
Information Security Management System (ISO/IEC 27701)

ISO/IEC 27701 is an international standard that sets out the requirements for establishing, implementing, maintaining, and continually improving information security management in an organization. The standard provides a comprehensive framework for protecting the confidentiality, integrity, and availability of information.

ISO/IEC 27701 is designed to complement the existing ISO/IEC 27001 standard, which provides guidelines for the implementation of an information security management system (ISMS). While ISO/IEC 27001 focuses on the implementation of information security controls, ISO/IEC 27701 extends these guidelines to include privacy considerations and the protection of personal data.

The standard defines the information security management system as a systematic approach to managing sensitive information, including personal data, and protecting it from unauthorized access, use, disclosure, disruption, modification, or destruction. The standard outlines a risk management process that organizations must follow to identify and evaluate privacy risks, implement appropriate controls, and monitor the effectiveness of these controls.

The standard defines the key components of an information security management system, including:

Policies: Organizations must establish policies and procedures to guide the implementation and management of the ISMS.

Organization of information security: Organizations must appoint a person or group responsible for managing information security and ensure that they have the necessary resources and authority to carry out their responsibilities.

Asset management: Organizations must identify and categorize their information assets and determine the level of protection required for each asset.

Human resources security: Organizations must ensure that all personnel involved in the processing of sensitive information are aware of their responsibilities and have received the necessary training.

Physical and environmental security: Organizations must implement appropriate measures to protect their physical facilities and equipment from unauthorized access, damage, and destruction.

Communications and operations management: Organizations must establish secure communications and operations management practices, including disaster recovery and business continuity procedures.

Access control: Organizations must implement access controls to ensure that sensitive information is only accessible to authorized personnel.

System acquisition, development, and maintenance: Organizations must ensure that the information systems they acquire, develop, or maintain are secure and that any changes to these systems do not compromise the security of sensitive information.

Supplier relationships: Organizations must ensure that their suppliers and contractors comply with the information security requirements outlined in the ISMS.

The standard also outlines the requirements for continual improvement of the ISMS, including the implementation of a review process, regular risk assessments, and the implementation of any necessary corrective actions.

In conclusion, ISO/IEC 27701 provides a comprehensive framework for managing and protecting sensitive information, including personal data, in an organization. The standard helps organizations to meet their legal and regulatory obligations and to build trust with their customers and other stakeholders by demonstrating their commitment to information security and privacy. NSPECT.IO, which uses Google Cloud for its operations, has undergone the ISO/IEC 27701 certification process to demonstrate its commitment to the protection of sensitive information.

The Information Security Management System (ISO/IEC 27701) is a global privacy standard established by the International Organization for Standardization (ISO), a non-governmental organization made up of 163 national standards bodies. The standard focuses on the collection and processing of personally identifiable information (PII) and is designed to help organizations comply with international privacy laws and frameworks.

ISO/IEC 27701 extends the requirements of ISO/IEC 27001 and ISO/IEC 27002 to include data privacy and provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). The standard includes requirements and guidance for organizations acting as PII controllers and PII processors.

NSPECT.IO operates using the Google Cloud Platform for its marketplace operations. Google Cloud Platform has received an accredited ISO/IEC 27701 certification as a PII processor, following an audit by an independent third party.
