New Standard: ISO 27701:2019 Security techniques — Extension to ISO/IEC 27001and ISO/IEC 27002
Almost every organization processes Personally Identifiable Information (PII). Further, the quantity and types of PII processed is increasing, as is the number of situations where an organization needs to cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.
The Information Security Management System (ISMS) defined in ISO/IEC 27001 is designed to permit the addition of sector specific requirements, without the need to develop a new Management System. ISO Management System standards, including the sector specific ones, are designed to be able to be implemented either separately or as a combined Management System.
Requirements and guidance for PII protection vary depending on the context of the organization, in particular where national legislation and/or regulation exist. ISO/IEC 27001 requires that this context be understood and taken into account. This document includes mapping to:
— the privacy framework and principles defined in ISO/IEC 29100;
— ISO/IEC 27018;
— ISO/IEC 29151; and
— the EU General Data Protection Regulation.
However, these can need to be interpreted to take into account local legislation and/or regulation.
This document can be used by PII controllers (including those that are joint PII controllers) and
PII processors (including those using subcontracted PII processors and those processing PII as
subcontractors to PII processors).
An organization complying with the requirements in this document will generate documentary
evidence of how it handles the processing of PII. Such evidence can be used to facilitate agreements with
business partners where the processing of PII is mutually relevant. This can also assist in relationships
with other stakeholders. The use of this document in conjunction with ISO/IEC 27001 can, if desired,
provide independent verification of this evidence.
This standard (initially developed as ISO/IEC 27552) specifies a general framework, including principles, requirements and guidance for assessing, measuring, monitoring and reporting on investments and financing activities in relation to climate change and the transition into a low-carbon economy. The assessment includes the following items:
- the alignment (or lack thereof) of investment and financing decisions taken by the financier with low-carbon transition pathways, adaptation pathways, and climate goals;
— the impact of actions through the financier’s investment and lending decisions towards the achievement of climate goals in the real economy, i.e. mitigation (greenhouse gas emissions) and adaptation (resilience);
— the risks to owners of financial assets (e.g. private equities, listed stocks, bonds, loans) arising from climate change.
To support the financier’s assessment of the impact of investment and lending decisions, this document provides guidance for the financier on how to:
— set targets and determine metrics to be used for tracking progress related to the low-carbon transition pathways of investees;
— determine low-carbon transition and adaptation trajectories of investees;
— document the causality or linkage between its climate action and its outputs, outcomes and impacts.
This standard is applicable to financiers, i.e. investors and lenders. It guides their reporting activities to the following third parties: shareholders, clients, policymakers, financial supervisory authorities and non-governmental organizations.
Contact us for further assistance