May 18, 2022

Minne Sotais

Politics Loaded For Bear

Wanted Controls for ISO 27701 Privacy Famework

Though theoretically an organization could adopt ISO 27701 as a individual standalone framework to implement to an organization’s privateness program, the framework was conceptualized as an extension of the ISO knowledge security criteria. As a end result, it is organized dependent on the assumption that an group already has a security software that is built off of ISO/IEC 27001:2013 (Information and facts safety administration techniques) and ISO/IEC 27002:2013 (Code of apply for facts security controls).

The demands and controls of the ISO 27701 framework are divided into 4 sections. The very first two sections detect which of the ISO 27701 and ISO 27002 safety controls are adopted (possibly directly or with slight modification or more guidance) for reasons of the privateness framework:

ISO 27701 Part


Selection of subparts / controls adopted from the ISO safety frameworks into the ISO privacy framework

Area 5

Amendments and modifications to ISO/IEC 27001:2013 to account for details privateness related principles. This area is intended to implement to all organizations.


Section 6

Amendments and modifications to ISO/IEC 27002:2013 to account for details privacy similar principles. This section is intended to implement to all corporations.


Most safety sections were adopted with minor modification other than to interpret the phrase “information security” as referring to “information security and privateness.” The adhering to delivers an example of a side-by-aspect comparison of the needs beneath the stability framework and the privateness framework:

ISO 27001 (safety)

ISO 27701 (privacy)

§ 5.3. Top management shall assure that the obligations and authorities for roles related to facts safety are assigned and communicated. Top rated management shall assign the obligation and authority for: (a) ensuring that the data safety administration technique conforms to the specifications of this Intercontinental Typical and (b) reporting on the performance of the info security management system to prime administration.

§ 5.3.3 Prime management shall guarantee that the responsibilities and authorities for roles suitable to information and facts security and privacy are assigned and communicated. Best management shall assign the obligation and authority for: (a) ensuring that the information and facts security and privacy management method conforms to the requirements of this International Regular and (b) reporting on the overall performance of the data security and privacy management system to best administration.

Other security sections were being adopted in conjunction with textual refinements or added implementation direction.

The next two sections identify new guidance (independent and aside from advice contained in the security frameworks) that utilize to controllers and to processors as people terms are recognized less than the European GDPR:

ISO 27701 Section


Number of new subparts / controls

Portion 7

New steerage for controllers


Portion 8

New steering for processors


©2021 Greenberg Traurig, LLP. All legal rights reserved.
National Law Evaluation, Quantity XI, Variety 174