BARR Certifications is excited to announce the addition of ISO/IEC 27701 to our suite of certification services. BARR recently earned this accreditation by the ANSI National Accreditation Board (ANAB), the largest multidisciplinary accreditation body in North America, which approves BARR to perform certification services to both ISO/IEC 27001 and 27701 standards.
Let’s take a look at some highlights of the newly added ISO 27701 service and BARR’s certification process.
ISO 27001 versus ISO 27701—What’s the Difference?
Established in 2005, ISO 27001 defines requirements for an Information Security Management System (ISMS). The framework helps organizations manage the security of services, data, intellectual property, or any information entrusted to them by a third party.
As an extension of ISO 27001, ISO 27701 was implemented in August 2019 as a way to outline requirements for establishing, implementing, maintaining, and continually improving an organization’s Privacy Information Management System (PIMS).
ISO 27701 provides guidance for organizations complying with international privacy regulations such as the General Data Protection Regulation (GDPR). It’s a highly effective way of demonstrating an organization’s commitment to data privacy.
Understanding the difference between security and privacy is important when looking at both ISO 27001 and ISO 27701. Security is the process or system in place to protect data, whereas privacy refers to an individual’s ability to control access to their personal data.
Because privacy depends on security, ISO 27701 depends on having ISO 27001 in place—it cannot be obtained independently.
Take a look at some key differences and similarities between ISO 27001 and ISO 27701 below.
[Figure: key differences and similarities between ISO 27001 and ISO 27701. Source: BARR Advisory]
Who Benefits from ISO 27701?
“For organizations eager to stand out in a crowded market of cloud service providers, these certifications serve as differentiators that not only demonstrate the maturity of your information security management systems, but also affirm your commitment to protecting and securing consumer and third-party data,” said BARR founder and president Brad Thies.
Similarly to ISO 27001, ISO 27701 uses a risk-based approach, which means organizations adopting ISO 27701 are not required to implement every possible control for every situation. Instead, BARR will work with you to identify, prioritize, and mitigate risks according to your organization’s specific needs.
Organizations should also understand the context in which they handle data: as a controller or as a processor, both terms defined in the GDPR. A data controller is the entity that determines the “why” and “how” of processing personal data, while the data processor is the entity that performs the data processing on the controller’s behalf.
You’ll want to consider ISO 27701 if your organization:
- Handles both controller and processor-specific controls
- Wants to demonstrate a commitment to privacy
- Is small to medium-sized or enterprise level—all sizes can benefit from this certification
- Needs to comply with GDPR standards
- Already has an ISO 27001 certification in place
The ISO 27701 Certification Process
BARR serves as your trusted partner throughout each step of the way. See below for our step-by-step approach to ISO 27701 certification.
- Pre-Certification: BARR begins with pre-certification activities. We will conduct a client evaluation and engagement acceptance review. As part of this process, we’ll need information on your PIMS scope and system boundaries to determine fee arrangements and resourcing needs.
- Pre-Assessment (optional): BARR offers an optional pre-assessment. This is not a required step but a formal readiness assessment against the ISO/IEC 27701 standard, and it can help organizations prepare for initial certification. The desired outcome is to identify deficiencies in the client PIMS seeking certification to the ISO/IEC 27701 standard prior to the certification audit.
- Initial Certification Audit: The next step is the initial certification audit, which includes two stages. Stage 1 is an evaluation of the management system and documentation with a primary focus on the design of the system. The Stage 2 audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client location(s). BARR Certifications will then determine if it will issue certification to the client.
- Surveillance Audit: If an initial certificate is issued, it’s valid for three years. Surveillance audits are conducted at least annually to help ensure a certified organization maintains its compliance with the standard.
- Recertification: Before the certificate expires, BARR Certifications and the client will plan arrangements for recertification.
- Notice of Changes: If during the three-year certification cycle there are changes to the scope of the certification (i.e., reduction or expansion) or changes to requirements, these will be discussed with the BARR Certifications team.
“We’re excited that our recent accreditation for certification to ISO/IEC 27701 gives us another tool in our belts to help companies achieve their security and compliance goals,” Thies said. “In the months and years to come, we look forward to continuing to find new ways to work toward our mission of creating a more secure world.”
Interested in learning more about obtaining your ISO 27701 certification? Contact us for free today.
Read SuperbCrew.com’s interview with Brad Thies.