Watch the Webinar: ISO 27701 New Privacy Standard: How We Got Certified & How You Can Too!
Learn how OneTrust achieved the world’s first ISO 27701 certification.
The Value of ISO 27701
ISO 27701 is a privacy extension to ISO/IEC 27001 that establishes additional requirements and provides guidance for the safeguarding of privacy as potentially affected by personal data processing. As the overlap of privacy and security regulations increases, so do the calls for new ways for these two teams to collaborate, communicate more effectively, and use common tools. Technology is needed for the maintenance and continual improvement of a privacy information management system (PIMS) in accordance with ISO 27701 (formerly known as “ISO 27552”), as well as the planning and implementation of global privacy laws and frameworks.
How OneTrust Helps
Privacy Information Management System (PIMS) Decision-Making
ISO 27701 includes a roadmap for determining both the internal and external issues that might affect privacy (including taking the interests of third parties into account) to determine scope and context, and then creating policies and procedures to match. Use the ISO 27701 Privacy Information Management System (PIMS) Planning template in OneTrust to assist with PIMS decision-making according to clause 5 of the ISO 27701 standard, including evaluating your organization and its context, understanding the needs and expectations of interested parties, determining the scope of the PIMS, identifying leadership roles and responsibilities, establishing and tracking objectives, defining risk criteria, and more.
PIMS Documentation
ISO 27701 requires a substantial amount of documentation to be created, reviewed, updated and properly controlled over the life of the PIMS. This documentation is vital to the effectiveness and continuous improvement of the PIMS, as well as to achieving and maintaining certification. Use the Document Repository in OneTrust to store and organize PIMS documentation in a central location for access by the PIMS Team and other need-to-know personnel.
Privacy Training, Testing and Attestation
ISO 27701 Clause 5.5 requires that employees and contractors be made aware of the organization’s privacy policy, their individual contributions, roles and responsibilities in the PIMS, and the consequences of not conforming to requirements. Annex A/B requires that all employees and contractors receive information privacy awareness education and training, as well as regular updates on applicable policies and procedures. OneTrust training templates, such as the “Privacy and Security Training Quiz and Attestation” template, can assist with testing the effectiveness of awareness training, as well as to record employee attestations to acceptable use policies or employee responsibility documents.
Internal Audits
Clause 5.7 requires that you conduct internal audits of the ISMS against the ISO/IEC 27701:2019 standard (including all of clause 5 and applicable Annex A/B controls). Additionally, Clause 5.7.3 calls for management reviews of the PIMS at planned intervals. Use the OneTrust ISO 27701 Audit Checklist template, a fully customizable questionnaire based on ISO 27701, to assist in conducting internal or external audits to evaluate the maturity and overall effectiveness of the PIMS, and to track corrective action plans. After completing an audit, OneTrust allows you to easily generate an audit report showing an overview of your answers, comments and evidence attachments.
Records of Processing Activities
Annexes A.7.2.8 and B.8.2.6 recommend organizations establish what records are necessary in support of its processing obligations, as well as maintain and preserve them. Organizations should create and maintain an inventory or detailed list of all the personal data processing activities it executes. With OneTrust, you can create and maintain inventories of your organization’s assets and vendors, the risks associated with each, and their owners within the organization. With Data Mapping Automation, collect information about the purpose, type and process by which personal data is being collected, used, stored, and transferred, as well as generate visualizations and data flow diagrams as tools for easier analysis and executive communication.
Risk Assessment and Treatment
Clause 5.4 requires the creation of a detailed risk assessment methodology that includes criteria for how to identify different levels of risk. Clause 5.6 then requires the implementation of these plans, for example, following the risk methodology when conducting risk assessments, setting risk treatment plans and tracking them to completion, calculating residual risk, and ensuring that all of this is documented in a controlled manner. Use OneTrust Assessment Automation, and an extensive gallery of questionnaire templates, to identify and calculate risks to individuals as a result of processing their personal information, and to craft and track risk treatment plans.
Supplier, Processor, and Vendor Management
According to clause 6.12.1.2, organizations should include specific terms in contracts between themselves and any subcontractor. Clause 7.2.6 states that contracts between the organization and any personal data processor should require implementation of the appropriate Annex B controls. Clause 7.5 recommends that organizations determine and document the applicable basis for international transfers of personal data. Use OneTrust Vendorpedia, third-party risk management software, to automate the vendor engagement lifecycle, from onboarding to offboarding, to help obtain and maintain ISO 27701 certification.
Incident & Breach Response
Clause 6.13.1.1 states that an organization’s incident management process should feature the responsibilities and processes related to identifying and recording breaches of personal data processing. Enable self-service reporting of security incidents and weaknesses, maintain incident and breach records, evaluate against breach notification obligations, and analyze overall risk with connections to your underlying inventories of data, processing activities, assets and vendors. OneTrust can be used to put incident management policies and procedures into action.
Data Subject & Consumer Rights Management
Annex A.7.3 details that individuals should be provided with the proper information about the processing of their personal data. An organization should establish, document, and uphold their obligations to Individuals as demanded by legal and business requirements. OneTrust provides a standardized way for privacy programs to receive requests and manage them in a centralized system. Additionally, to tailor a branded web form – linked from your company’s privacy policy web page – as well as the ability to receive notification of a submitted request, validate the identity, and automatically file an extension if a deadline is approaching.
Consent & Preference Management
Under ISO 27701, consent must be obtained, where applicable, from individuals and recorded so that details, such as when consent was provided, proof of identity of the individual, and the consent statement, can be provided on request. Use OneTrust Consent Management tool to demonstrate compliance with granular records of consent. OneTrust provides the platform and instruments necessary to collect valid consent as required by ISO 27701, as well as privacy regulations such as GDPR, CCPA, and LGPD.