What are the ISO/IEC 27701 implementation steps?
There are three steps that introduce you to the ISO/IEC 27701 requirements and to privacy information management certification.
Step 1 Understanding the requirements
If your organization already has an ISO/IEC 27001 ISMS, you can get started with ISO/IEC 27701. If not, you have to start by implementing an ISMS.
The guidance and requirements for an ISO/IEC 27701 Privacy Information Management System (PIMS) span 8 different clauses and 6 annexes, including personally identifiable information (PII) controls and mappings to related standards and the GDPR.
It’s vital that you understand all of the guidance, requirements and controls and ensure they are appropriately implemented across your organization.
Once you have the standard and understand the requirements, you’re ready to move on to Step 2, Implementing ISO/IEC 27701, and show that you take protecting personal information seriously.
Here are some top tips for successful ISO/IEC 27701 implementation:
- Establish a project team to implement the PIMS to get the best results
- Secure commitment across your organization, including your leadership team, employees and supply chain
- Regularly engage with your leadership team and key stakeholders
- Clearly define your organization’s role as a data processor, a data controller or both
- Compare your existing privacy processes and controls with the ISO/IEC 27701 requirements
- Get supply chain and stakeholder feedback on your current privacy processes and controls
- Adapt the basic principles of the ISO/IEC 27701 standard to your organization
- Motivate and support your staff through training courses
- Create a more consistent approach throughout the data processing supply chain by encouraging others to implement ISO/IEC 27701
- Regularly review your ISO/IEC 27701 system to make sure it remains effective and that you are continually improving it
Step 3 Certification
Once you have implemented the requirements, you are ready to begin the certification process for ISO/IEC 27701.
First, you need to find a certification body accredited by UKAS or by the national accreditation body in your country.
The assessment has two stages, in which we assess the implementation of your privacy information management system. Across those two stages we check the procedures and controls within your organization to make sure that they are working effectively, as required for ISO/IEC 27701 certification.
When your PIMS achieves certification, you’ll receive your ISO/IEC 27701 certificate, which is valid for three years.