What is ISO/IEC 27701?
The International Organization for Standardization (“ISO”) is an international, nongovernmental organization made up of national standards bodies that develop and publish a wide range of proprietary, industrial and commercial standards. In August 2019, ISO published ISO/IEC 27701 (“ISO 27701”), a new international privacy standard about protecting and managing the processing of personal data.
This new standard is a privacy extension to the existing and widespread industry standards ISO/IEC 27001 and ISO/IEC 27002, which were first published by ISO in 2005. They describe how to establish and run an Information Security Management System (“ISMS”), and ISO now reports that over 36,000 organizations in 131 countries are currently independently certified as meeting ISO/IEC 27001. Audited ISO certifications are awarded to organizations that have been assessed by an independent, external auditor to meet a specific, published standard. Auditors themselves are also accredited—with the ISO 27000 series of certifications, to published international ISO standards, too.
The ISO 27701 extension to the ISO/IEC 27001 and ISO/IEC 27002 standards is less than four years old and adapts the ISMS management system concept into the creation of a Privacy Information Management System (“PIMS”). There are requirements to make sure this privacy management system is robust and is also continually improving to meet its defined objectives.
ISO standards often map to—and frequently reference—other international ISO standards, but it’s unusual for them to map to non-ISO standards, especially to one particular region’s regulations. So until the GDPR regulatory bodies adopt an official certification mechanism, ISO 27701 provides an excellent way to demonstrate externally-audited compliance with the regulation.
Understanding the Certification
Shoplazza’s PIMS was assessed by a third-party auditor, BSI in October 2022. Certifying to the ISO 27701 privacy standard is a multi-step process that includes:
understanding and planning for the standard;
identifying and adapting the controls the organization will implement;
internally auditing against the requirements;
externally auditing against the standard (in itself a two-stage process)
Then, we were finally certified against the standard by the independent auditor. Once certified, the privacy management system is continually evaluated and improved, with internal and external audits on an ongoing annual basis.
How does an ISO/IEC 27701 Certification benefit customers?
The ISO 27701 certification provides assurance to our customers that we have a privacy program that has been assessed by a third party to meet an international industry standard aligned to the GDPR, and that requires us to keep our privacy program under continuous compliance. This certification, in addition to the Data Processing Addendum (“DPA”) we make available to our customers in the dashboard, offers our customers multiple layers of assurance that any personal data that Shoplazza processes will be handled in a way that meets the GDPR’s requirements.
ISO/IEC 27701 at Shoplazza
Our official certification is stated below. For more information, please visit our compliance pages or reach out to our customer service.