
Mid-Sized Company - Big Goals: Getting Ready for ISO 27701
Challenge
A mid-sized service provider with a global client base that handles a wide range of client data types, from user profiles to financial transactions, wanted to demonstrate its commitment to data privacy and security by achieving ISO 27701 certification, the privacy extension to ISO 27001.
Key issues included:
- Global Compliance: The Company needed to comply with multiple data privacy regulations, including GDPR, CCPA/CPRA, and other international standards, but was uncertain about its actual regulatory requirements and obligations.
- Diverse Data Processing: Processing various datasets required tailored privacy measures for different types of data, and ad hoc practices complicated the path to certification.
- Client Trust: In a market increasingly focused on privacy, achieving certification was crucial for enhancing client trust and differentiating the brand, which added pressure to the team.
Solution
DPS Privacy implemented a structured, multi-phase approach to achieve ISO 27701 certification within the company’s desired timeline:
Phase 1: Initial Assessment
We started by leveraging the company’s existing Information Security Management System (ISMS) from ISO 27001 to set a strong foundation for ISO 27701. DPS Privacy meticulously defined the scope of the privacy extension, encompassing all business units and data processing activities. A comprehensive gap analysis was conducted to pinpoint discrepancies between current practices and ISO 27701 standards, allowing us to create a targeted action plan.
Phase 2: Implementation
DPS Privacy took immediate action to close identified gaps in the Privacy Information Management System (PIMS). We developed and updated essential policies, procedures, and guidelines tailored to the unique needs of the organization. Our team proactively validated vendor processes, ensuring third-party compliance, and ran thorough Privacy Impact Assessments on critical data processing activities. These actions were complemented by revising employee training programs to include ISO 27701 requirements, equipping staff with the knowledge to safeguard personal data effectively.
Phase 3: Documentation and Record Keeping
To solidify compliance efforts, DPS Privacy meticulously documented every aspect of the privacy program, creating a robust audit trail. We implemented a comprehensive record-keeping system that ensured all data processing activities were accurately tracked and aligned with ISO 27701 standards. This systematic approach not only prepared the company for certification but also established a culture of accountability and continuous improvement.
Phase 4: Internal Audits & Testing
DPS Privacy conducted rigorous internal audits to test the effectiveness of the newly implemented PIMS. Our team simulated real-world scenarios and performed mock certification audits to identify any remaining issues or deficiencies, providing the company with a clear path to certification readiness. We then led a series of surveillance audits, reinforcing best practices and pinpointing opportunities for further enhancement.
Results
- Achieved ISO 27701 Certification: The Company was prepared and successfully passed the certification audit, demonstrating its commitment to the highest standards of data privacy and security.
- Sustainable Compliance: The Company moved from ad hoc to a standardized approach that facilitated easier compliance across multiple jurisdictions, including GDPR and CCPA/CPRA, reducing complexity and risk.
- Established Cross-Functional Team: A dedicated team with representatives from Privacy, IT/Security, and the Business was created, encouraging collaboration and ensuring ongoing privacy governance.
- Ongoing Support & Improvement: DPS Privacy continues to work closely with the company, providing regular audits and updates to the PIMS, ensuring adaptability to evolving privacy regulations.