ISO 27701 – is it worth it?

We’ll look at 7 Decision Factors, both pros and cons, to help you make that decision, and explore a really interesting alternative.

Let’s be positive and start with the 2 biggest positives – and how much of a positive these are will depend on your particular situation.

#1 Due Diligence

Survey after survey states that independent certifications are persuasive in due diligence. If you see a business is ISO 27001 certified, that gives you more comfort about their Security practices. And of course some customers demand certain certifications.

So, on that basis, if you have ISO 27001 it’s a no-brainer to go for ISO 27701 to demonstrate you’ve thought properly about Data Protection.

However, it doesn’t take much searching to find the negative arguments you’ll be hit with. For example: 

• Certificates might only relate to one function or one office or location, not necessarily the whole organisation or the part that looks after your data.
• There’s a lot of scepticism about how many organisations treat it like a marketing expense and don’t actually implement it properly, using ‘friendly’ auditors to back fill when certification comes round.

We acknowledge these arguments are out there – and some are more valid than others. On the whole though, you can’t disagree that having a certification (any certification, not just ISO) is a signal you’ve invested in that area, from Cyber Essentials to SOC 2 for Security, and ISO 9001 to ISO 14001 on Quality and Environment. But, do you really need to have an ISO? For example, only 0.05% of EEA and UK organisations have chosen to get certified for 27001 on Security.

#2 Privacy Framework

Anyone for PIMS? No, not the British summer drink; it’s the Privacy Information Management System that 27701 will make you put in place. It’s essentially an extensive Privacy Framework. This is excellent in itself, and a big positive. 

But there’s a pretty huge question here: there are many ways to put in place a Privacy Framework, such as the UK ICO’s free Accountability Framework, your favourite consultant’s documentation, NIST’s Privacy Framework, and solutions like Keepabl’s intuitive SaaS delivering a Privacy Framework “out of the box” based on GDPR.

The point is that it’s not rocket science and there are many ready-made frameworks out there you may feel are more appropriate, more applicable or otherwise a better fit for you. It’s not hard to create a Privacy Framework, the key is selecting the method that’s appropriate for your organisation.

The GDPR is all about putting in place ‘appropriate’ measures – appropriate, for example, to the risk to individuals and to the state of the art. The UK ICO confirms that your Privacy Framework will likely flex according to the size of your organisation. And the UK Government’s review of UK Data Protection law, launched in September 2021, certainly seems to be looking to make compliance more practical. Let’s wait and see how that one pans out.

So why go to the extent of tying yourself to 27701’s Privacy Information Management System, after having tied yourself to 27001’s Information Security Management System, if it’s not appropriate for you? 

Now let’s look at the 3 biggest negatives – and, again, how much of a negative these are will depend on your particular situation.

#3 27701 is not (yet) an official GDPR certification

Many people hoped that 27701 would be an official GDPR certification. As at 15 September July 2021, it’s not. It’s ‘just’ a standard you can tweak for GDPR. At the time of this blog, while there are some national certifications dealing with certain aspects of GDPR such as destruction, there is no official EU-wide certification for GDPR.

So you will be able to say you’re 27701 certified, but it’s not (yet at least) an official GDPR certification and it’s not a pure GDPR-focused standard. So, right now, this is probably a neutral point.

Of course, if this changes and 27701 does become an official GDPR certification, then this is a massive positive.

#4 GDPR is a law

There’s never been a generally-applicable security law in the UK, so Security standards have filled the gap, with a set of rules to be implemented in a risk-based manner, laying out a path for organisations to follow to improve their Security stance and reduce risk as they go about business. 

Does that sound familiar?

GDPR is a set of rules to be implemented in a risk-based manner, laying out a path for organisations to follow to improve their Data Protection stance and reduce risk as they go about business. GDPR, in that case, can be seen as its own standard.

At the end of the day, what can a standard like 27701 do? It can only mirror the GDPR but you’ll still need to check you comply with the GDPR.

With 27701 you have a whopping great law out there, enforced by regulators and the courts, turning out decisions, and with regulators turning out guidance – not always in accordance with each other.

So while the certification would most likely help you in your vendor due diligence, what 27701 and the ISO say is really immaterial at the end of the day. It’s what your respective GDPR, the CJEU and the UK Supreme Court says that matters.

#5 Reliance on 27001 

As we said, 27701 is not a standalone certification – it’s an extension to 27001. So you have to get certified for 27001 before (or at the same time as) you get certified for 27701. 

There are many good reasons to look at Privacy and Security together. But, again, there’s many ways to do this. 

Again, 99.95% of European organisations have decided not to get certified under 27001 for their Security practices, no doubt for various reasons. You can see our Privacy Kitchen video 27001 is not GDPR for more detail. 

We did that with 2018 stats, but the 2019 percentages were almost identical. It still only has a maximum 0.05% adoption rate amongst European businesses.

So, will 27701 make a sufficient impact on the cost-benefit analysis to push people through 27001 to 27701? It’s looking unlikely at this stage.

#6 It’s Flexible & International

A strength of 27701 can also be seen as a weakness; it’s designed to be flexible enough to allow you to create a PIMS that satisfies many jurisdictions’ laws. 

But that flexibility can be seen as a big negative: 27701 doesn’t equal GDPR, you have to tweak it for GDPR and it’s not an official GDPR standard (as yet). 27701 even has an annex to help you cross-check it against GDPR.

And if you’re going to tinker with it for GDPR, and for CCPA, and for the LGPD, then where has the ‘standard’ gone – where’s GDPR in there?

It’s easy to understand the desire for a certification for GDPR (and it’s important to note that the ISO already has other standards for Privacy), but 27701’s flexibility rather chips away at the idea of a GDPR standard and, possibly, lead to questions about what processing, business units and laws your certification covers. So customers and partners may want to dig a bit more into your PIMS and Privacy Governance.

#7 Cost

The cost of certified compliance with an ISO, both in terms of cash and time, and in obtaining and maintaining certification, is not insignificant. If your organisation has tight budgets and no real internal or external demand for an ISO certification, you may well decide not to go for 27001 or 27701.

For example, Keepabl has Cyber Essentials Plus, the independently certified security standard launched by the UK Government as a simpler standard. It’s a great alternative and, for example, is the standard required by the NHS Toolkit and the G-Cloud framework, which Keepabl has been named to.

However, the cost of an ISO certification and maintaining it is bearable for mid-sized and larger organisations and indeed anyone with a good business case for it. So, how much of a negative this is, really depends on your business and size.

Bonus Tip

Now for our bonus tip, a very interesting alternative to 27701…

If you really want a certification aligned with GDPR – again, none have been officially approved as a full GDPR standard as yet – you should take a look at British Standard 10012. 

As the British Standard Institute notes, BS 10012 is a British standard specifying a personal information management system aligned to the GDPR and UK Data Protection Act 2018. 

At an ENISA event in 2017, a speaker noted BS 10012’s focus on the GDPR and referred to it as ‘state-of-the-art work but not certifiable’. Well, now you can get certified against it.

What’s your decision?

So there we have it! You can use those 7 factors to help decide whether you really need certification or to go another route. Do let us know what you think, we’d love to hear from you at hello@keepabl.com and you can comment on our Privacy Kitchen video.

Keepabl’s here to help!

Why not choose Keepabl as a way to create your instant Privacy Framework focused on GDPR? Our award-winning Privacy Management Software allows you to get up and running with ease, with simple data mapping, instant Article 30 Records creation and comprehensive Risk and Breach functionality for peace of mind. And, you can export KPIs, insights and reports on all of this at the click of a button so you can keep the Board and Auditors happy.

Want to get going? Get your Keepabl demo. We’re passionate about GDPR and we’d love to speak with you to show how SaaS automation can improve your compliance.

Privacy Kitchen 

Be sure to watch our Privacy Kitchen video on 27701!

And check out the other videos on our Privacy Kitchen channel, free video help on all things GDPR and Privacy. There’s a wealth of valuable information on topics including How to Prepare for GDPR Breach, The 7 Principles of GDPR and Schrems II – What does it mean?