Identifying and maintaining measures of success in privacy programs.
The publication of ISO 27701 is an exciting development for all companies looking to enhance and potentially certify their privacy programs. As companies race to digest and implement the new standard, many questions arise around how to address some of its particular requirements. One such area involves the governance of an ISO 27701 program.
It is important to understand that while ISO 27701 specifically deals with privacy, the framework is nested with the ISO 27001 security framework. Each of clauses 4 – 8 of ISO 27701 reference ISO 27001/ISO 27002 and establish “additional criteria”. As a result, ISO 27701 is not intended to be a stand-alone framework, but rather a sister framework to ISO 27001.
In fact, to obtain ISO 27701 certification you must also obtain ISO 27001 certification. If you are unfamiliar with the ISO 27001 framework you can read our whitepaper here.
An organization’s Privacy Information Management System (PIMS) governs the scope of its ISO 27701 implementation, as well as a set of processes to govern, implement, operate, monitor, review and continuously improve the PIMS. The PIMS must address both information security and privacy, marking a significant expansion of an organization’s Information Security Management System (ISMS) under ISO 27001.
Under ISO 27001 clause 6.2 and ISO 27701 clause 5.4.2, an organization must develop information security and privacy objectives that are measurable. In our ISO 27001 and ISO 27701 implementations, we help companies define Key Performance Indicators (KPIs) relevant to information security and privacy to address this requirement.
These KPIs are designed to give management a quick overview of how the PIMS is functioning, so that management can identify areas for continual improvement.
Measuring Program Performance
Coming up with KPIs that accurately measure and represent the performance of the program can be a challenge in itself. When implementing a PIMS, what are some examples of good privacy KPIs? Here are a few that may be useful:
- Number of privacy complaints (customer, regulator)
- Results of privacy internal audits (required under ISO 27701)
- Timely Privacy Impact Assessment (PIA) completion rate
- On-time regulator notification for privacy breaches
These KPIs provide measurable results of how an organization is performing as it implements the ISO 27701 Annex A and Annex B controls. As your organization reviews its privacy objectives, you may identify other KPIs that relate to your organization’s stakeholders for privacy, but the five above are fantastic first choices.
Questions about implementing a PIMS under ISO 27701? Contact us here.