July 29, 2021

Volume XI, Number 210

Advertisement

July 28, 2021

Subscribe to Latest Legal News and Analysis

July 27, 2021

Subscribe to Latest Legal News and Analysis

July 26, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Thinking Beyond the Law: If Our Organization Adopts the ISO 27701 Privacy Framework, How Many Controls Do We Need to Address?

While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to an organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards. As a result, it is organized based upon the assumption that an organization already has a security program that is built off of ISO/IEC 27001:2013 (Information security management systems) and ISO/IEC 27002:2013 (Code of practice for information security controls).

The requirements and controls of the ISO 27701 framework are divided into four sections. The first two sections identify which of the ISO 27701 and ISO 27002 security controls are adopted (either directly or with slight modification or additional guidance) for purposes of the privacy framework:

ISO 27701 Section

Description

Number of subparts / controls adopted from the ISO security frameworks into the ISO privacy framework

Section 5

Amendments and modifications to ISO/IEC 27001:2013 to account for data privacy related concepts. This section is intended to apply to all organizations.

21

Section 6

Amendments and modifications to ISO/IEC 27002:2013 to account for data privacy related concepts. This section is intended to apply to all organizations.

114

Most security sections were adopted with little modification other than to interpret the term “information security” as referring to “information security and privacy.” The following provides an example of a side-by-side comparison of the requirements under the security framework and the privacy framework:

ISO 27001 (security)

ISO 27701 (privacy)

§ 5.3. Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management shall assign the responsibility and authority for: (a) ensuring that the information security management system conforms to the requirements of this International Standard; and (b) reporting on the performance of the information security management system to top management.

§ 5.3.3 Top management shall ensure that the responsibilities and authorities for roles relevant to information security and privacy are assigned and communicated. Top management shall assign the responsibility and authority for: (a) ensuring that the information security and privacy management system conforms to the requirements of this International Standard; and (b) reporting on the performance of the information security and privacy management system to top management.

Other security sections were adopted in conjunction with textual refinements or additional implementation guidance.

The next two sections identify new guidance (separate and apart from guidance contained in the security frameworks) that apply to controllers and to processors as those terms are understood under the European GDPR:

ISO 27701 Section

Description

Number of new subparts / controls

Section 7

New guidance for controllers

31

Section 8

New guidance for processors

18

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 174
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement