wesecure@roboyo.pt +351 932 942 002


INFORMATION PRIVACY MANAGEMENT SYSTEMS [SGPI / PIMS]

Implementation and certification of Privacy Information Management Systems
Since the introduction of the General Data Protection Regulation (GDPR), and the continuous growth of comparable data protection laws worldwide, there has been an increasing need for a standard or code of conduct to support compliance.
Although there are already publications and standards discussing data protection, many of them are not international, primarily focusing on data protection requirements and best practices in specific jurisdictions.
For example, BS 10012 is based exclusively on the GDPR and the UK Data Protection Act (DPA) 2018, making it a strong candidate for organizations whose interest is primarily regional.
An approach based on international best practices, by contrast, should be adaptable to other frameworks and should not impose requirements that depend on specific legislation. Crucially, this means that ISO 27701 supports compliance with a broader international range of data protection and privacy legislation, including the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA) in the U.S.
Thus, ISO/IEC 27701 (Security Techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines), published in August 2019, aims to fill the assurance gap and provide a genuinely international approach to data protection as an extension of information security.
Originally based on ISO 27552, ISO 27701 provides specific requirements and guidelines for establishing, implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS) as an extension of the Information Security Management System (ISMS) defined in ISO 27001. It considers the privacy protections required for the proper processing and handling of personally identifiable information (PII).
ISO 27701 applies to data controllers (including joint controllers) and data processors (including sub-processors), regardless of the jurisdictions and sectors in which they operate.
Some considerations of this ISO 27701 standard:

  •     It focuses on new requirements and controls in its annexes, aimed at the protection of personal data;
  •     It adds value when implemented, as it allows the organization to demonstrate accountability (compliance and responsibility) under the GDPR;
  •     It is privacy-oriented and built on ISO 27001;
  •     Certification under this standard first requires ISO 27001 certification.



STAGES FOR IMPLEMENTING ISO 27701

WeSecure's specialized team prepares your organization for ISO 27701 certification by implementing the requirements, policies, procedures, and controls from Annex A and Annex B, tailored to the scope and reality of your organization, with a focus on successful implementation and/or certification.
We will assess whether your organization acts as a Data Controller, a Data Processor, or both, and propose the appropriate privacy controls. We typically follow these steps, which include but are not limited to:

  •     We conduct an assessment of the current state of the existing ISMS against the requirements of ISO/IEC 27701 and propose an action plan to implement the pending actions identified.
  •     We perform a Rapid Process Scan to identify all personal data processed by your organization across its business processes, mapping the assets that hold personal data and the respective processing relationships between controllers and processors.
  •     With a well-defined team and profiles, we understand the context of your organization and the applicable requirements and regulations, and we produce all documentation necessary for governance, raising privacy policies to the level required by ISO 27701.
  •     We adapt the ISMS with the actions necessary for implementation, with particular focus on risk assessment and the Statement of Applicability (SoA), and promote its continuous operation through the respective improvement processes.


GET TO KNOW THE STRUCTURE OF ISO 27701

ISO 27701 presents its content by clause (similar to other ISO standards), with clauses 5 to 8 establishing the additional requirements and adjustments to be applied to ISO 27001, requiring special attention.
CLAUSE 5 - Specific PIMS Requirements

This clause covers all ISO 27001 clauses and identifies where additional content is required. Most ISO 27001 clauses remain unchanged, with the exception that ISO 27701 requires the organization to recognize its need for data protection within its context, which then informs all other requirements.
Another notable addition affects risk assessment, which must consider the organization's role with respect to personal data (whether it acts as a controller or a processor) and how this role affects the risks to personal data. A further key aspect is the introduction of new controls, allowing your organization to align its controls with a broader set, including those from ISO 27701.

CLAUSE 6 - Specific Implementation Guidance

This clause provides additional content for the control guidance defined in ISO 27002.
It introduces a high-level change: all references to "information security" are to be understood as also including privacy protection.
Controls with a potentially significant impact on privacy and data protection receive more extensive guidance (for example, the topics of removable media, encryption, and secure development).

CLAUSE 7 - Additional Guidance for Controllers

Clause 7 provides guidance on the controls in Annex A of ISO 27701, which are privacy-specific to the role of Data Controller. These controls address many critical areas of data protection and privacy that are not covered by the controls in ISO 27001.
The standard therefore provides the controls for Controllers in Clause 7.

CLAUSE 8 - Additional Guidance for Processors

Clause 8 provides guidance on the controls in Annex B of ISO 27701, which are privacy-specific to the role of Data Processor.
These controls address many critical areas of data protection and privacy that are not covered by the controls in ISO 27001.
The standard therefore provides the controls for Processors in Clause 8.



EXPERIENCED TEAM

We have the experience to support implementation and/or certification against the international standard ISO/IEC 27701 (as an extension of ISO 27001).

We have specialized resources available to work in this area as a senior team, using agile methodologies and holding international certifications, including but not limited to:

  •     ISO 27701 Lead Auditor
  •     Internationally certified DPOs
  •     ISO 27032 Lead Cybersecurity Manager
  •     ISO 27001 Lead Auditor
  •     ISO 27001 Lead Implementer
  •     ISO 27005 Senior Lead Risk Manager
  •     Certified Information Security Manager
  •     Certified Information Privacy Manager
  •     Certified Information Privacy Professional

YOUR TRUSTED PARTNER

We are certified by international standards:
  •     ISO 27001 (since 2018)
  •     ISO 9001 (since 2003)
All the areas covered by our certifications focus precisely on our specialized services.

With pride, our clients impartially testify to our work.
Know who they are and talk to them.
It's common in cybersecurity...
We're here for you.


Contact us for more information

WESECURE HEADQUARTERS

Rua Soares dos Reis, nº765 - 3
4400 - 317 Vila Nova de Gaia
PORTUGAL

Contacts

+351 932 942 002

+351 223 744 827

(Call charges may apply)

WE HAVE OFFICES IN 14 COUNTRIES AROUND THE WORLD. Come visit us at:
