The ISO 27701 Episode
Transcript
Introduction to the Guest and Topic
Host Ally Krings introduces Suzette Corley, a Privacy Auditor at Kirkpatrick Price. The conversation focuses on ISO 27701, an international standard that extends ISO 27001 to include privacy management. Suzette shares her experience earning the ISO 27701 certification and explains its significance for organizations seeking to strengthen privacy practices.
What is ISO 27701?
ISO 27701 is an international standard designed to help organizations establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). It supports compliance with global privacy regulations such as GDPR and CCPA by adding a privacy layer to the existing ISO 27001 security framework.
Why was ISO 27701 Created?
While ISO 27001 addresses information security, it offers limited coverage of privacy. ISO 27701 was introduced to fill this gap, providing a unified standard for multinational organizations to manage personally identifiable information (PII) effectively. It ensures global recognition and enhances trust with customers and regulators.
What does ISO 27701 Certification Involve?
Suzette explains that earning the certification is a rigorous process. It includes a full week of online training with exercises and coaching, followed by a four-hour essay-based exam with 12 detailed questions. After passing the exam, candidates submit work references, audit hours, and professional credentials for review by the certifying board. The process can take several weeks and is considered one of the most challenging certifications.
How does ISO 27701 Relate to ISO 27001?
There is approximately a 60% overlap between ISO 27701 and ISO 27001. While ISO 27701 can stand alone, most organizations benefit from implementing both standards together. Adding ISO 27701 to ISO 27001 demonstrates accountability in handling PII, aligns with global privacy laws, reduces regulatory risk, enhances trust with customers and regulators, and streamlines privacy operations by integrating with existing security systems.
Who Should Consider ISO 27701?
Organizations that would benefit include financial services firms expanding into the EU, healthcare technology providers handling patient data, companies processing large volumes of PII, and global enterprises seeking alignment with diverse privacy laws across regions such as APAC and EMEA.
Does ISO 27701 Guarantee GDPR Compliance?
No. ISO 27701 is a voluntary standard, whereas GDPR is a legal regulation. ISO 27701 helps organizations operationalize GDPR requirements but does not replace legal compliance. Key differences include nature (ISO is voluntary; GDPR is mandatory), scope (ISO is global; GDPR applies to EU member states), and enforcement (ISO compliance is verified through audits; GDPR compliance is enforced through regulatory fines).
How to Prepare for ISO 27701 Certification?
Organizations should start with a readiness or gap assessment to identify deficiencies and areas for improvement. This involves reviewing people, processes, and procedures against ISO 27701 controls. Based on findings, organizations can implement recommendations and resources to achieve certification readiness.
Final Thoughts
Suzette emphasizes that ISO 27701 is a natural complement to ISO 27001 and provides organizations with confidence in their compliance posture. It is especially valuable for companies expanding globally or handling sensitive data. As privacy concerns grow alongside advancements like AI, adopting ISO 27701 positions organizations for success.
Additional Expert Insights
Mike Wise, Principal Cloud Security Architect at Kirkpatrick Price, highlights the importance of configuration standards in cloud environments. He recommends using CIS Benchmarks to establish a strong security baseline and ensure resources are configured according to industry best practices.
Notes
KirkpatrickPrice is on a mission to help 10,000 people elevate the standards for cybersecurity and compliance. Join Our Cybersecurity Mission. In this episode, Privacy Auditor Suzette Corley dives into ISO 27701.
ISO 27701 – Information Security and Privacy Management Systems: https://www.iso.org/standard/27701
2 Minutes on ISO 27701
Join Our Cybersecurity Mission: https://www.linkedin.com/showcase/our-cybersecurity-mission