Authored by Douglas Stewart, Senior Director, Solutions Consulting at OpenText
A few months ago, while doing some data privacy research, I was excited to learn about the recently issued ISO 27701 standard for privacy information management. This is an extension to ISO 27001—the gold standard for information security. And, for me, the latest news brought back memories from mid-2008, when I became well acquainted with the information security standard.
At the time, I was the director of technology for a fast-growing eDiscovery software and service provider—and I’d been given the task of obtaining ISO 27001 certification for the business. While that standard was new to me, I had a solid foundation in information security, an IT team that was well versed in security best practices, and experience with continual improvement systems going back to the days of TQM, or total quality management.
I figured that getting certified would improve our information security practices, demonstrate to customers our commitment to information security, and better equip our IT team to protect our information. But I had no idea how transformative the ISO 27001 certification would be for our entire company.
Let me explain.
The benefits of ISO 27001 certification
The ISO 27001 controls, by design, ended up positively impacting all aspects of our operations—front- and back-office functions—and every employee. By the time of our initial certification audit, our entire organization was working as a coordinated team to ensure the security of the information assets entrusted to us.
Policy, process and personnel development accounted for most of the certification effort, but we also made technology investments driven largely by policy and process requirements. This provided a good lesson in the power of the intentional application of the people-process-technology triad.
The ISO 27701 extension
The organizational transformation that I witnessed as a result of the ISO 27001 certification is what makes me excited about the new ISO 27701 extension. In a nutshell, ISO 27701 provides a framework for handling personal information within an organization. It does this by extending the Information Security Management System (ISMS) required under ISO 27001 through the development of a Privacy Information Management System (PIMS). The PIMS layers data-privacy-specific controls and requirements on top of the information security framework mandated by ISO 27001. In other words, it leverages your existing information security policy and procedure framework.
Considering the large overlap between information security and data privacy, the ISO 27701 extension of ISO 27001 seems like a smart approach to data privacy management and compliance. The new standard also supports the idea that organizations should not go it alone or resort to ad hoc methods when crafting their data privacy policies and procedures.
Look to the experts—and existing regulations and law
There is a lot of great guidance on data privacy out there, and a lot of it is free. Regulations and laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) did not grow out of thin air. Rather, they are based on existing best practices, standards and controls. Consequently, the more you can align your organization’s policies with these public standards and best practices, the better positioned you will be when new data privacy laws, regulations and rules are enacted.
I have long held that the most effective way to manage data privacy risks is to build on the experience of those who have gone before. So make use of the best and better practices endorsed by groups like the International Association of Privacy Professionals, the National Institute of Standards and Technology, ARMA International and the Association for Intelligent Information Management. Read up on the relevant ISO standards like ISO 27001 and ISO 27701. Find experts who have the experience you don’t yet have. And apply the most appropriate technology to address your data privacy challenges.
Learn how OpenText™ Intelligent Viewing can help you address your data privacy challenges. OpenText Intelligent Viewing is a cloud-first universal file viewing solution that offers secure viewing, collaboration, and redaction. Intelligent Viewing provides in-house and remote employees with consistent, reliable access to content while ensuring that it never leaves the repository.