ISO 27701: Privacy Information Management System

ISO 27701 is an extension standard based on ISO 27001 for privacy information management systems. This standard is critical for achieving compliance with data protection laws such as KVKK and GDPR and provides a comprehensive framework for organizations to securely process, protect, and manage personal data.

As the Istanbul-based BARLAS Cyber Security team; we provide end-to-end consulting support to organizations operating in Istanbul, Türkiye, and across Europe in ISO 27701, ISO 27001, KVKK, and GDPR compliance projects regarding privacy information management system (PIMS) design, implementation, and audit.

What is ISO 27701?

ISO 27701 (Privacy Information Management System - PIMS) is an international standard that specifies the requirements for processing, protecting, and managing personal data. This standard is built on the ISO 27001 (Information Security Management System - ISMS) standard and provides additional requirements for privacy management.

The ISO 27701 standard is also known as ISO/IEC 27701:2019 and was published by the International Organization for Standardization (ISO) in 2019. This standard includes requirements for both data controllers and data processors.

Core Components of ISO 27701

The ISO 27701 standard consists of the following core components:

1. Privacy Information Management System (PIMS)

It provides a systematic approach for securely processing, protecting, and managing personal data. PIMS, built on top of ISO 27001, includes additional controls and requirements specific to privacy.

2. Requirements for Data Controllers

It defines specific requirements for organizations that process personal data (data controllers). These requirements cover data collection, storage, processing, and deletion processes.

3. Requirements for Data Processors

It provides specific requirements for organizations that process personal data on behalf of data controllers (data processors). These requirements ensure that data processing processes are managed securely.

4. Privacy Controls

In addition to the security controls in ISO 27001, it includes specific controls for privacy. These controls are designed to protect personal data and ensure privacy rights.

Advantages of ISO 27701

ISO 27701 compliance provides organizations with significant advantages:

• Legal Compliance: Achieving compliance with data protection laws such as KVKK, GDPR, and others
• Secure Processing of Personal Data: Secure processing, storage, and protection of personal data
• Privacy Risk Management: Systematic identification, assessment, and management of privacy risks
• Increased Customer Trust: Increased customer trust by demonstrating that personal data is processed securely
• Competitive Advantage: Competitive advantage in privacy management
• Cost Savings: Reducing costs arising from data breaches and legal penalties

Relationship between ISO 27701 and ISO 27001

ISO 27701 is an extension of ISO 27001 and is built on ISO 27001. Therefore, ISO 27001 compliance is required first for ISO 27701 compliance. ISO 27701 adds specific requirements for privacy management to ISO 27001.

This relationship provides the following advantages:

• Integration of information security and privacy management
• Meeting both security and privacy requirements with a single management system
• Resource and cost efficiency
• Process and documentation sharing

ISO 27701 and KVKK Compliance

The ISO 27701 standard is critically important for KVKK (Personal Data Protection Law) compliance. The technical and administrative measures required by KVKK are detailed in the ISO 27701 standard.

The relationship between ISO 27701 compliance and KVKK compliance:

• KVKK's obligation to provide a secure environment can be met through ISO 27701
• Requirements for secure processing of personal data can be met through ISO 27701 controls
• Data controller and data processor requirements are defined in ISO 27701
• Data breach notification and response processes are included in ISO 27701

ISO 27701 Certification Process

The general process for ISO 27701 certification consists of the following steps:

1. ISO 27001 Compliance: First ensuring ISO 27001 compliance
2. Gap Analysis: Evaluation of current status according to ISO 27701 requirements
3. PIMS Design: Design of privacy management system and preparation of implementation plan
4. Implementation: Implementation of privacy policies, procedures, and controls
5. Internal Audit: Verification of the system through internal audit
6. Management Review: Top management reviewing system performance
7. External Audit and Certification: Audit and certification by an independent certification organization

BARLAS ISO 27701 Services

As BARLAS Cyber Security, we provide comprehensive support for ISO 27701 compliance. Our services include:

• ISO 27701 gap analysis and assessment
• PIMS design and implementation
• Privacy risk assessment and risk treatment plan preparation
• Design and implementation of privacy controls
• Documentation preparation (privacy policies, procedures, instructions)
• Staff training and awareness programs
• Internal audit support
• Certification process preparation support

We also strengthen your data privacy processes through penetration tests and vulnerability assessments and support your KVKK compliance by identifying security vulnerabilities in your systems.