The new International Standard ISO/IEC TS 27006-2, which specifies requirements and provides guidance for bodies auditing and certifying a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, should be published shortly. It is therefore becoming increasingly clear what requirements certification bodies will have to comply with and how these requirements will be reflected in PIMS audits.
The structure of ISO/IEC TS 27006-2 follows the structure of ISO/IEC 27006 and extends it at certain points. The crucial point is that PIMS certification according to ISO/IEC 27701 is understood as an extension of ISMS certification according to ISO/IEC 27001. Let us look at the other essential details.
Conflict of interest
The impartiality of the certification body is one of the pillars that ensures the credibility of the issued certificates. The basic rule is that the certification body must be impartial and must not yield to any pressure that could compromise its impartiality (ISO/IEC 17021-1). In connection with ISMS certification based on ISO/IEC 27001, certification bodies must avoid activities that could be considered consultancy, including conducting the client's internal audit. They may, for example, only provide lectures and training, publish interpretations of individual requirements of the standards, or perform second- and third-party audits (ISO/IEC 27006).
In addition, according to ISO/IEC TS 27006-2, the certification body will not be allowed to provide the services of an external data protection officer or to conduct a data protection review for the organisation.
Competences of persons involved in certification audits and PIMS certification
Certification bodies must ensure that personnel have the appropriate knowledge and skills in relation to management systems and are geographically competent (ISO/IEC 17021-1). Concerning an ISMS based on ISO/IEC 27001, all members of the audit team must have knowledge of information security, management systems, auditing principles, and monitoring, measurement, analysis and evaluation of the ISMS. Collectively, the audit team must have technical knowledge of the activities being audited and be able to identify information security incidents (ISO/IEC 27006).
ISO/IEC TS 27006-2 extends the competence requirements for auditors, who will need specific knowledge of PIMS. It is clear that the list of eligibility requirements will include knowledge of the requirements and guidelines given in ISO/IEC 27701, knowledge of the guidance given in ISO/IEC 29100, and the ability to identify PII.
The draft ISO/IEC TS 27006-2 also addresses additional requirements for the general knowledge of the audit team. Greater emphasis is placed on knowledge of the structure, hierarchy and interrelation of the specific documentation in the field of privacy information management; privacy information risk assessment, privacy impact assessment and risk management; current technologies where privacy protection may be relevant or problematic; and industry best practices for protecting privacy information.
Those who review audit reports and make certification decisions will need to have PIMS-specific knowledge, such as knowledge of the privacy framework (ISO/IEC 29100), ISO/IEC 27701, legal and regulatory information security and privacy requirements, and how to define the scope of management systems based on ISO/IEC 27701.
Demonstration of auditors’ knowledge and experience
Auditors qualified in both the ISMS and PIMS fields may meet the requirement of ISO/IEC 27006, 7.2.1.1 d), i.e. participation in four certification audits totalling at least 20 days, of which at most five days in surveillance audits, through audits in both areas. According to the draft standard, certification bodies will also have to ensure that each auditor performs at least one on-site audit in both the ISMS and the PIMS area.
Auditors must maintain up-to-date knowledge and skills in the field of privacy information through continuous professional development. According to the draft ISO/IEC TS 27006-2, the certification body must demonstrate the knowledge and experience of auditors through recognised PIMS-specific qualifications; through the participation of auditors in PIMS training and the acquisition of relevant personal certificates; or through ISMS or PIMS audits witnessed by another ISMS or PIMS auditor.
Selection of auditors
In addition to the qualification requirements for auditors mentioned above, the criteria for the selection of PIMS auditors will need to ensure that each auditor has at least four years' full-time practical work experience in IT, of which at least two years in a role or function related to privacy. The same requirement should apply to technical experts who may participate in the certification audit.
Certification documents
The draft ISO/IEC TS 27006-2 standard extends the requirements for certification documents. The organisation must be identified as certified either as a PII controller or as a PII processor.
In addition to declaring that the organisation complies with ISO/IEC 27701, certification documents will be required to state the ISO/IEC 27001 certification on which the ISO/IEC 27701 certification is based. Certification documents will also need to indicate the version of the Statement of Applicability (SoA) for ISO/IEC 27701 if it exists separately from the SoA for ISO/IEC 27001.
The effective date of the PIMS certification according to ISO/IEC 27701 must also fall within the validity of the ISMS certificate according to ISO/IEC 27001 on which the PIMS certification is based. The subsequent recertification audit then logically covers both areas together.
Certification documents should (but are not required to) include the term "Privacy Information Management System", a list of the services included in the scope of certification and, of course, a statement that the certified organisation meets the requirements of ISO/IEC 27001 and ISO/IEC 27701.
Scope of Certification
The certification body will need to ensure that the scope of the ISO/IEC 27701 certification lies within the scope of the ISO/IEC 27001 certification. It is therefore not possible for the scope of ISO/IEC 27701 certification to fall, even partially, outside the scope of ISO/IEC 27001 certification.
The ISO/IEC 27701 audit program will need to identify the scope concerning the role of PII controller or PII processor. As mentioned above, this information will have to be stated on the certification documents.
The certification body must confirm that the PII processing activities are included in the scope of the client's PIMS.
The certification body will also need to ensure that the assessment of information security and privacy risks, and their treatment, properly reflects the client's activities and extends to the boundaries of those activities as defined in the scope of certification. Certification bodies will need to confirm that this is reflected both in the scope of the PIMS and in the auditee's Statement of Applicability (SoA).
Certification criteria
The audit criteria against which PIMS clients are audited are an ISMS based on ISO/IEC 27001 extended by a PIMS based on ISO/IEC 27701.
Audit duration
The certification body will need to allocate additional audit time for the ISO/IEC 27701 certification audit. The draft ISO/IEC TS 27006-2 expresses the additional audit time for the PIMS-specific aspects as a percentage increase over the audit time calculated for the ISMS audit according to Annex B of ISO/IEC 27006. However, the current draft does not yet state a concrete percentage.
Audit report
The audit report will have to state, as in the scope and the certification documents, the client's role in the processing of personal data, i.e. whether it acts as a PII controller or as a PII processor.
The decision on certification
The certification body will need to consider the impact that a nonconformity found against ISO/IEC 27701 could have on conformity with ISO/IEC 27001. If the organisation does not meet the privacy-specific requirements, this affects only its conformity with ISO/IEC 27701 and not with ISO/IEC 27001. In that case, the organisation need not worry that its ISO/IEC 27001 certification will be jeopardised.
Suspension, withdrawal or restriction of the scope of certification
In general, the certification body must suspend certification, e.g. if the management system persistently fails to meet the certification requirements (ISO/IEC 17021-1). According to ISO/IEC TS 27006-2, the certification body will then have to suspend, withdraw or reduce the scope of the ISO/IEC 27701 certification if the underlying ISO/IEC 27001 certification is suspended, withdrawn or reduced in scope.