ISO 27701, the new kid on the block...
In my humble opinion, setting aside the direct commercial activities of organisations, three areas of business focus are here to stay.
Health & Safety, Environmental and Data Protection. Each element is gaining significant traction, particularly the latter two in recent times given mankind's wanton disregard for our planet's sustainability and society's unwillingness to permit corporations to continue to play fast and loose with our personal data.
The legal/moral, lawful and financial reasons for having your health & safety and environmental houses in order are well documented, and GDPR has raised the bar in terms of protecting the most valuable commodity on earth.
The unfortunate fact, however, is that whilst all businesses hear what is needed, too many choose not to listen. That discussion, however, can wait for another day.
For those that have embraced the cycle of compliance (and I remind all that there is no such thing as a finishing post or winning line), switching off the lights at COB with a knowing grin and clear conscience is something to be cherished.
As detailed elsewhere on these pages, a management system within your organisation affords you control, efficiencies, competitive advantage, heightened employee morale, improved credibility, compliance...
And it doesn't have to be a certified option.
ISO standards are not prescriptive. They say what needs to be done, but not how, and for many businesses that would benefit from a formal management system, that lack of knowledge/understanding is what deters them.
Whilst standards are not legal requirements, many movers and shakers have identified the need to implement them.
ISO 45001 deals with health & safety (OHSMS), ISO 14001 is environmental (EMS) and ISO 27001 information security (ISMS).
In all truth, 27001 filled me with some trepidation before I embarked on my Lead Auditor and Lead Implementer journey. My assumption was that it would be of most benefit to those from an IT background. I was mistaken. And having emerged unscathed, it was actually the most enjoyable of processes.
It is a more technical standard, and the requirements placed on organisations by elements such as the Statement of Applicability (Annex A and its 114 information security controls) can be time-consuming and costly.
Yet its importance to the risk management process cannot be overstated given that an SoA will be your go-to justification for your control profile in the event of any external investigation for a data breach.
The ante, however, has been ramped up in recent months with the introduction of ISO 27701, which amounts to an extension of 27001.
The new kid on the block is a Privacy Information Management System (PIMS). It is GDPR-driven, with focus being on protecting the privacy rights of the individual - albeit by its very nature it enhances a company's existing ISMS.
It is an important fact to digest that 27701 is not a stand-alone option; it has to dovetail with 27001. Both can be adopted concurrently, but only 27001 can be implemented in isolation as a first step.
And certification to 27701 will not confirm legal compliance with GDPR, but there is no doubting that such accreditation will ensure the regulators (ICO) look more favourably on businesses with a robust system in place to assess, react to and reduce risks associated with the collection, maintenance and processing of personal information.
If considering, I would suggest that buying the 27701 standard is essential. Thereafter the commercial realities/benefits will be easier to identify.
The success or failure of the project will then depend on having demonstrable management support and the necessary resource to follow the plan through.
ISO 27701 will not even register on many radars, and understandably so, but for others it will be an absolute requirement, so it is never too early to start on that process of due diligence.
2020 is likely to be a big year for this new standard.
*I am a qualified lead implementer in 27001 and 45001, and lead auditor in 45001, 27001 and 14001.