Companies that have an ISMS will be familiar with the ISO 27000 series standards and may already be certified in accordance with them. The relatively new standard 27701:2019 now allows the ISMS to be expanded to include privacy aspects. The diagram shows what the integration can look like and how the standards interact.
What is PIMS?
With a Privacy Information Management System (PIMS), companies can permanently integrate, control and continuously improve a privacy framework and privacy impact assessment procedures in their environment. This ensures strong data protection. ISO 27701:2019 provides a standard that companies can use to expand their ISMS and thus manage information security and data protection in a coordinated manner.
ISO 27701:2019 now bridges the gap between the two worlds: The requirements in ISO 27001 are extended and the Privacy Framework and the PIA also become part of the PDCA cycle. Additional controls are also included. This makes it possible to expand your own Statement of Applicability (SoA) to include privacy-relevant aspects.
If you are new to the topic and do not yet have an ISMS, it is best to set most of the standards aside for the time being and focus on ISO 29100 and ISO 29134, which were shown in the previous articles. If you want to reach an acceptable state quickly, start by implementing the considerations from the ISO Privacy Framework in one environment and carrying out initial PIAs on the important processes and systems.
This identifies the risks and applies best practices. In order to build a bridge to IS, it is important to compare which of the identified risks from the PIA are already being addressed by measures. Of course, this lacks the formality that a management system would entail - but a simplified start is still better than no start at all. Proof of the benefits of such initial activities can also justify the budget for further formalization.
In the medium to long term, the goal can be to formalize the selection of controls based on Annex A of ISO 27001 and to create and maintain a structured inventory of protective measures for IS, IT and privacy and to maintain protection at a constant level based on the PIA. Although this is still not an ISMS, it can represent a significant increase in maturity compared to the current status.
However, for all companies that are under great pressure to demonstrate a high level of maturity and provide evidence due to legal or regulatory requirements, a quick start is not the right way to go. A project plan for setting up an ISMS and PIMS should be drawn up right from the start and it should be determined what needs to be implemented and in what order.
If you already have an ISMS, you can expand it and start integrating the principles of the Privacy Framework into your daily work via ISO 27701. The greatest effort will probably be required to train staff in the principles of ISO 29100 and the assessment according to ISO 29134.
It is also important to consider expanding your own processes to include the PIA. For example, as part of change management, it is not only necessary to compare the change to be discussed with the identified risks of the IS, but also to compare it with the PIA.
As soon as the company has made an initial PIA of critical services, a comparison with the controls and an addition to the Statement of Applicability (SoA) can take place. Initially, it is sufficient to use the supplementary controls from Annexes A and B of ISO 27701 and only check at a later stage whether you want to increase the level of detail with ISO 29151, 29101 or 27018 - unless privacy plays such an important role for your own company and its customers that a detailed introduction is justified right from the start.
ISO 27701 now requires, on the one hand, that a Data Protection Officer be defined and, on the other, that PII principals be offered a point of contact for inquiries about the processing of their data.
The Data Protection Officer has a similar role to the CISO: they must be independent, familiar with the legal, regulatory and other requirements and have been given the necessary authority by management. This may mean that one more person will be involved in many of the company's projects - the DPO as well as the CISO. It may be uncomfortable for project managers to have an additional person on the specialist committee - but this is essential in terms of strong data protection.
The company's management also plays an important role: what is the Information Security Policy in the ISMS becomes the "Information Security and Privacy Policy" when ISO 27701 is implemented. Apart from this, adjustments to policies may also be necessary in other areas. Management commitment is therefore essential, and management must set an appropriate example.
Those who follow the path of ISO 27701 and expand their ISMS will be able to map their own SoA and PIA against GDPR paragraphs in the future. As shown in the next table, a privacy principle from ISO 29100 and an ISO 27701 control each represent a reference to one or more GDPR clauses.
The PIA can be used to show the extent to which individual services selectively comply with the provisions of the GDPR; a SoA can be used to show how the entire company complies with the GDPR.
Similarly, mappings can also be made to other laws, e.g. the Swiss DPA.
Apart from such mapping, PIA reports, provided they are made for strategically important services of your own company and can be viewed, are already good documentation for an audit. Provided they are prepared accordingly, they are also well suited to showing the customer the level of protection of their data.
It is important to understand that none of the standards alone will be the solution to achieving a very high level of maturity and documenting compliance with the GDPR in a structured and comprehensible manner. To do this, it is important to place the various components in the right place and allow them to interact.
Anyone who already has experience with maintaining an ISMS will have to learn the new concepts from the Privacy Framework and the PIA and will then be able to upgrade their ISMS to a PIMS relatively quickly. An already highly formalized environment with a high level of maturity is very easy to expand.
Those without an ISMS are not yet lost - the question here is what needs to be achieved. It may not be a bad idea to take a very cautious approach to the privacy framework and the PIA as an introduction and only expand the formality later. However, a simplified start only delivers simplified results and anyone who is under external pressure should think carefully about what needs to be done. As part of our consulting services, Swiss Post Cybersecurity supports you in designing and implementing the right solution.