ISO 27701:2019 Security Techniques


We are delighted to announce that Antaris has been recommended for certification to ISO 27701: 2019 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – requirements and guidelines, by the National Standards Authority of Ireland (NSAI), and we are the first company in the country to be so approved.

We are now certified as fully compliant with the General Data Protection Regulation (GDPR), because certification to ISO 27701 requires the implementation of a robust and comprehensive Privacy Information Management System (PIMS). Antaris has been certified to ISO 27001: Information security management system requirements for over 15 years. ISO 27001 specifies the requirements for an Information Security Management System (ISMS).

ISO 27701 is a bolt-on to ISO 27001 specifically for managing the risks of personal data processing, which are in addition to the other information security risks we already manage.

A PIMS assists in compliance with Article 5 through to Article 49 of the GDPR. There is a very useful table at the end of the standard which shows the mapping between the GDPR articles and the ISO 27701 controls.

Implementing ISO 27701 in addition to ISO 27001 requires the implementation of these additional requirements:

  • 6 additional sub-clauses: 2 for Clause 4 (Leadership) and 4 for Clause 6 (Planning)
  • 34 of the 27001 Annex A controls are extended to include privacy requirements
  • 31 new controls for data controllers
  • 18 new controls for data processors

Therefore, as both a data controller and a data processor, Antaris may need to include up to 83 extra controls in our Statement of Applicability (SoA), all of which are mapped to GDPR articles. There is also a requirement to include ‘and privacy’ in all references to information security, for example ‘Information Security and Privacy Risk Assessment’.

Over the next few weeks I propose to publish a series of blog posts detailing our experience of implementing ISO 27701, the benefits thereof, and how its requirements can be bolted on to an existing ISO 27001 ISMS.