
What to Know About The Much Anticipated ISO 27701:2019

For those that were monitoring the wire, ISO/IEC 27701:2019 (ISO 27701) was released the week of August 5th. In draft form it was previously labeled ISO/IEC 27552, which is why that specific standard number has not been issued. You can obtain a copy of the published version here: https://www.iso.org/standard/71670.html.

What is the Objective?

There has been much market anticipation for the release of this standard. It is titled Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines. Its objective is to provide organizations with additional requirements and guidance specific to elements of the information security management system (ISMS), as well as additional control guidance and implementation requirements for the controls in Annex A (with considerations drawn from ISO/IEC 27018 and ISO/IEC 29100), that together support an effective privacy information management system (PIMS) as an extension to an organization's ISMS. The beauty of ISO 27701 is that it is intended to be applicable to any organization that would be considered a controller or processor of personally identifiable information (PII) in the context of its ISMS.

The Structure of ISO 27701

The standard is broken down by clauses, each of which provides additional requirements or implementation guidance on 1) necessary modifications to the ISMS (Clause 5), 2) additional information security controls (Clause 6), 3) additional controls for PII controllers (Clause 7), and 4) additional controls for PII processors (Clause 8). The standard also includes six Annexes, which cover:
  • Annex A – PIMS-specific control objectives and controls for an organization acting as a PII controller
  • Annex B – PIMS-specific control objectives and controls for an organization acting as a PII processor
  • Annex C – Mapping to ISO/IEC 29100
  • Annex D – Mapping of the controls in ISO 27701 to the European Union General Data Protection Regulation (GDPR)
  • Annex E – Mapping to ISO/IEC 27018 and ISO/IEC 29151
  • Annex F – Explanation of how ISO/IEC 27001 and ISO/IEC 27002 are extended to the protection of privacy when processing PII

How Would an Organization Approach 27701?

As extensions to the ISMS go, ISO 27701 is a much bigger task than organizations may have experienced when previously adding ISO/IEC 27017 or ISO/IEC 27018 to their management systems. The effort must consider key modifications to the overall ISMS structure and requirements, modification of existing controls from Annex A, and the implementation of the control objectives and controls relevant to a PII processor or PII controller. For organizations that already have a structure and processes in place to support the requirements of GDPR, the transition to conform to ISO 27701 may be somewhat simpler; however, they still need to ensure that those processes are effectively implemented within the scope of the ISMS.

For any scope modification, including incorporating ISO 27701 into your ISMS, there are some necessary tasks to complete:
  1. Perform a gap assessment of your existing ISMS to the requirements of ISO 27701
  2. Assign owners to identify gaps and produce an action plan as to how to address those gaps
  3. Revise the design of the ISMS to incorporate these new requirements
  4. Perform the necessary activities on the revised ISMS, including but not limited to the risk assessment, measurement and monitoring, internal audit, and management review
  5. Assess the output from the operation of the revised ISMS to ensure that it meets both the existing and the net-new requirements, and that any areas of deficiency or nonconformance are processed through the formalized continual improvement or corrective action process

How Soon Can I Implement ISO 27701?

With this standard being relatively new to the market, there will be early adopters and market drivers. However, it is important to note that, given the criticality of this standard's objective, ISO is looking to identify specific requirements, both in competency and in process, that certification bodies must adhere to when performing an audit against ISO 27701. These pending requirements may require certification bodies to modify their existing methodology and approach to ISO 27701 assessments, which could lengthen the timeline before an external audit can be properly performed. If new requirements are issued, that may in turn give most organizations additional time to appropriately implement ISO 27701 into their ISMS.

Schellman will continue to monitor any updates and will be sure to communicate them as they unfold. Additionally, we plan to publish a detailed guide to ISO 27701 in the coming month to help organizations better understand its approach and requirements.

You can contact Schellman's team if you need more information or would like a consultation on ISO 27701 and how it can be added to your organization's ISMS.

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301, as well as CSA STAR certification services. He has over 25 years of experience. Ryan is also an active member of the CSA and co-chairs the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.