cyBARR Chats Episode 17: ISO 27701

Director of Cyber Risk Advisory Angela Redmond explains what ISO 27701 is, why organizations might need it, and how BARR’s step-by-step approach to certification simplifies the process.


Claire McKenna: [00:00:00] Hello everyone, and welcome to today’s episode of cyBARR Chats. BARR Certifications is now accredited for ISO/IEC 27701 audits as of July, and we’re excited to have this offering as part of our suite of services. We’re joined today by Angela Redmond, Director of BARR’s Cyber Risk Advisory Practice, to discuss what ISO 27701 is and how it might help your organization.

So Angela, welcome. Let’s kick it off. What is ISO 27701?

Angela Redmond: ISO 27701 was released in August 2019, and it’s an extension of ISO 27001. It outlines requirements for establishing, implementing, maintaining, and continuously improving an organization’s privacy information management system, also known as the PIMS.

It is an internationally accepted [00:01:00] standard and essential for organizations that process personally identifiable information, or PII. ISO 27701 was developed to provide guidance for organizations complying with international privacy regulations such as the EU General Data Protection Regulation, or GDPR.

It’s a highly effective way of demonstrating an organization’s commitment to data privacy.

Claire McKenna: Got it. So in this context, what is the difference between privacy and security?

Angela Redmond: Privacy refers to the individual’s ability to control the access to their personal data, whereas security is the process or system in place to protect that data.

Privacy depends on security. Similarly, ISO 27701 depends on having ISO 27001 in place. It cannot be obtained independently. [00:02:00]

Claire McKenna: Got it. And what kinds of organizations might benefit from obtaining an ISO 27701 certification?

Angela Redmond: So similar to ISO 27001, ISO 27701 uses a risk-based approach. Organizations adopting ISO 27701 are not required to implement every possible control for every situation.

Instead, organizations should understand the context in which they handle data, as either controllers or processors. These terms are also part of GDPR. ISO 27701 includes both controller-specific and processor-specific controls. So regardless of the context in which your organization handles data, you may want to consider ISO 27701. Organizations of all sizes and industries that want to demonstrate a commitment to privacy can benefit from ISO 27701. [00:03:00]

Claire McKenna: Got it. So you’ve already touched on this a little bit, but could you just explain a little bit more about how ISO 27001 and ISO 27701 relate to each other?

Angela Redmond: Yes. So like we mentioned previously, privacy depends on security. Consider ISO 27701 as an additional arm of ISO 27001. It can only be implemented when an organization also has an ISO 27001 certification.

Claire McKenna: Okay, got it. And could you explain BARR’s step-by-step process and approach to certification?

Angela Redmond: BARR begins with pre-certification activities. We’ll conduct a client evaluation and an engagement acceptance review. And as part of this process, we will need information on the PIMS scope and boundaries of the system to determine fee arrangements and [00:04:00] resourcing needs.

The next step is the initial certification audit, which includes two stages. Stage one is an evaluation of the management system and documentation, with primary focus on the design of the system. The stage two audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client locations.

BARR Certifications will then determine if it will issue certification to the client. If an initial certificate is issued, it’s valid for three years. Surveillance audits are conducted at least annually to help ensure a certified organization is able to maintain its compliance with the standard. Before the certificate expires, BARR Certifications and the client will plan arrangements for recertification.

Claire McKenna: Got it. Thank you for that explanation. What type of effort and commitment is required [00:05:00] on the behalf of an organization to obtain an ISO 27701 certification?

Angela Redmond: So like we mentioned previously, ISO 27701 is an extension of ISO 27001, and thus the effort and commitment required to obtain an ISO 27701 certification isn’t too much more than ISO 27001.

The scope includes some additions and extensions to the ISO 27001 Annex A.

Claire McKenna: Got it. And my last question for you today is: can ISO 27701 guarantee coverage under the GDPR?

Angela Redmond: The short answer is not completely, but it can help position your organization for GDPR compliance. There is no official certification or report that can guarantee GDPR compliance. ISO 27701 is a management system that covers many [00:06:00] aspects of GDPR and demonstrates an organization’s commitment to protecting privacy, but it does not guarantee GDPR coverage. Since ISO 27701 can be scoped to specific aspects of an organization and is scalable, an organization can have ISO 27701 in place for parts of their business and still not be GDPR compliant.

Claire McKenna: Got it. That is very good to know. Well, that was my last question for you today. So Angela, thank you so much for sharing all of your valuable insight into ISO 27701. And to our audience:

Please contact us if you’re interested in learning more about ISO 27701, and we look forward to seeing everyone next time on cyBARR Chats.