Compliance with a fast-growing array of privacy regulations like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) is now a major concern for many companies. If your business stores and/or processes personal information (PI), chances are you’ll soon need to prove you can protect it.
Aligning with ISO 27701, the privacy extension to the ISO 27001 information security standard and a trusted international data privacy standard in its own right, could be “the silver bullet” that reduces the complexity of managing compliance with multiple, overlapping privacy regulations.
To shed light on how ISO 27701 can help your business prove privacy compliance, we invited Debbie Zaller to be our guest on The Virtual CISO Podcast. Debbie is Principal and co-owner at Schellman & Company, a leading IT certification and audit firm that is among the few currently authorized to certify ISO 27701 compliance. Host John Verry, Pivot Point’s CISO and Managing Partner, is a strong proponent of ISO 27701.
Here are the top four benefits of achieving ISO 27701 certification that Debbie and John identified:
One: It’s global
For companies that are already ISO 27001 certified or are considering ISO 27001 certification, ISO 27701 provides the most comprehensive and trusted attestation available globally regarding privacy controls.
As Debbie points out, “This is one of the few privacy certifications we have that’s worldwide… A lot of them are jurisdiction specific. ISO 27701 allows your organization to get a certification that you have a privacy program in place that meets some of the main privacy principles of all privacy laws worldwide.”
In other words, ISO 27701 is a unified construct that enables you to manage compliance with a wide range of US and international privacy laws.
Two: It’s highly rigorous
A further benefit of ISO 27701 is its unequaled rigor. “It highlights an organization’s privacy program to a very strenuous and detailed [level of] controls that you normally wouldn’t find anywhere else,” states Debbie. “A lot of jurisdictions don’t yet have a certification against their privacy laws or regulations, so this is one way to do that before we get those…”
In terms of thoroughness, how does ISO 27701 stack up against a SOC 2 report covering the Privacy Trust Services Criteria (TSC)?
As an auditor, Debbie asserts, “I think [SOC 2’s Privacy TSC] is a good one, but it’s a little bit too broad. It’s a little bit too basic, where ISO 27701 gets into a lot more details and it’s a lot more rigorous.”
Three: It offers third-party attestation
Another big benefit of ISO 27701 certification is that it gives you demonstrable proof of your privacy posture alongside your information security posture.
John notes, “If you think about it, most people who have gone to ISO 27001 or SOC 2… they have that because somebody is asking them for it. And if they’re already being asked for information security attestation, they’re going to be asked for privacy attestation.”
Attestation of compliance with a globally recognized standard by an accredited third-party auditor is the most trustworthy and respected form of attestation.
Four: It’s flexible enough to accommodate jurisdictional specifics
As an international standard, ISO 27701 was specifically created to enable organizations to manage and attest to privacy compliance with multiple jurisdiction-specific requirements.
“For example, there are some requirements in ISO 27701 for breach notification, but the timing of notification and the details are actually jurisdiction specific,” Debbie explains. “So if an organization operates in the EU, you’d want to make sure that you’re falling in line with GDPR, and so you kind of bring those jurisdictions [specifics] into ISO 27701.”
“It’s flexible enough to operate throughout the world, but it does allow you to highlight that privacy program that is still rigorous and specific to the main privacy principles that are included in every privacy law,” emphasizes Debbie.
If your business needs to comply with multiple privacy laws, you’ll find this insightful discussion on ISO 27701 highly informative. It covers everything from basics to benefits to costs to specific compliance questions.