The Value of ISO 27701
ISO 27701 is a privacy extension to ISO/IEC 27001 that establishes additional requirements and provides guidance for the safeguarding of privacy as potentially affected by personal data processing. As the overlap of privacy and security regulations increases, so do the calls for new ways for these two teams to collaborate, communicate more effectively, and use common tools. Technology is needed for the maintenance and continual improvement of a privacy information management system (PIMS) in accordance with ISO 27701 (formerly known as “ISO 27552”), as well as the planning and implementation of global privacy laws and frameworks.
How OneTrust Helps
Privacy Information Management System (PIMS) Decision-Making
ISO 27701 includes a roadmap for determining both the internal and external issues that might affect privacy (including taking the interests of third parties into account) to determine scope and context, and then creating policies and procedures to match. Use the ISO 27701 Privacy Information Management System (PIMS) Planning template in OneTrust to assist with PIMS decision-making according to clause 5 of the ISO 27701 standard, including evaluating your organization and its context, understanding the needs and expectations of interested parties, determining the scope of the PIMS, identifying leadership roles and responsibilities, establishing and tracking objectives, defining risk criteria, and more.
ISO 27701 requires a substantial amount of documentation to be created, reviewed, updated and properly controlled over the life of the PIMS. This documentation is vital to the effectiveness and continuous improvement of the PIMS, as well as to achieving and maintaining certification. Use the Document Repository in OneTrust to store and organize PIMS documentation in a central location for access by the PIMS Team and other need-to-know personnel.
Privacy Training, Testing and Attestation
Clause 5.7 requires that you conduct internal audits of the ISMS against the ISO/IEC 27701:2019 standard (including all of clause 5 and applicable Annex A/B controls). Additionally, Clause 5.7.3 calls for management reviews of the PIMS at planned intervals. Use the OneTrust ISO 27701 Audit Checklist template, a fully customizable questionnaire based on ISO 27701, to assist in conducting internal or external audits to evaluate the maturity and overall effectiveness of the PIMS, and to track corrective action plans. After completing an audit, OneTrust allows you to easily generate an audit report showing an overview of your answers, comments and evidence attachments.
Records of Processing Activities
Annexes A.7.2.8 and B.8.2.6 recommend organizations establish what records are necessary in support of its processing obligations, as well as maintain and preserve them. Organizations should create and maintain an inventory or detailed list of all the personal data processing activities it executes. With OneTrust, you can create and maintain inventories of your organization’s assets and vendors, the risks associated with each, and their owners within the organization. With Data Mapping Automation, collect information about the purpose, type and process by which personal data is being collected, used, stored, and transferred, as well as generate visualizations and data flow diagrams as tools for easier analysis and executive communication.
Risk Assessment and Treatment
Clause 5.4 requires the creation of a detailed risk assessment methodology that includes criteria for how to identify different levels of risk. Clause 5.6 then requires the implementation of these plans, for example, following the risk methodology when conducting risk assessments, setting risk treatment plans and tracking them to completion, calculating residual risk, and ensuring that all of this is documented in a controlled manner. Use OneTrust Assessment Automation, and an extensive gallery of questionnaire templates, to identify and calculate risks to individuals as a result of processing their personal information, and to craft and track risk treatment plans.
Supplier, Processor, and Vendor Management
According to clause 220.127.116.11, organizations should include specific terms in contracts between themselves and any subcontractor. Clause 7.2.6 states that contracts between the organization and any personal data processor should require implementation of the appropriate Annex B controls. Clause 7.5 recommends that organizations determine and document the applicable basis for international transfers of personal data. Use OneTrust Vendorpedia, third-party risk management software, to automate the vendor engagement lifecycle, from onboarding to offboarding, to help obtain and maintain ISO 27701 certification.
Incident & Breach Response
Clause 18.104.22.168 states that an organization’s incident management process should feature the responsibilities and processes related to identifying and recording breaches of personal data processing. Enable self-service reporting of security incidents and weaknesses, maintain incident and breach records, evaluate against breach notification obligations, and analyze overall risk with connections to your underlying inventories of data, processing activities, assets and vendors. OneTrust can be used to put incident management policies and procedures into action.
Data Subject & Consumer Rights Management
Consent & Preference Management
Under ISO 27701, consent must be obtained, where applicable, from individuals and recorded so that details, such as when consent was provided, proof of identity of the individual, and the consent statement, can be provided on request. Use OneTrust Consent Management tool to demonstrate compliance with granular records of consent. OneTrust provides the platform and instruments necessary to collect valid consent as required by ISO 27701, as well as privacy regulations such as GDPR, CCPA, and LGPD.