The scope of the ISO 27001:2022 standard is to provide requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process. One of the objectives of the standard is to give confidence to interested parties that risks are adequately managed.
If we compare ISO 27001 with a framework such as PDPCSI, the following differences stand out.
1. PDPCSI applies to personal data only, while ISO 27001 applies to both personal and non-personal data.
2. PDPCSI is related to mitigating the risk of non-compliance with a given personal data protection law, while ISO 27001 is related to preserving the CIA (confidentiality, integrity and availability) of information.
3. PDPCSI is to mitigate/avoid the risk of penalty under the data protection law, while ISO 27001 is to provide confidence to business partners.
There is one school of thought that ISO 27001 is an ISMS system while PDPCSI is a law compliance system and the two are not comparable.
However, law compliance always refers to the “Reasonable Security” to be maintained on personal data as part of the requirement of compliance. It is one of the sections of the law, such as Article 32(2) of GDPR or Section 9(4) of DPDPB 2022.
Article 32(2) of GDPR states: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Article 9(2) of DPDPB 2022 states: “Every Data Fiduciary and Data Processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.”
ISO 27001 addresses these specific requirements of the data protection laws since it is a framework for preserving the confidentiality, integrity and availability of information.
However, PDPCSI considers this as only one of its important requirements; there are a multitude of other requirements that it tries to address. The main requirements of privacy are establishing the legal basis for processing, protecting the rights of the data subjects, ensuring compliance throughout the life cycle of the data processing, etc. Obviously, ISO 27001 does not aim to address these aspects.
In that case, it is unclear what the change of title of ISO 27001 to include “Privacy Protection” means.
While the number of controls in Annex A of ISO 27001 was reduced from 114 to 93 in the new version, the following 11 new controls were added:
- A.5.7 Threat intelligence
- A.5.23 Information security for the use of cloud services
- A.5.30 ICT readiness for business continuity
- A.7.4 Physical security monitoring
- A.8.9 Configuration management
- A.8.10 Information deletion
- A.8.11 Data masking
- A.8.12 Data leakage prevention
- A.8.16 Monitoring activities
- A.8.23 Web filtering
- A.8.28 Secure coding
The reduction of the number from 114 to 93 came about because several other controls were merged. 35 of the earlier 114 controls remain unchanged, 23 controls were renamed and the remaining controls were merged into 24 new controls.
Hence, if “Privacy Protection” has been added to ISO 27001 in the new version, it should be part of the above 11 controls.
On the other hand, ISO 27701 addressed the privacy-related controls applicable to PII as a PIMS and included requirements such as:
- Awareness and training: These controls address the need to raise awareness of privacy risks among employees and to provide them with training on how to protect personal data.
- Consent: These controls address the need to obtain consent from individuals before collecting, using, or disclosing their personal data.
- Data minimization: These controls address the need to collect only the personal data that is necessary for the purpose for which it is being collected.
- Data security: These controls address the need to protect personal data from unauthorized access, disclosure, modification, or destruction.
- Privacy impact assessment: The organization should conduct a privacy impact assessment (PIA) to identify and assess the privacy risks associated with its processing of personal data.
- Privacy policy: The organization should have a privacy policy that sets out the organization’s commitment to privacy and the rights of individuals with respect to their personal data.
- Data protection officer: The organization should appoint a data protection officer (DPO) to oversee the organization’s compliance with privacy laws and regulations.
- Data breach notification: The organization should have a process for notifying individuals and regulators of data breaches.
ISO 27701, however, was not a certification standard on its own; its implementation had to be done along with ISO 27001 for certification.
Hence, if we are looking at ISO 27001 as a standard for a PIMS, then we need to look at both ISO 27001:2022 and ISO 27701:2019. However, ISO 27001:2022 does not refer to ISO 27701 in its normative reference list because it is the base standard and ISO 27701 is only guidance. ISO 27701, on the other hand, refers to ISO 27001:2013 and not ISO 27001:2022.
Hence ISO 27001:2022 cannot be considered a framework for privacy management despite its title. A creative auditor may, however, read several aspects of privacy into “Confidentiality”.
But ISO 27001 + ISO 27701 is comparable to PDPCMS as a standard for implementation and certification of a PIMS.
ISO 27001 is relevant in comparison with PDPCMS to the extent that PDPCMS protects the CIA of personal data, and hence we can continue to look at ISO 27001 from this limited perspective. After completing the discussion on ISO 27001, we shall explore ISO 27701 also.
Naavi