Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Standard

ISO 27701

The ISO 27701 establishes requirements and guidance for developing, managing and improving a Privacy Information Management System (PIMS) for activities in privacy management involving personally identifiable information (PII). ISO 27701 focuses on security techniques and is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.

Who should use ISO 27701?

The requirements of ISO 27701 apply to all types and sizes of data controllers and/or processors who process PII including private and public entities, government entities, and non-profit organizations.

Key requirements of ISO 27701

Designation of privacy leader

Organizations should appoint one or more privacy officials to develop, implement and manage an organization-wide privacy governance program/policy to outline procedures to comply with relevant data protection laws and regulations. Privacy officials shall also be responsible to provide support to all organizational stakeholders on their responsibilities related to data protection tasks.

Prioritize privacy by design and default

Organizations should apply principles and related tools of privacy by design and default into all layers of the information system for the secure management of PII (e.g. practicing data minimization to collect and process only the necessary PII).

Mechanisms for data deletion

Organizations should establish policies and technical mechanisms to permanently delete, de-identify, return and/or transfer PII when the purpose of processing becomes obsolete or the PII retention period has expired.

Vendor Management

Where PIMS will be outsourced, organizations should regularly assess the vendor’s privacy and data processing practices for compliance to organizational objectives and relevant data protection laws, verify the vendor’s security posture, and consider applying privacy by design and default principles to the outsourced PIMS.

Implementation of security protocols

Organizational and technical security policies and procedures shall be implemented to safeguard confidential PII, including, but not limited to, access controls to prevent unauthorized copying of PII by terminated employees/contractors during the notice period of termination, and segregating overlapping areas of responsibilities and privileges to prevent unauthorized access.

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

PrivacyCentral

Privacy program development and compliance management

Automatically identify gaps and track compliance with PrivacyCentral for PC DSS v4.0, SOC2, ISO (e.g. 27701, 31700-01, 27550, etc.), NIST, and other privacy and security standards.
Nymity Research

Guidance and operational templates

Stay ahead of framework changes with expert guidance, ensuring your security and program practices remain compliant and up to date. Operationalize quickly with expert written operational templates for sample policies, checklists, training, and more.

Data Inventory Hub & Risk Profile

Complete risk management process

Automate your data inventory mapping with TrustArc’s Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.
Assessment Manager

Mitigate risks for vendor management

Use pre-built DPIAs, risk, and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

FAQs

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top