ISO/IEC 27701 Implementation Guide
2 The ISO/IEC 27701 Standard

The ISO/IEC 27701 international standard for “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines” was published by the ISO and IEC in 2019. ISO/IEC 27701 specifies the requirements that your PIMS will need to meet in order for your organization to become certified to the standard. The requirements in ISO/IEC 27701 are amendments and additions to those of the ISO/IEC 27001 information security standard and its supporting guidance, ISO/IEC 27002.

There are many other documents published within the ISO/IEC 27000 series, and they provide useful supporting (and in some cases essential) information for organizations going for ISO/IEC 27701 certification (or simply using it for guidance). Some of the common ones are:

• ISO/IEC 27000 – Information security management systems – Overview and vocabulary
• ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security controls
• ISO/IEC 27003 – Information security management system implementation guidance
• ISO/IEC 27004 – Information security management – Monitoring, measurement, analysis and evaluation
• ISO/IEC 27005 – Information security risk management
• ISO/IEC 27017 – Information security for cloud services
• ISO/IEC 27018 – Protecting Personally Identifiable Information in the cloud
• ISO/IEC 27032 – Guidelines for cybersecurity
• ISO/IEC 27033 – Network security (multiple parts)
• ISO/IEC 27034 – Application security (multiple parts)
• ISO/IEC 27035 – Information security incident management (multiple parts)
• ISO/IEC 27036 – Information security for supplier relationships (multiple parts)
• ISO/IEC 27037 – Identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27039 – Intrusion prevention
• ISO/IEC 27042 – Analysing digital evidence
• ISO/IEC 27043 – Incident investigation
It’s worth pointing out that, although useful, none of these are required reading for certification to the ISO/IEC 27701 standard (except perhaps ISO/IEC 27001) so if you are limited in time and budget, just a copy of ISO/IEC 27701 itself will suffice (although if you haven’t purchased the standard yet, we would recommend you look at our ISO27701 Enhanced Gap Assessment Tool as an alternative as it includes all of the requirements in the standard but in a more useful format).
www.certikit.com
Page 5 of 32