ISO 27701:2019, published in Aug 2019, specifies requirements and offers guidance on establishing, managing, and continually improving a Privacy Information Management System (PIMS). It extends the scope of the ISO 27001 Information Security Management System (ISMS) and of ISO 27002 to cover privacy and the protection of personal data. The standard gives PII controllers and PII processors guidelines for the processing of Personally Identifiable Information (PII) that can be adapted to achieve compliance with global data privacy regimes such as the General Data Protection Regulation (GDPR) and other data privacy legislation. Because it is an extension, companies intending to implement ISO 27701 must already be ISO 27001 compliant or must certify for both simultaneously.
ISO 27001, ISO 27002 & GDPR: How ISO 27701 Builds on Their Legacy
With data privacy laws multiplying, a standard that could be followed the world over became a necessity. ISO 27701 was designed with the requirements of global data privacy laws in mind, and its adaptability to those laws is one of its greatest strengths.
ISO 27001 is built on the principles of the CIA triad (Confidentiality, Integrity, and Availability) to protect sensitive information and critical assets and to establish accountability and supervision within an organization. ISO 27002 is essentially a guide to best practices for information security, cyber security, and privacy protection controls, and provides guidelines for implementing ISO 27001. ISO 27701 integrates and builds upon the existing controls of ISO 27001 and ISO 27002 to establish a PIMS that is implemented, managed, and continuously improved. It specifies requirements for the processing of PII by both PII controllers and PII processors within an ISMS, and it draws a clear distinction between controllers and processors, each subject to different requirements. GDPR and ISO 27701 look very different on paper (GDPR is a mandatory regulation, ISO 27701 an optional certification), but both aim to strengthen data privacy by emphasizing confidentiality of data, a robust documentation process, and the assessment and minimization of risk.
Although ISO 27701 is not mandatory, it is a strategic tool that helps businesses build trust, bypass privacy audits, improve customer morale, and adapt to achieve compliance with any data privacy law.
ISO 27701 Data Sanitization Requirements
PIMS-specific requirements and implementation guidelines have been added to the existing controls of ISO 27001. Since ISO 27701 is adaptable to various data privacy laws, the data sanitization protocols those laws prescribe can be used as a reference. ISO 27001 control A.8.10 [Information deletion] requires 'data deletion' once information reaches the end of its use. Similarly, several ISO 27701 controls require data deletion; the following sections set out the ISO 27701 data sanitization requirements they impose:
1. PIMS Specific Guidance Related to ISO 27002 [Section 6]
[Section 6.8.2.7] "The organization should ensure that, whenever storage space is re-assigned, any PII previously residing on that storage space is not accessible."
Secure Disposal or Re-use of Equipment: Organizations must ensure that no PII remains on media scheduled for reuse. Before the media is reassigned, it must be sanitized through logical destruction of the data using secure data erasure software.
2. Obligations to PII Principals [Sections 7 & 8]
[Section 7.3.4] "The organization should provide a mechanism for PII principals to modify or withdraw their consent."
Providing a Mechanism to Modify or Withdraw Consent: PII principals have the right to withdraw their consent, and organizations should inform them of this right and provide ways to exercise it. Once consent is withdrawn, no further processing of that data should take place. Data privacy laws mandate 'deletion of data' beyond recovery within a stipulated time frame.
[Section 8.3.1] "The organization should provide the customer with the means to comply with its obligations related to PII principals."
Obligations to PII Principals: The obligations between an organization and its customer can be covered under existing contracts, state laws, or regulations. These obligations extend to the deletion of personal data within a specified time limit. Organizations can meet them by using a software-based approach to delete data beyond recovery.
3. Privacy By Design and Privacy By Default [Sections 7 & 8]
[Section 7.4.5] "The organization should either 'delete PII' or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s)."
PII De-identification and Deletion at the End of Processing: Once PII has reached its logical end and no further processing is required, the organization must ensure erasure beyond recovery. Data privacy laws mandate erasure with certified software that renders data recovery impossible.
[Section 7.4.8] "The organization should have documented policies, procedures, and/or mechanisms for the disposal of PII."
Disposal: Once data reaches its end of life, a robust data erasure policy should govern its secure disposal. In keeping with prevalent data privacy laws, media sanitization through logical destruction using overwriting software is recommended. Physical destruction is also prescribed in some situations, so the policy should address both scenarios.
[Section 8.4.1] "The organization should ensure that temporary files created as a result of the processing of PII are disposed of (e.g. erased or destroyed) following documented procedures within a specified, documented period."
Temporary Files: These files sometimes contain identifiers that point to PII, so deleting them regularly is necessary for data privacy. Scheduling data erasure as a routine task is extremely beneficial for organizations, helping them with audits and compliance.
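The temporary-file disposal described for Section 8.4.1 above, as an added example that is not from the article or from BitRaser: a retention-based sweep that overwrites each expired file with zeros, verifies the overwrite by reading the file back, unlinks it, and appends one JSON audit line per file as the verifiable trail. The seven-day retention period, the file names and the sample content are assumptions; in-place overwriting only reaches the old blocks on media and filesystems that rewrite in place, so on SSDs or copy-on-write filesystems it must be paired with encryption or device-level sanitization.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path
from typing import List, Optional

RETENTION_SECONDS = 7 * 24 * 3600   # assumed documented retention period: 7 days
SAMPLE_PII = b"session=42;name=Alice Example;email=alice@example.invalid"  # constructed

def expired(path: Path, now: float, retention: int = RETENTION_SECONDS) -> bool:
    """True when the file's mtime is older than the documented retention period."""
    return (now - path.stat().st_mtime) > retention

def overwrite_and_unlink(path: Path, passes: int = 1) -> dict:
    """Overwrite the file with zeros, fsync, verify by read-back, then unlink.
    The pre-overwrite hash identifies the file in the audit trail without keeping PII."""
    data = path.read_bytes()
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\x00" * len(data))
            f.flush()
            os.fsync(f.fileno())
    verified = path.read_bytes() == b"\x00" * len(data)   # read-back verification
    path.unlink()
    return {"path": str(path), "bytes": len(data), "passes": passes,
            "sha256_before": hashlib.sha256(data).hexdigest(),
            "overwrite_verified": verified,
            "disposed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def dispose_expired(tmp_dir: Path, audit_log: Path, now: Optional[float] = None) -> List[dict]:
    """Dispose of every expired regular file directly under tmp_dir and append
    one JSON line per file to audit_log (the evidence an auditor will ask for)."""
    now = time.time() if now is None else now
    records = [overwrite_and_unlink(p) for p in sorted(tmp_dir.iterdir())
               if p.is_file() and expired(p, now)]
    with open(audit_log, "a") as log:
        for r in records:
            log.write(json.dumps(r) + "\n")
    return records

def make_sample_dir(now: float) -> Path:
    """Constructed fixture: one temp file past retention and one fresh file."""
    d = Path(tempfile.mkdtemp())
    old, new = d / "session_old.tmp", d / "session_new.tmp"
    old.write_bytes(SAMPLE_PII)
    new.write_bytes(b"fresh")
    stale = now - 10 * 24 * 3600      # ten days old, beyond the 7-day period
    os.utime(old, (stale, stale))
    os.utime(new, (now, now))
    return d
```

Running `dispose_expired(make_sample_dir(time.time()), Path("audit.jsonl"))` removes only the stale file and leaves one audit line behind.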
[Section 8.4.2] "The organization should provide the ability to return, transfer, and/or dispose of PII securely. It should also make its policy available to the customer."
Return, Transfer, or Disposal of PII: PII eventually reaches a stage where it must be returned to the customer, transferred to another organization, or disposed of securely. Using data erasure software for secure deletion helps organizations meet this requirement.
Software-Based Data Sanitization for ISO 27701 Compliance
ISO 27701:2019 certification is designed to help organizations mitigate risk and be ready for compliance. The acceptance and recognition of ISO make adopting it both desirable and necessary. Permanent, secure data wiping fulfills the ISO 27701 data sanitization requirements by ensuring that deleted customer data and disposed-of storage devices cannot be recovered by any means. Permanent sanitization can be achieved with professional data erasure tools like BitRaser, an easy-to-use DIY software that ensures compliance with major data privacy laws such as CPRA, GDPR, SOX, and HIPAA and fulfills ISO 27701 data sanitization requirements. Adhering to 24 international data erasure standards, the software securely wipes media devices, rendering data recovery impossible. It follows data sanitization best practices by generating verifiable audit trails, keeping a cloud repository of reports and certificates for round-the-clock global access, and offering complete verification to guarantee that data is wiped beyond the scope of recovery, even by forensic means.
The broad framework of ISO 27701 gives organizations the structure they need to comply with data privacy laws, build trust, and improve public perception. The certification provides a solid foundation for companies to build on and achieve compliance. Its underlying principle of continuous improvement prepares organizations for future threats and aligns their security posture accordingly. ISO 27701 data sanitization requirements are consistent with major privacy laws, and ISO 27701 certification spares organizations unnecessary risks, fines, and penalties.