ISO 27701 brings ISO 27000 Standards Series to a total of 47

Launched in August: ISO 27701:2019 Security Techniques – extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – requirements and guidelines

 

What is ISO 27701:2019?

ISO 27701 is the highly anticipated standard that is expected to be the first privacy management certification to get mainstream adoption and may serve as a basis for upcoming GDPR certifications.

The new standard recommends that organizations include information security and personal data protection requirements in their management system activities.

NOTE: The EC has started the development of a GDPR Certification Scheme but the connection with ISO 27001, if any, has yet to be announced.

Relationship Between ISO 27001 and ISO 27701:2019

 
Every organization processes Personally Identifiable Information (PII). The quantity and types of PII processed are increasing, as is the number of situations in which an organization needs to cooperate with other organizations, in both the public and private sectors, regarding the processing of PII.
 
Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation now evolving worldwide.
 
Requirements and guidance for PII protection vary depending on the context of the organization, in particular where national legislation and/or regulation exist. ISO/IEC 27001 requires that this context be understood and, in the EU, this includes the General Data Protection Regulation (GDPR).
 
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector-specific requirements, without the need to develop a new Management System.
 
Hence, the plethora of standards that have now been published, including ISO 27701.
 

Is Compliance with Other Standards and Guides in the ISO 27000 Series Mandatory?

The answer is No and Yes!
 
NO: There is nothing in the standards and guides making their use obligatory, but:
YES: External auditors are aware of these standards and guides and they will be informally using them to frame their interview questions. 
 
For example, if an organization holds Personally Identifiable Information, the external auditors will ask how the organization has addressed the typical vulnerabilities identified in ISO 27701: this is 'low hanging fruit' for the auditor.

So you cannot afford to ignore the standard: your risk assessment (risks and opportunities) needs to add the relevant vulnerabilities from ISO 27701 to those from the Statement of Applicability in Annex A of ISO 27001.
The next question is then: How big is the ISO 27001 family?
 
Very big is the answer. 

 

What Comprises the ISO 27000 Series of Standards?

 

The ISO 27000 series of standards now totals 47. Below is a list of the standards included in the series, with a short comment on each one where one applies.

| # | Standard | Type (*) | Comment |
|---|----------|----------|---------|
| 1 | ISO/IEC 27000 — Information security management systems — Overview and vocabulary | IO | |
| 2 | ISO/IEC 27001 — Information technology — Security techniques — Information security management systems — Requirements | AS | The 2013 release of the standard specifies an information security management system in the same formalized, structured and succinct manner as other ISO standards specify other kinds of management systems. |
| 3 | ISO/IEC 27002 — Code of practice for information security controls | CP | Essentially a detailed catalogue of information security controls that might be managed through the ISMS. |
| 4 | ISO/IEC 27003 — Information security management system implementation guidance | GL | |
| 5 | ISO/IEC 27004 — Information security management — Monitoring, measurement, analysis and evaluation | GL | |
| 6 | ISO/IEC 27005 — Information security risk management | GL | |
| 7 | ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems | GL | For certification bodies only. |
| 8 | ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on auditing the management system) | GL | Useful to consultants and those responsible for ISMSs. |
| 9 | ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on auditing the information security controls) | TR | Useful to consultants and those responsible for ISMSs. |
| 10 | ISO/IEC 27009 — Essentially an internal document for the committee developing sector/industry-specific variants or implementation guidelines for the ISO27K standards | IO | |
| 11 | ISO/IEC 27010 — Information security management for inter-sector and inter-organizational communications | GL | Guidance for implementing information security management within information sharing communities. |
| 12 | ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 | CP | Additional sectoral controls. |
| 13 | ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (derived from ITIL) | GL | |
| 14 | ISO/IEC 27014 — Information security governance | IO | Aids organizations to evaluate, direct, monitor and communicate the information security related activities within the organization. |
| 15 | ISO/IEC TR 27015 — Information security management guidelines for financial services | -- | Now withdrawn. |
| 16 | ISO/IEC TR 27016 — Information security economics | TR | |
| 17 | ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services | CP | Additional sectoral controls. |
| 18 | ISO/IEC 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors | CP | Additional sectoral controls. |
| 19 | ISO/IEC TR 27019 — Information security for process control in the energy industry | CP | Additional sectoral controls. |
| 20 | ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity | GL | Popular choice as an 'add-on' to ISO 27001 certification. |
| 21 | ISO/IEC 27032 — Guideline for cybersecurity | GL | |
| 22 | ISO/IEC 27033-1 — Network security — Part 1: Overview and concepts | IO | |
| 23 | ISO/IEC 27033-2 — Network security — Part 2: Guidelines for the design and implementation of network security | GL | |
| 24 | ISO/IEC 27033-3 — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues | GL | |
| 25 | ISO/IEC 27033-4 — Network security — Part 4: Securing communications between networks using security gateways | GL | |
| 26 | ISO/IEC 27033-5 — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) | GL | |
| 27 | ISO/IEC 27033-6 — Network security — Part 6: Securing wireless IP network access | GL | |
| 28 | ISO/IEC 27034-1 — Application security — Part 1: Guideline for application security | GL | |
| 29 | ISO/IEC 27034-2 — Application security — Part 2: Organization normative framework | GL | |
| 30 | ISO/IEC 27034-6 — Application security — Part 6: Case studies | GL | |
| 31 | ISO/IEC 27035-1 — Information security incident management — Part 1: Principles of incident management | GL | |
| 32 | ISO/IEC 27035-2 — Information security incident management — Part 2: Guidelines to plan and prepare for incident response | GL | |
| 33 | ISO/IEC 27036-1 — Information security for supplier relationships — Part 1: Overview and concepts | IO | |
| 34 | ISO/IEC 27036-2 — Information security for supplier relationships — Part 2: Requirements | AS | |
| 35 | ISO/IEC 27036-3 — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security | GL | |
| 36 | ISO/IEC 27036-4 — Information security for supplier relationships — Part 4: Guidelines for security of cloud services | GL | |
| 37 | ISO/IEC 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence | GL | |
| 38 | ISO/IEC 27038 — Specification for digital redaction of digital documents | CP | Additional sectoral controls. |
| 39 | ISO/IEC 27039 — Intrusion prevention | GL | |
| 40 | ISO/IEC 27040 — Storage security | GL | |
| 41 | ISO/IEC 27041 — Investigation assurance | GL | |
| 42 | ISO/IEC 27042 — Analyzing digital evidence | GL | |
| 43 | ISO/IEC 27043 — Incident investigation | GL | Idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence. |
| 44 | ISO/IEC 27050-1 — Electronic discovery — Part 1: Overview and concepts | IO | |
| 45 | ISO/IEC 27050-2 — Electronic discovery — Part 2: Guidance for governance and management of electronic discovery | GL | |
| 46 | ISO 27701 — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines | AS | ISO 27001 and ISO 27002 are normative documents here. |
| 47 | ISO 27799 — Health informatics | CD | Information security management in health using ISO/IEC 27002: guides health industry organizations on how to protect personal health information using ISO/IEC 27002. |

 

Our Recommendation for Tackling the ISO 27000 Series

  1. Implement and maintain an ISMS,
  2. incorporate the additional sector-specific standards and applicable data protection directive requirements,
  3. use relevant guidelines and technical reports,
  4. get certified and, after all that,
  5. sleep a little easier at night.

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting and auditing management systems.
