ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a PIMS (Privacy Information Management System), by means of a set of requirements, control objectives and controls that integrate and extend those defined in ISO/IEC 27001:2013 for information security management.
Organizations that have already implemented an ISMS (Information Security Management System) according to ISO/IEC 27001 can use ISO/IEC 27701 to extend the scope of their information security management to privacy management, including the processing of personal data (PII, Personally Identifiable Information), in order to demonstrate compliance with mandatory personal data protection legislation such as the GDPR (General Data Protection Regulation (EU) 2016/679, see Article 42).
Organizations that do not yet have an ISMS can implement ISO/IEC 27001 and ISO/IEC 27701 together, simply extending the requirements provided by 27001 and by its “code of conduct” (ISO/IEC 27002); it is not necessary to build two management systems and/or separate implementations.
The ISO/IEC 27701 standard has been designed for use by any organization, whether acting as data controller or as data processor. Like ISO/IEC 27001, the standard is built on a risk-based approach, so that each organization that wants to achieve and maintain compliance addresses the specific risks to personal data processing and privacy to which it is exposed. The standard applies to all organizations, regardless of size or sector of activity.
The ISO/IEC 27701 standard provides requirements and guidelines for building, implementing, maintaining and continually improving a PIMS, whether the organization operates as the Data Controller or as the Data Processor.
SOURCE: FEDERPRIVACY