Five questions and answers about ISO 27701, the promising privacy standard

By Martin Zinke

In August 2019, ISO 27701 was published: an international standard for privacy management. That sounds promising. Can we now finally get ourselves certified for the GDPR? Actually, the answer to that question is both "yes" and "no". That is not a clear answer, so it requires some explanation.


1. What is the ISO 27701 standard?

ISO 27701 is a standard for a Privacy Information Management System (PIMS). ISO 27701 supplements ISO 27001, the standard for an Information Security Management System (ISMS).

In a Management System, you define how you organize data protection: how you deal with risks, what policies you follow, and how you manage your controls. By combining the management system for information security with the management system for privacy, you ensure a combined approach to data protection.

2. Am I GDPR-compliant if I comply with the ISO 27701 standard?

Complying with the ISO 27701 standard does not mean that you are GDPR-compliant. It does mean that you are dealing with privacy in a structured way. The ISO standard is also not made only for Europe and the European privacy law (the GDPR). The standard is made for global use and is intended as a foundation for privacy management in all countries worldwide. If an organization obtains an ISO 27701 certificate, that does not say that the organization complies with the GDPR. It does say that the organization is "in control" when it comes to privacy.

The standard contains good and relatively practical guidelines for those responsible for data processing (controllers) and for their processors. These are very similar to the controls required by the GDPR. When these guidelines are applied in an organization, hardly any additional controls are needed in light of the GDPR.

3. Is it advisable to use ISO 27701 separately from ISO 27001?

The guidelines from the ISO 27701 standard are, on their own, practical tools to improve privacy. The privacy officer can use these guidelines, for example, to draw up a set of requirements for a processor, or to assess the quality of existing privacy measures. In addition, ISO 27701 contains specific requirements for the management system. These are practically identical to those of ISO 27001 for information security. Both, for example, use largely the same "Plan-Do-Check-Act" cycle for topics such as risk management, assessment of incidents, and the effectiveness of controls. It would simply be a waste of investment to organize this workflow differently for information security and for privacy.

4. Can I get certified yet?

It is possible to have your organization audited against ISO 27701. An audit organization then determines whether you meet the requirements of the standard. But be careful: that is different from having yourself certified. Certification against ISO 27701, as is also possible against ISO 9001 or ISO 27001, means that the audit is performed by an audit organization that is accredited for this purpose. The advantage of this accreditation is that you can be sure that the certifier meets strict quality requirements. Not all auditors have this accreditation (issued, for example, by the Dutch Accreditation Council). Certification against ISO 27701 is therefore possible, but make sure that the audit organization is accredited.

By the way: articles 42 and 43 of the GDPR also mention a certification possibility, but that is different from certification against ISO 27701. The certification mechanism in these GDPR articles has not yet been worked out in practice and is not expected for the time being.

5. Is it worthwhile to apply ISO 27701 now?

ISO 27701 is extremely useful, both as an addition to an existing management system and as a stand-alone set of standards for a variety of privacy issues. The measures from the ISO 27701 standard are an effective way to ensure that the necessary attention is paid to privacy within an organization. When VKA specialists are asked whether "we can set up privacy within the organization", we increasingly use ISO 27701 as the reference framework.

In addition, directors, supervisory boards, and Data Protection Officers can already use the ISO 27701 standard to assess for themselves whether an organization is handling privacy in the right way, even if this does not result in a formal certificate.

