ISO 27701 Certification
You can apply for an audit of your ISMS according to the current standard ISO 27001:2022 in combination with ISO 27701:2019. Our audit teams audit locally in most jurisdictions around the world. The information security auditors inspect your Information Security Management System (ISMS) and the associated Privacy Information Management System (PIMS) in over 7 different languages (English, German, Dutch, Spanish, French, Turkish and Polish). Apply now for an extended ISO 27001 Certification (including ISO 27701 audit)! Is your main business location in the USA, Europe, Africa or Asia? Certification audits are possible in many regions.
Who needs an ISO 27701 Certificate?
If your organisation is processing data that can be assigned to a human being, you might have to consider introducing an ISMS into your organisation. Traditionally, you would first gain an ISO 27001 Certification. As the requirements for platform providers and service organisations are becoming increasingly tough, an ISO 27001:2022 certificate is no longer sufficient. Several jurisdictions are increasingly expecting that the ISMS is also adjusted to address PII-related concerns. As a result, companies operating social media platforms, eCommerce websites, SaaS business platforms and even online marketplaces are moving towards achieving the ISO 27701 certification as an upgrade to their ISO 27001 certificate. That is why the following organisations predominantly need to get their PIMS certified according to ISO 27701:
ISO 27001 Certification Areas
Within the ISO 27000 family, the core standard is ISO 27001, which is the required certification for any kind of add-on (e.g., ISO 27018, ISO 27701, ISO 27090, ISO 27091). If your organization has never been through an audit and you have just recently introduced your ISMS, then focus on ISO 27001 Certification. Once your ISMS has reached substantial maturity, you can expand your ISO 27001 certificate with special certifications (e.g. ISO 27018 for Cloud Service Providers).
Information Security
ISMS: Implement a management system to protect the data in your company with certified information security.
Cloud Security
CSMS: Information security in the cloud is a very important issue. This niche is exposed to unique threats and has experienced scandals.
PI Security Management
PIMS: Protecting your clients' data from being misused is especially important for social media and eCommerce platforms.
What is ISO 27701?
The International Standards Organisation (short: ISO) introduced the ISO 27701 standard in order to help organisations protect personal information being processed by the human and technical resources of such organisations. Auditors will want to make sure that a Privacy Information Management System (PIMS) has been truly set up and is operating in a consistent manner.
A PIMS is there to help leadership ensure the protection of personally identifiable information (PII). Such information can be in digital (on drives, discs, cloud, etc.) or analogue (on paper, on drawings, order lists, printed bank statements) format.
The ISO 27701:2019 standard has the following structure:
- Introduction – the standard describes a process for systematically managing information risks.
- Scope – it specifies generic PIMS requirements suitable for organisations of any type, size or nature.
- Normative references – only ISO/IEC 27000 is considered absolutely essential reading for users of ISO 27701.
- Terms and definitions – see ISO/IEC 27000.
- Context of the organisation – understanding the organisational context, the needs and expectations of ‘interested parties’ and defining the scope of the PIMS. Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” the PIMS, meaning that it must be operational, not merely designed and documented.
- Leadership – top management must demonstrate leadership and commitment to the PIMS, mandate policy, and assign information security roles, responsibilities and authorities.
- Planning – outlines the process to identify, analyse and plan to treat information risks, to clarify the objectives of information security, and to manage PIMS changes.
- Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- Operation – more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- Performance evaluation – monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
- Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the ISMS.
Why can an ISO 27701 certification be beneficial to you?
When an organisation decides to become ISO 27701 certified, it undergoes a journey towards building its PIMS documentation and preparing all people inside the business for applying the new security measures. Thereby, the organisational processes achieve a greater maturity. Once the certification audit is successfully completed, the ISO 27701 certificate will show to outsiders the following positive aspects:
- Greater information security
- Regular security improvements
- Greater trustworthiness
- Greater reliability
- Lower risk to client assets and IP
Furthermore, an organisation also experiences the following internal improvements:
- Information flow inside the company is secure and efficient
- Information is available and reliable at all times
- Loss, theft, misuse, manipulation of data is less likely
- Only authorised persons have access to confidential data
- Greater compliance with laws, regulations and contractual obligations
What is required for ISO 27701:2019 certification?
The ISO 27701:2019 standard requires the following 14 items to be present and compliant within the PIMS documentation in order to issue a certificate:
- PIMS scope (as per clause 4.3)
- Information security policy (clause 5.2)
- Information risk assessment process (clause 6.1.2)
- Information risk treatment process and the Statement of Applicability (clause 6.1.3)
- Information security objectives (clause 6.2)
- Evidence of the competence of the people working in information security (clause 7.2)
- Other PIMS-related documents deemed necessary by the organisation (clause 7.5.1b)
- Operational planning and control documents (clause 8.1)
- The risk assessment outputs i.e. the assessed risks (clause 8.2)
- The risk treatment decisions (clause 8.3)
- Evidence of the monitoring and measurement of information security (clause 9.1)
- The PIMS internal audit program and the results of audits conducted (clause 9.2)
- Evidence of management reviews of the PIMS (clause 9.3)
- Evidence of nonconformities identified and corrective actions arising (clause 10.1)
How will the audit plan be influenced by the statement of applicability?
Our audit teams follow an audit plan which takes your organisation’s specific industry sector and business model into consideration. The compliance of your ISMS will be reviewed in relation to the different chapters and parts of Annex A. In order to conduct a proper audit, it is necessary for the audit client to name staff members who can answer questions in relation to parts of the audit plan. One example would be naming the firewall administrator for the security controls related to access control. During the audit, the lead auditor will then request the privacy information security officer of the organisation to arrange for the firewall admin to be available for the session regarding access control.
An organisation must regularly review its Statement of Applicability (SoA) in order to decide which controls are necessary. Auditors will review the SoA and question in particular the controls that have been stated as not applicable. The controls marked as applicable will also be inspected, but in a different way.
How much will the audit and ISO 27701:2019 certification cost?
The cost of an ISO 27701:2019 certification process depends on the size and risk profile of the organization. The ISO 27006 Standard provides an average number of audit days for an organisation of average risk and a certain number of staff in scope. Our audit estimators evaluate the expected audit time in relation to company-specific parameters. Some factors allow for a reduction of the audit duration and thereby reduce the audit costs.
Where risks require additional depth of audit activities, the audit plan will have to allocate extra time for it. This increases the audit time and the audit-related costs. In addition, if auditors have to travel to the client’s operational locations, the client organisation will incur additional travel expenses. The ISO standard allows for up to 30% of the audit to be conducted as a remote audit. If the company structure (home office) or the situation (e.g. pandemic) requires a 100% remote audit, the certification body is required to gain consent from the respective accreditation body. Remote audits avoid travel costs and are usually ideal for “virtual organizations” (e.g. 100% home office based teams).
| Number of persons doing work under the organization’s control | PIMS audit time for initial audit (auditor days) |
|---|---|
| 1~10 | 0.5 |
| 11~15 | 1.0 |
| 16~25 | 1.5 |
| 26~45 | 2.0 |
| 46~65 | 2.5 |
The above table is based on the ISO 27006 Standard document (Table B1), displaying the additional time for the PIMS audit during a combined ISO 27001 audit.
The audit time allocated for PIMS inspection is at least:
- 30% of the audit time as PII controller
- 30% of the audit time as PII processor
- 50% of the audit time, if the organisation is a PII controller and PII processor
The ISO 27701 audit (Stage 1 + Stage 2) must then be at least 2.5 days for PII controllers and 3 days for PII processors. If an organisation is acting in both the controller and the processor role, then the audit duration should not be less than the recommended 3.5 days.
This requirement arises because an ISO 27701 audit has to be conducted together with the ISO 27001 audit.
If the organisation already has an ISO 27001 certificate and wants to upgrade its commitment, then a separate audit for the PIMS documentation may be conducted. In such a case, a minimum of 0.5 days must be added to the audit duration.
FAQ for ISO 27701 Certification
The cost of your ISO 27001 certification will be quoted based on organization size and risk profile. The offer will contain a fixed fee basis and the estimated audit days. This will allow you to better budget your certification project.
The cost of certification will depend on:
- your organisation’s total size
- the sector you operate in
- the number of locations you operate from and their particular activities
- your organisation risk profile
You will be assigned an account manager who coordinates the first stage of your journey towards the ISO 27001 certificate. This person will get you a fixed-fee quote and gather the key details of your desired certification scope.
The lead auditor will then arrange a 1-2 hour call with you to check that all aspects of your risk profile have been considered and that the audit plan structure matches the availability of the key people in your organization.
Once you have completed the audit, the account manager will keep you updated while the audit documentation is being processed by the compliance team in the certification body. After a positive review the ISO 27001 certificate will be issued to you.
We will also help you understand how to best use the certificate and associated logos, in order to avoid conflicts with the ISO rules.
Stratlane's accreditation is a key part of the assurance we can guarantee those who trust you by trusting your certificate.
Our accredited ISO 27001 certificates include not only your logo but also the logo of the accreditation body and respective accreditation associations.
Let's Get Your Company Certified!
Make use of our certification services so that your business gains the competitive advantage of having accredited ISO certifications.