TAMPA, Fla., April 15, 2020 -- Tampa-based CPA firm and leading provider of attestation and compliance services, Schellman & Company, LLC (Schellman), announced today that it has become one of the first certification bodies to receive accreditation to perform accredited assessments against ISO/IEC 27701:2019 (“ISO 27701”). The accreditation was issued by the ANSI National Accreditation Board (ANAB), and includes the requirements for an organization to implement and maintain a Privacy Information Management System (PIMS) as an extension of their ISO/IEC 27001:2013 (“ISO 27001”) Information Security Management System (ISMS).
“Becoming accredited for ISO 27701 was a critical component of extending Schellman’s reputation as one of the only companies in the marketplace that allows service providers to obtain assessment services related to both security and privacy through a single vendor,” says Avani Desai, President of Schellman.
There has been much market anticipation regarding the release of this standard, which was formally published in August 2019 and titled Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management – Requirements and Guidelines. Now in place, the standard’s objective is to provide organizations with additional guidance and requirements specific to elements of the ISMS, as well as additional control guidance and implementation requirements for the controls listed in Annex A. Also included are considerations from ISO/IEC 27018 and ISO/IEC 29100 that support an effective PIMS as an extension to an organization’s ISMS.
As such, the elements introduced by the new ISO 27701 represent a bigger task for any organization that may have previously incorporated ISO/IEC 27017:2015 (“ISO 27017”) or ISO/IEC 27018:2019 (“ISO 27018”) into its management system, but they should benefit those that would be considered a controller or processor of personally identifiable information (PII) within the context of their ISMS. For organizations that already have a structure and processes in place to support the requirements of GDPR, the transition to conform to ISO 27701 may be somewhat simpler, and vice versa. Even so, such organizations still need to ensure that these processes are effectively implemented within the scope of the PIMS/ISMS.
“ISO 27701 allows an organization to validate their privacy program as a certification across any jurisdiction worldwide. This is something new for the privacy world, where one certification for a privacy program is not yet in place outside of ISO 27701,” says Debbie Zaller, Principal and Privacy Practice Lead with Schellman.
Because ISO 27701, unlike ISO 27017 and ISO 27018, includes these specific requirements for management system components, accreditation bodies saw the need to implement an accreditation scheme to ensure that certification bodies are competent and capable of assessing an organization’s PIMS against ISO 27701.
“Accreditation allows a deeper sense of confidence in the market, ensuring that a certification body has undergone a formal review to account for performing assessments with an effective methodology and qualified professionals,” says Ryan Mackie, Principal and ISO Practice Director with Schellman.
Nevertheless, ISO 27701 remains an extension of ISO 27001, not a separate certification. Organizations that complete a successful audit can expect to receive an ISO 27001 certificate that references conformance with ISO 27701 as a component of their scope statement, demonstrating that they meet its requirements and have implemented effective controls relevant to their privacy program.