ISO 27701, the new cybersecurity and data privacy standard

According to data protection specialists, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have published a new set of privacy requirements and guidance (ISO/IEC 27701) to help organizations comply with data protection laws in different parts of the world.

The new standard, ISO 27701, was written for adoption by any organization that collects or processes personally identifiable information (PII), whether as a PII controller or as a PII processor, and is expected primarily to assist companies governed by the European Union General Data Protection Regulation (GDPR).

The continuing failures and abuses of companies that handle personal information (such as Facebook), together with online criminal activity, have pushed governments around the world to apply stricter measures to protect the information of technology users. Rules such as the UK Data Protection Act, the California Consumer Privacy Act and the aforementioned GDPR now carry strict penalties for companies that fail to meet their security and data protection obligations, data protection experts say.

To help organizations meet those obligations, ISO 27701 provides a framework for implementing a privacy information management system (PIMS). It does this by extending the information security management system (ISMS) requirements of ISO 27001, and the controls of ISO 27002, with privacy-specific requirements and controls for the protection of PII.

According to data protection experts, ISO 27001 was designed to help organizations manage their information security policies and practices in a structured, risk-based way, so that compliance does not consume a disproportionate share of the budget. It specifies how information security is to be managed through policies, procedures and controls that span people, processes and technology.

The intent is for companies to adhere to both standards when demonstrating compliance with privacy laws in different parts of the world; in practice ISO 27701 is applied as an extension of an existing ISO 27001 management system rather than on its own. Doing so can be critical to preventing data breaches or, in the worst case, to limiting the impact of the incidents that do occur.

While no data protection legislation explicitly requires the adoption of these standards, specialists from the International Institute of Cyber Security (IICS) note that many companies treat them as a benchmark for demonstrating compliance with these strict laws.