t automatically make you GDPR compliant, but it will help…

If you’re about to embark on the journey to ISO 27001, or if you’ve achieved the certification and are now in the process of maintaining it, then the new privacy information management extension to ISO 27001 is something you may want to consider.

It was purposefully developed to assist organisations in meeting the various new and improved privacy regulations being introduced across the globe. This very much includes the EU GDPR. It’s referred to as ISO/IEC 27701 and is essentially a management framework for protecting personal data – a Privacy Information Management System (PIMS).

Can I just have ISO/IEC 27701 on its own?

No, you can’t have ISO/IEC 27701 standalone; you need ISO 27001. There is a good reason for this. It has been designed to work harmoniously alongside the good work you will be doing, or are doing, in building, maintaining and continuously improving your ISO 27001 Information Security Management System (ISMS).

In GDPR terms, the PIMS will provide a framework of guidance & process within your existing ISMS for controllers & processors of personal and special category data.

Is ISO/IEC 27701 made to help me with GDPR/DPA 2018 compliance?

Yes and no. Undoubtedly the EU’s introduction of GDPR provided much of the impetus to get ISO 27701 done and dusted, but you need to bear in mind that ISO is an international standards organisation*, not a European one. Consequently, you will see that there is some breakaway from GDPR terminology, such as PII (Personally Identifiable Information) as opposed to Personal Data, and while the two definitions share a lot of the same DNA, they are not directly interchangeable. As with a lot of things GDPR, interpretation and understanding of the spirit of the regulation is required.

*Contrary to popular belief, ISO does not stand for International Standards Organisation.

Are Other Organisations Adopting ISO 27701?

Yes, many companies such as Microsoft see the benefit in implementing PIMS alongside ISO 27001. Julie Brill, Corporate Vice President and Deputy General Counsel of Privacy and Regulatory Affairs at Microsoft, said: “We applaud the ISO/IEC technical committee for developing this ground-breaking standard for privacy so that organizations of all sizes, jurisdictions, and industries can effectively protect and control the personal data they handle. As the next chapter of Microsoft’s commitment to extend the rights provided in the European Union’s General Data Protection Regulation to our customers globally, Microsoft Azure and Office 365 will implement the PIMS standard and will assist our customers and partners in adopting this interoperable model.”

How can Risk Crew help?

Glad you asked! The first thing you need is to become ISO 27001 certified – we’ve been helping clients of all shapes & sizes establish, implement, maintain and continuously improve ISO 27001 compliant ISMSs for many years and have helped 100s of companies achieve UKAS accredited ISO 27001 certification.

All our ISO 27001 compliance services are delivered by certified and seasoned practitioners and auditors who possess a host of industry-recognised information security governance, risk & compliance certifications such as CSX, CISSP, CISM and CRISC, ensuring they consider and address your business objectives throughout the compliance cycle.


Risk Crew