
ISO27701 certification


What is ISO27701 certification (Privacy Information Management System)?

ISO27701 is an add-on standard to the current ISO27001. This add-on standard is dedicated to privacy information management, which is not addressed in the existing ISO 27001 standard.

It contains requirements and implementation procedures for businesses that handle personal information to ensure that the information is handled appropriately.

In Europe, the introduction of GDPR in 2016 and the resulting update of the Data Protection Act in 2018, with significantly stricter penalties, have increased the need for organizations to ensure that privacy is managed and legally acknowledged. Therefore, MASON recognizes that this certification is considerably beneficial for companies that have expanded globally or are considering doing so.

Status of ISO27701

ISO27701:2019 is the privacy add-on standard to ISO27001, adding privacy information management to the 27001 Information Security Management System (ISMS) to achieve an Information Security & Privacy Management System (ISPMS).

MASON's Strengths in ISO27701 Certification

MASON’s consultants are knowledgeable about global standards (ISO27701, GDPR, CCPA, and national security standards). Therefore, MASON is capable of establishing information security and privacy mechanisms that are in harmony with the different standards and specifications required in each country.

Responding to Privacy Risks by Linking ISO27701 and ISO27001

ISO 27701 acknowledges that it is difficult to fully manage and protect personal information with ISO 27001 alone. To address this issue, ISO27701 provides updated controls and additional guidance for 13 of the 14 Annex A domains to ensure that the necessary controls are in place to manage privacy-specific risks.

Our ISO 27001 and 27701 consulting services include:

1. Selection of a Privacy Information Management System (PIMS) strategy / framework
Defining the ideal approach to PIMS development based on the customers' industry, regulatory compliance, and certification requirements.
2. Scope Determination
Determining the scope of coverage is key to the essential task of "data mapping," which is the foundation for a successful ISO 27701 implementation. The scope should be broad enough to meet the needs of key stakeholders (customers, shareholders, etc.), but narrow enough to make the initial effort manageable.
3. Risk Assessment / Data Privacy Impact Assessment
Risk assessment/management is the foundation of all ISPMS; ISO27701 extends the risk assessment methodology so that it can be used for both information security and privacy risk management.
4. PIMS Gap/Control Maturity Assessment
Assessing the gap between the current privacy protection system and the ISO 27701 ideal privacy protection system will be a crucial activity in developing a risk treatment plan and a corrective plan for the gap.
5. Development of a Risk Treatment Plan
The risk treatment plan specifies the controls required in the ISPMS (including the scope of those required and the difficulty of achieving them) to mitigate privacy risks to a level acceptable to the organization's management team.
6. Facilitate Gap Remediation
The PDCA cycle will be turned into a full operational phase by implementing the Risk Treatment Plan and closing the gaps identified in ISO27701.
7. Privacy Metrics
Metrics are central to the implementation of a robust ISPMS because they are essential to demonstrating continuous improvement (a key tenet of ISO 27001 certification). This service focuses on simplifying the process of measuring, reporting, and systematically improving ISPMS effectiveness.
8. Revision of Privacy Policies, Standards, and Procedures
This step is the core of our support for ISO 27701 certification. The key points to address are document structure, author, and version control. If the author of a document cannot easily find all the information relevant to the particular issue at hand, the likelihood of nonconformity is high.
9. ISO 27701 Internal Audits
ISO 27701 internal audits are conducted to determine whether internal privacy management methods, processes, and procedures comply with requirements, are effectively implemented and maintained, and are functioning as expected.
10. Pre- and Post-certification Audit Support
Reduces the risk of nonconformity by conducting interviews and mock audits.
11. Support for Ongoing Operation of ISO27701
Involving knowledgeable consultants in Security & Risk Management is critical to the continuous improvement of the Risk Management function, which in turn is critical to the continuous improvement of the ISMS and PIMS. Many customers benefit from including independent, objective third-party members with extensive organizational and industry expertise on their risk management committees.

MASON's ISO27701 Consulting Services

1. ISO27701 add-on certification support service

This service is for customers who are already ISO 27001 certified. MASON will help the customers to obtain certification by evaluating the customers’ current ISO 27001 operation, clarifying differences, and taking corrective actions for the differences.

Service Fee
480,000 yen (Initial Fee)

2. Transition support service from P Mark to ISO27701

This is a support service for transitioning from P Mark to ISO 27701 with minimal man-hours while identifying the differences between P Mark and ISO 27701.

Service Fee
780,000 yen (Initial Fee)

Frequently Asked Questions on ISO27701

What is ISO27701?
ISO 27701 is part of the ISO 27000 series of international standards that help organizations keep their data secure and defines a set of "best practices" for privacy information management systems (PIMS). These practices include policies, procedures, and technical controls that organizations can utilize to effectively manage privacy-related risks.
Can my company obtain ISO 27701 certification?
Yes, ISO 27701 is an extension of ISO 27001.
What is the ISO27701 Privacy Information Management System (PIMS)?
PIMS is a systematic, risk-based approach to protecting personal information and managing personal information in accordance with privacy laws and guidelines.
What is ISO 27701 Risk Assessment?
The ISO27701 Risk Assessment is essentially a data privacy impact analysis and is a requirement of regulations such as the CCPA and GDPR.
What types of companies are recommended to obtain ISO27701 certification?
MASON recommends ISO27701 certification for the following customers:
  • Although the company is expanding globally, it has not been able to establish company-wide standards for personal information protection laws and regulations because each country's laws and regulations are handled on an individual basis.
  • There is an excessive number of personal information protection and cyber security laws and regulations in each country, making it difficult to grasp them on a company-wide basis and to ensure that governance is effective.
  • Although the company has already obtained ISO27001 & P-Mark double certification, it is taking a lot of time and effort to operate the system, so the company wants to simplify it.

Significance of ISO 27701 Certification

In Japan, nearly 6,000 companies have obtained ISO27001 certification for the protection of information assets in general.

ISO 27701, on the other hand, certifies a management system established to appropriately protect personal information and the privacy related to it.

ISO27701 is categorized as an add-on standard to ISO27001. Although it is categorized in the same way as ISO27017 and ISO27018, ISO27701 clearly states what companies handling personal information must do in order to handle personal information appropriately.

The differences between ISO27701 and P-mark in terms of "features", "scope", and "our recognition" can be compared as follows:

ISMS/ISO27701 compared with P Mark:

Features
  • ISMS/ISO27701: Considers personal information protection regulations (e.g., GDPR) in global countries.
  • P Mark: Based on Japan's Personal Information Protection Law.

Scope of Certification
  • ISMS/ISO27701: Limited to departments that handle personal information.
  • P Mark: All departments need to be certified.

MASON's Conception
  • ISMS/ISO27701: MASON can obtain global standard personal information protection certification, which has a strong similarity with ISO27001, and can significantly reduce man-hours required for preparation for audits (in case of change from P Mark).
  • P Mark: If a company is double-certified with ISO27001, a certification qualification with high recognition in Japan, man-hours required for preparation for audits are high. In addition, when the timing of the audit is different, it is necessary to invest a lot of man-hours to maintain the certification.

MASON provides services tailored to the customers' needs. Please contact us.

MASON Consulting, Co., Ltd.

10th Floor Shiba Daimon Center Bldg.,
1-10-11 Shiba Daimon, Minato-ku, Tokyo


MASON has acquired ISO27001 certification.

MASON is committed to implementing security measures in accordance with the Guidelines for Information Security Measures for Small and Medium Enterprises.