Privacy is necessary for the modern age due to the ever-increasing rate of digitisation. Privacy addresses the treatment of personal data legitimately. Information security addresses the confidentiality, integrity and availability of personal data. Information security and privacy are interlinked, and privacy cannot be ensured without appropriate security controls.
Privacy Information Management System based on ISO/IEC 27701
In August 2019, the International Organization for Standardization (ISO) published ISO/IEC 27701, which extends the requirements and recommendations of ISO/IEC 27001 and ISO/IEC 27002 to address privacy issues. The standard specifies requirements and guides establishing, implementing, operating and continuously improving PIMS. It guides data controllers and processors on adequately securing personal data processing processes using a PIMS (Privacy Information Management System).
Benefits of PIMS for the organisation
- Building trust and increasing customer satisfaction
- Improving transparency of the organisation’s processes and procedures
- Maintaining the integrity of customer and other stakeholder information
- Effective management of the organisation and increased return on investment
- Compliance with legal, regulatory, contractual and other societal needs and expectations
Subject of our expert services
1 | Analysis of the existing system and PIMS project planning
Analysis of the context of the organisation and gap analysis of the current state • Development of an PIMS project plan
2 | Establishment and implementation of the PIMS
Identification and description of the boundaries and scope of the PIMS • Definition of the organisational structure, roles and responsibilities of individuals and relevant committees • Design of the information security and privacy policy • Setting up and documenting PIMS processes
3 | Information security and privacy risk management and controls management
Selection and documentation of information security and privacy risk management methodologies • Identification, analysis and evaluation of risks • Selection of risk treatment options and controls • Preparation of Statement of Applicability (SOA) • Management of risk treatment plans
4 | Documentation of topic-specific policies and procedures
PIMS documentation structure design and management • Design and documentation of topic-specific policies and procedures • Support for the implementation of specific measures • Design and performance of training and awareness-raising activities
5 | Internal audit, supplier audit and certification audit support
Draft and documentation of the PIMS internal audit charter • Draft PIMS audit programme and planning of audit activities • Implementation of internal audit and supplier audit • Support follow-up activities and actions after the audit • Preparation for and support during the certification audit
Advanced GRC applications
The difficulty of executing PIMS processes increases with the size of the organisation and the maturity of the management system. For complex organisations with complex management systems, we recommend using advanced modular tools.
More information can be found in the Applications section.
Quality of our services
During the provision of consulting services, the standards of quality of consultancy services based on ISO 20700, information security based on ISO/IEC 27001 and project management based on ISO 21502 are applied.
Competences of our consultants:
- Certified ISO/IEC 27701 Lead Implementer
- Certified ISO/IEC 27001 Lead Implementer *
- Certified ISO/IEC 27005 Lead Risk Manager *
- Certified ISO/IEC 27002 Lead Manager
- Certified Data Protection Officer *
When conducting an internal audit (first-party audit) or second-party audit, the best practice of auditing management systems, as defined in ISO 19011, ISO/IEC 27007, ISO/IEC TS 27008 and other relevant standards, is applied.
Competences of our auditors:
- Certified ISO/IEC 27701 Lead Auditor *
- Certified ISO/IEC 27001 Lead Auditor *
* NOTE: ISO/IEC 17024 accredited or relevant ISACA certification.