ISO/IEC 27701:2019 Privacy Information Management Implementation

Hi all

I hope you are well and safe during this pandemic period. It hasn't been easy for many of us; maintaining an economy and home life has been difficult, but better times are ahead, and we'll be focusing on continual improvement in this latest blog edition.

Personally, it has been a good week for me. I have updated my website to include the 7 Biggest Mistakes People Make When Implementing ISO 9001 and ISO 27001, and I have been busy helping my clients of all shapes and sizes. I have also put 6 videos on my website, to help people and to show that there is more to me than just writing! I've uploaded my videos to YouTube; search for 'Steven Burgess ISO' or visit the website for more details. It was fun doing the videos, not always easy without a script, but I just about managed it with a few notes and help from a marketing expert who is helping me at this moment in time. I'm not a massive fan of marketing; I prefer it to come naturally and always try to get myself across in a normal way. The videos have allowed me to do this, and hopefully they will help to support many people in their quest to implement ISO standards.

One more bit of positive news is that one of my main clients, Disclosure Services, has decided to implement ISO 27701, the Privacy Information Management standard. It is a bolt-on to ISO 27001 (Information Security Management Systems); I put a proposal to the board to implement it and they agreed that it would be a good thing to do. Privacy management is high on the agenda for this company: they process data relating to criminal record checks and so need to put privacy at the heart of their operations. It is a big task for me, but one I am relishing, and I know that with the help and experience of third-party auditors, the IT staff there, staff and management, we will make a success of it. It is a big project and one I am looking forward to.

Privacy information management is crucial in this era of information management. Not only do we have legislation such as the GDPR in Europe and the Data Protection Act in the UK, but both of these have formed a backbone for implementing extra requirements and have helped to make the organisation safer and more secure. We focus on what the GDPR requires, implement it and use it to drive our business forward. Privacy management is what our clients want and need, and it is they who we are protecting. This is what standards do: they protect people from harm, whether that be harm from the misuse of information, harm from a lack of safety or harm to the environment. Standards are a focal point for improvement, and this new standard is no different.

I have come to understand that people take the security of their information seriously, and this is what ISO 27701 will help us to do. It will help us to focus our efforts on improving systems, IT and the general well-being of the company by bringing down liabilities. After all, liabilities are there to harm businesses, and we must do all that we can to reduce the risks to businesses and to strengthen them properly.

Nowadays there is an eye on all organisations with regard to people's information. People want their data protected, and the ISO 27701 standard focuses on information standards. To be honest, we have been working at this for some time: with the inception of a new process risk assessment to supplement our asset-based risk assessment, we have been able to see how our processes affect us. Not only is it vital to focus on your processes, it also helps with legal requirements such as conditions for processing, the lawful basis for processing and technical safeguards for information. These are all in the GDPR, and a process risk assessment gets you to focus on these vital areas, as well as many more.

I have developed a new style of risk assessment to be maintained alongside our asset-based risk assessment because 1) businesses need one and 2) it helps us to comply with legislation. Businesses need one because they need to understand the information flow: information is embedded into processes, and we need to be able to pinpoint where the inconsistencies lie, where the strengths are and what residual risks we have. Residual risks are an important point; knowing what these are again highlights any remaining liabilities and what you may be doing about them. ISO 27001 asks that you get your residual risks monitored and/or accepted or acted upon.

In the coming months I will be starting on this work. I expect the ISO 27701 implementation to take 9 months, depending on my workload and on company requirements. I will let you know about its progress from this blog as I learn to understand these new requirements.

Have a good one.

Best regards


Steven Burgess is an ISO 9001 and ISO 27001 Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.