ISO 27701 - Extension of ISO 27001 with a focus on data protection

Data protection complements information security

In August 2019, the International Organization for Standardization published a new standard, ISO 27701.

It closely follows ISO 27001 and supplements what ISO 27001 lacks in terms of data protection.

With the new standard ISO 27701, whose full name is ISO/IEC 27701:2019-08 "Information technology - Security procedures - Extension to ISO/IEC 27001 and ISO/IEC 27002 for data protection management - Requirements and guidelines", the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have further expanded the ISO 27000 family. The central standard is ISO 27001, which describes the requirements that an information security management system (ISMS) must meet for certification. The series also contains numerous other standards that specify the requirements for information security and help with implementation.

The ISMS defines the procedures, rules and measures by which companies define, control, maintain and optimize information security. Information security here refers to “values”: all data that are important for an organization. Personal data can be among them, but does not necessarily have to be. This is not enough to ensure the protection of personal data.


Data protection complements information security
ISO 27701 corrects this deficiency. It is closely based on ISO 27001 and supplements what that standard lacks in terms of data protection. Instead of information security, it refers to data protection and thus to the handling of personal data, so that a management system for data protection can be integrated into the information security management system that is to be certified. ISO 27701 is not a "proper" standard insofar as it is only a supplement to ISO 27001, and certification according to ISO 27701 alone is not possible. For a company to achieve ISO 27701 compliance, it must meet all of the ISO 27001 requirements.

Solution to the certification problem?
Although ISO 27701 takes up the principles of the GDPR and supports companies in complying with it, this does not amount to certification under the GDPR. According to an article on datenschutzexperte.de, this is due to the "lower scope of ISO 27701"; according to datenschutzbeauftragter-info.de, it is also due to formalities affecting the certifying body. Article 42 of the GDPR provides for the possibility of certification, and Article 43 calls for certification according to ISO 17065, "which is aimed at certification of products and processes", while ISO 27701, as an extension of ISO 27001, is certified according to ISO 17021, with its focus on management systems.

Nevertheless, the new ISO 27701 standard, which is meant to facilitate the verification of a "GDPR-compliant handling of personal data", is unanimously welcomed as a "step in the right direction" that can "make an important contribution to pragmatic and effective data protection".