
NWI Revision of EN 17926

Scope

This document specifies refinements for an application of EN ISO/IEC 27701 in a European context.

This document is applicable to the same entities as ISO/IEC 27701: all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, that are PII controllers and/or PII processors.

An organization can use this document for the implementation of the generic requirements and controls of EN ISO/IEC 27701 according to its context and its applicable obligations.

Certification criteria based on these refinements can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a privacy information management system according to EN ISO/IEC 27701. This can be combined with certification requirements for EN ISO/IEC 27701 under ISO/IEC 17021.

Purpose

EN 17926 is normatively dependent on ISO/IEC 27701-2022, the revision of which started in 2023. Because ISO/IEC 27701 is going to change significantly, particularly in the way it relates to information security, EN 17926 should be revised to align with the new version of ISO/IEC 27701 (expected publication in 2024 or 2025).

EN ISO/IEC 27701 specifies a Privacy Information Management System that can be implemented in any jurisdiction. As a management system designed for international use, its requirements are generic, and its guidance can be adapted by organizations according to their context and applicable obligations.

Although EN ISO/IEC 27701 can be implemented under any jurisdiction, including under the General Data Protection Regulation (GDPR) (ISO/IEC 27701 Annex D contains a mapping between clauses of the standard and the GDPR), it is the responsibility of the organization to determine how to implement the requirements and controls of EN ISO/IEC 27701 in the context of the GDPR. This document will provide refinements to EN ISO/IEC 27701 that organizations can use in the GDPR context for the purpose of demonstrating compliance with their obligations. EN ISO/IEC 27701 combined with the refinements of this document constitutes a set of requirements that is more specifically designed and fit for the GDPR context than the generic ones of EN ISO/IEC 27701 alone.

Thus EN ISO/IEC 27701 can be considered an international framework that can be refined for a particular regional context (in the case of this project, the GDPR), and even extended with requirements fit for a given jurisdiction, country or sector (out of scope of this project).

This document specifies refinements to ISO/IEC 27701 for processing operations that are part of products, processes and services. It can be used for assessment of conformity to ISO/IEC 27701 in this context by first, second or third parties. In particular, certification bodies can use these requirements and refinements to assess the conformity of both a privacy information management system per ISO/IEC 17021 and the processing operations of a product, process or service per ISO/IEC 17065.

GDPR Article 42 establishes the possibility of certification mechanisms. Provisions of this document may be considered for the establishment of a certification mechanism as per GDPR Article 42.

Comment on proposal

Please email further comments to: debbie.stead@bsigroup.com