ISO updates standard on managing privacy compliance programs


Contributors:
Henry Davies
AIGP, CIPP/E, CIPM, FIP
Data Protection Officer
Birdie
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
For the first time since 2019, the International Organization for Standardization has updated its international standard for managing privacy compliance programs.
The international standard for "Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance," ISO 27701, "specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System."
There are several significant changes in the updated ISO 27701. The standard is now a standalone management system, meaning organizations will no longer need to have an ISO 27001 certified Information Security Management System. However, those with an ISMS will be able to integrate the two management systems.
PIMS clauses
The updated standard outlines clauses that set out the high-level requirements of establishing a PIMS, which must be followed and implemented by any organization seeking certification.
Clause 4: Context of the organization. Like many other standards, ISO 27701 requires organizations to fully understand the context of their organization. This is achieved by determining the external and internal issues relevant to the PIMS, understanding the needs and expectations of interested parties — specifically those with interests or responsibilities when it comes to processing personally identifiable information — and determining the scope of the PIMS. This understanding must include the organization's role in relation to PII: as a controller, as a processor, or as both.