Transcript:
[00:00:00] Claire McKenna: Hello everyone, and welcome to today’s episode of cyBARRR Chats. BARRR Certifications is now accredited for ISO I E C 27701 audits as of July, and we’re excited to have this offering as part of our suite of services. We’re joined today by Angela Redmond, Director of BARR Cyber Risk Advisory Practice to discuss what ISO 27701 is and how it might help your organization.
So Angela, welcome. Let’s kick it off. What is ISO 27701?
[00:00:33] Angela Redmond: ISO 27701 was released in August, 2019, and it’s an extension of ISO 27,001. It outlines requirements for establishing, implementing, maintaining, and continuously improving an organization’s privacy information management system, also known as the PI m.
It is an internationally accepted standard and essential for organizations that process personally identifiable information or pii. ISO 27701 was developed to provide guidance for organizations complying with international privacy regulations such as the EU General Data Protection Regulation, or gdpr.
It’s a highly effective way of demonstrating an organization’s commitment to data privacy. Got
[00:01:29] Claire McKenna: it. So in this context, what is the difference between privacy and
[00:01:34] Angela Redmond: security? Privacy refers to the individual’s ability to control the access to their personal data, whereas security is the process or system in place to protect that data.
Privacy depends on. Similarly, ISO 27701 depends on having ISO 27,001 in place. It cannot be obtained independently. Got
[00:02:01] Claire McKenna: it. And what kinds of organizations might benefit from obtaining an ISO 27701 certification?
[00:02:10] Angela Redmond: So similar to ISO 27,001, ISO 27701 uses a risk based approach. Organizations adopting ISO 27701 are not required to implement every possible control for every situation.
Instead, organizations should understand the context in which they handle data as either controllers or processors. These terms are also parts of gdpr. ISO includes both controller and processor specific controls. So regardless of the context your organization handles data You may want to consider ISO 27701 organizations of all sizes and industries that want to demonstrate a commitment to privacy can benefit from ISO 27 7 oh.
[00:03:01] Claire McKenna: Got it. So you’ve already touched on this a little bit, but could you just explain, um, a little bit more about how ISO 27,001 and ISO 27701 relate to each other?
[00:03:13] Angela Redmond: Yes. So like we mentioned previously, privacy depends on security. Consider ISO 27701 as an additional arm of ISO 27,001. It can only be implemented when an organization also has an ISO 27,001 certification.
[00:03:33] Claire McKenna: Okay, Got it. And could you explain BARRs step by step process and approach to
[00:03:40] Angela Redmond: certification? BARR begins with pre-certification activities. We’ll conduct a client evaluation and an engagement acceptance review. And as part of this process, we will need information over the p ims scope and boundaries of the system to determine fee arrangements and resourcing need.
The next step is the initial certification audit, which includes two stages. Stage one is an evaluation of the management system and documentation. With primary focus on the design of the system, the stage two audit evaluates the implementation and effectiveness of the management system. This stage is performed at the client locations.
BARR certifications will then determine if it will issue certification to the. If an initial certificate is issued, it’s valid for 30 years. Surveillance audits are conducted at least annually to help ensure a certified organization is able to maintain its compliance to the standard. Before the CERT certificate expires, our certifications and the client will plan arrangements for recertification.
[00:04:52] Claire McKenna: Got it. Thank you for that explanation. Um, what type of effort and commitment is required on, uh, the behalf of an organization to obtain an ISO 27701 certification?
[00:05:07] Angela Redmond: So like we mentioned previously, ISO 27701 is an extension of ISO 27,001 and thus the effort and commitment required to obtain an ISO 27701 certification isn’t too much more than ISO 27,000 oh one.
The scope includes some additions and extensions to the ISO 27,001 annex. A.
Got it
[00:05:33] Claire McKenna: and my last question for you today is can ISO 27701 guarantee coverage under the gdpr?
[00:05:42] Angela Redmond: The short answer is not completely, but it can help position your organization for GDPR compliance. There is no official certification or report that can guarantee GDPR compliance. ISO 27701 is a management system that covers many aspects of GDPR and demonstrates an organization’s commitment to protecting privacy, but it does not guarantee GDPR coverage since ISO 27701 can.
Scoped to specific aspects of an organization and is scalable. An organization can have ISO 27701 in place for parts of their business and still not be GDPR compliant.
[00:06:25] Claire McKenna: Got it. That is very good to know. Well, that was my last question for you today. So Angela, thank you so much for sharing all of your valuable insight into ISO 27701, and to our audience.
Please contact us if you’re interested in learning more about ISO 27701, and we look forward to seeing everyone next time on cyBARR Chats.