Project Description

ISO 27701 Certification

Does your organization have a robust management system in place to address the regulatory requirements related to personal data? For example, the EU's GDPR, the California Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), the Personal Data (Privacy) Ordinance (Cap. 486, PDPO) in Hong Kong, and the Network Security Law and Personal Information Protection Law in Mainland China. Have you heard about ISO 27701?

ISO 27701:2019 is an extension to ISO 27001 and ISO 27002 for privacy information management. The goal of ISO 27701:2019 is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.


ISO 27701 can be applied to any organization that needs to manage the Personally Identifiable Information under its control, such as a bank, insurance company, telecommunication company, airline, data center, agent, NGO, hospital, or school.

Requiring suppliers and service contractors to obtain ISO 27001 and ISO 27701 certification can be a good option for an organization to address supply-chain risks related to PII regulations. Organizations planning to seek ISO 27701:2019 certification can plan it together with ISO 27001:2013 certification.

ISO 27701 Privacy Information Management System Certification

Does your organization have an appropriate management system in place to address the regulatory requirements related to personal data? For example, the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the US Health Insurance Portability and Accountability Act (HIPAA), Hong Kong's Personal Data (Privacy) Ordinance (PDPO), and Mainland China's Cybersecurity Law and Personal Information Protection Law. Have you heard of ISO 27701?

ISO 27701, first published in August 2019, is an extension of ISO 27001 and ISO 27002 for privacy information management. The standard is under development and is expected to be published soon.

The goal of ISO 27701:2019 is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework applicable to Personally Identifiable Information (PII) Controllers and PII Processors for managing privacy controls, in order to reduce the various risks to individuals' privacy rights.


ISO 27701 can be applied to any organization that needs to manage personally identifiable information, such as banks, insurance companies, telecommunication companies, airlines, data centers, agents, non-governmental organizations, hospitals and schools.

Requiring suppliers and service contractors to obtain ISO 27001 and ISO 27701 certification is a good option for an organization to address the risks related to personal information regulations that arise from its supply chain. Organizations planning to seek ISO 27701:2019 certification can plan it together with ISO 27001:2013 certification.

Structure of ISO 27701:2019

The requirements of the standard are segregated into the following four groups:

  1. PIMS requirements related to ISO/IEC 27001 are outlined in clause 5.
  2. PIMS requirements related to ISO/IEC 27002 are outlined in clause 6.
  3. PIMS guidance for PII Controllers is outlined in clause 7.
  4. PIMS guidance for PII Processors is outlined in clause 8.

The standard further includes the following informative annexes:

  1. Annex A lists all applicable controls for PII Controllers.
  2. Annex B lists all applicable controls for PII Processors.
  3. Annex C maps ISO/IEC 27701 controls against GDPR.
  4. Annex D maps ISO/IEC 27701 controls against ISO/IEC 29100.
  5. Annex E maps ISO/IEC 27701 controls against ISO/IEC 27018.
  6. Annex F maps ISO/IEC 27701 controls against ISO/IEC 29151.


  1. Clause 5 outlines the PIMS requirements related to ISO/IEC 27001.
  2. Clause 6 outlines the PIMS requirements related to ISO/IEC 27002.
  3. Clause 7 outlines the PIMS guidance for PII Controllers.
  4. The PIMS guidance for PII Processors is outlined in clause 8.


  1. Annex A lists all applicable controls for PII Controllers.
  2. Annex B lists all applicable controls for PII Processors.
  3. Annex C lists the mapping between GDPR and ISO/IEC 27552 controls.
  4. Annex D lists the mapping between ISO/IEC 29100 and ISO/IEC 27701.
  5. Annex E maps ISO/IEC 27018 against ISO/IEC 27701 controls.
  6. Annex F lists the mapping between ISO/IEC 29151 and ISO/IEC 27701 controls.

Integration of ISO 27001 and ISO 27701

  • ISO 27001 defines the requirements for an information security management system (ISMS).
  • An organization with ISO 27001 certification can use ISO 27701 to further extend its information security controls to cover privacy information management, including its processing of personally identifiable information (PII).
  • An organization without ISMS certification can establish and implement ISO 27001:2013 ISMS and ISO 27701:2019 PIMS together as an integrated system.
  • ISO 27701 certification is being offered together with ISO 27001 certification.

Benefits of Certification

A PIMS implementation and certification against ISO 27701:2019 can bring about important benefits for PII Controllers and PII Processors.

  • First, apply one system to manage compliance with multiple privacy regulations and policies from multiple jurisdictions, such as the EU's General Data Protection Regulation (GDPR).
  • Second, help Data Protection Officers and top management provide evidence of due diligence to board members or other regulating parties regarding their privacy regulatory compliance efforts.
  • Third, PIMS certification can be valuable in communicating privacy compliance to customers and partners, and can signal trustworthiness to the public and other business partners.

Implementing a Privacy Information Management System and obtaining certification against ISO 27701:2019 can bring significant benefits to PII Controllers and PII Processors.

  • First, use one system to manage compliance with multiple privacy regulations and policies from multiple jurisdictions, such as the EU's General Data Protection Regulation (GDPR).
  • Second, help Data Protection Officers and top management provide the organization's board or other regulatory parties with evidence of due diligence in their privacy regulatory compliance work.
  • Third, PIMS certification is very valuable for communicating privacy compliance to customers and partners. PIMS certification can be a mark of trustworthiness to the public and other business partners.
