This concise guide takes you through the process of implementing the ISO/IEC 27701 international standard for privacy information management using the CertiKit ISO/IEC 27701 Toolkit. It provides a recommended route to certification against the standard starting from a position where the organization has already implemented (and possibly become certified to) the ISO/IEC 27001 information security standard. Indeed, certification to ISO/IEC 27701 is not an option on its own – ISO/IEC 27001 is a necessary prerequisite to ISO/IEC 27701. This point will become increasingly clear as we go through the ISO/IEC 27701 standard and begin to understand its structure.
Of course, every organization is different and there are many valid ways to embed the disciplines of information privacy. The best way for you may well depend upon factors including:
- The size of your organization
- The country or countries in which you operate
- The culture your organization has adopted
- The industry you operate within
- The resources you have at your disposal
- Your legal, regulatory and contractual environment
View this guide simply as a pointer to where you could start and a broad indication of the order in which you could do things. There is no single “right way” to implement information privacy; the important thing is that you end up with a Privacy Information Management System (PIMS) that is relevant and appropriate to your specific organization’s needs.