ISO 27701 FAQ

The standard requires an Internal Audit to be carried out before an external audit can be performed.

The Internal Audit must be carried out by a competent and objective auditor.

The auditor can be in-house (from the organization’s own staff) or an external consultant. If in-house, it is important that the auditor is independent and has no prior or current involvement in the development and implementation of the PIMS.

The Internal Audit review includes:

1. A documentation review of policies and procedures to confirm they adhere to the standards requirements
2. An evidence review through sampling and analysis to determine that the policies are being adhered to

Any findings from the Internal Audit must be tracked to resolution.

The Internal Audit is meant to be continuous throughout the certification period (3 years).

An external audit is as essential as an internal audit, except that the outcome is the acquisition of a certification! 

The external audit starts with stages 1 and 2.

Stage 1: This consists of an extensive documentation review of your PIMS program. This typically lasts a couple of hours to a day.

The outcome of Stage 1 is a list of findings (non-conformities) that need to be remediated before moving to Stage 2.

Stage 2: This consists of an extensive review of evidence that supports the documentation provided during Stage 1 to confirm that the controls operate according to the ISO 27701 requirements. This takes a bit more time than Stage 1 and can last a couple of days to a week.

The outcome of stage 2 is a list of findings (non-conformities) that need to be remediated before being recommended for certification.

An ISO 27701 certification is valid for three years.

This doesn’t mean that you do nothing for 3 years, no!

ISO requires surveillance audits to be performed each year to ensure the PIMS program and controls continue to operate effectively.

It is simple!

ISO 27701 defines the requirements for PIMS and can be certified against them.

ISO 27702 provides guidance on how to implement the ISO 27701 requirements. It cannot be certified against.

Organizations are required to secure and maintain the integrity of all sensitive data that they process under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). However, while these regulations provide a framework for data protection, they do not provide specific guidance on the actions that organizations should take to ensure data privacy. This is where ISO 27701 is beneficial.

ISO 27701 provides a comprehensive set of requirements and guidelines for implementing a best-practice process for managing a Privacy Information Management System (PIMS) that includes effective data security and privacy capabilities. By following the guidelines set out in ISO 27701, organizations can establish a systematic approach to identifying and mitigating privacy risks, handling personal data, and complying with applicable regulations. This helps improve data protection and privacy, enhance stakeholder trust, and promote operational efficiency.