What Are Your Privacy KPIs?

Identifying and maintaining measures of success in privacy programs.

The publication of ISO 27701 is an exciting development for all companies looking to enhance and potentially certify their privacy programs. As companies race to digest and implement the new standard, many questions arise around how to address some of its particular requirements. One such area involves the governance of an ISO 27701 program.

It is important to understand that while ISO 27701 specifically deals with privacy, the framework is nested with the ISO 27001 security framework. Each of clauses 4 – 8 of ISO 27701 reference ISO 27001/ISO 27002 and establish “additional criteria”. As a result, ISO 27701 is not intended to be a stand-alone framework, but rather a sister framework to ISO 27001.

In fact, to obtain ISO 27701 certification you must also obtain ISO 27001 certification. If you are unfamiliar with the ISO 27001 framework you can read our whitepaper here.

PIMS 101

An organization’s Privacy Information Management System (PIMS) governs the scope of its ISO 27701 implementation, as well as a set of processes to govern, implement, operate, monitor, review and continuously improve the PIMS. The PIMS must address both information security and privacy, marking a significant expansion of an organization’s Information Security Management System (ISMS) under ISO 27001.

Under ISO 27001 clause 6.2 and ISO 27701 clause 5.4.2, an organization must develop information security and privacy objectives that are measurable. In our ISO 27001 and ISO 27701 implementations, we help companies define Key Performance Indicators (KPIs) relevant to information security and privacy to address this requirement.

These KPIs are designed to give management a quick overview of how the PIMS is functioning, so that management can identify areas for continual improvement.

Measuring Program Performance

Coming up with KPIs that accurately measure and represent the performance of the program can be a challenge in itself. When implementing a PIMS, what are some examples of good privacy KPIs? Here are a few that may be useful:

Number of privacy complaints (customer, regulator)
Response time to data subject requests – standard response times will be defined in the Privacy Policy as required under ISO 27701, Clause 7.3.9
Results of privacy internal audits (required under ISO 27701)
Timely Privacy Impact Assessment (PIA) completion rate
On-time regulator notification for privacy breaches

These KPIs provide measurable results of how an organization is performing as it implements the ISO 27701 Annex A and Annex B controls. As your organization reviews its privacy objectives, you may identify other KPIs that relate to your organization’s stakeholders for privacy, but the five above are fantastic first choices.

Questions about implementing a PIMS under ISO 27701? Contact us here.

About the Author: Philip Brudney

Philip is in charge of Security, Privacy, and Compliance research and quality assurance at risk3sixty. As part of Philip’s duties, he oversees privacy and attestation reporting and is the co-quality assurance manager for the assurance practice (SOC 1, SOC 2, and attestation reporting) where he is responsible for ensuring each engagement meets risk3sixty’s rigorous quality standards in line with AICPA requirements. Philip leads development and peer review of thought leadership, research, and whitepapers. In addition, Philip acts as the Data Protection Officer (DPO) for a wide array of US based firms facing GDPR compliance.

What Are Your Privacy KPIs?

PIMS 101

Measuring Program Performance

Share This Story, Choose Your Platform!

About the Author: Philip Brudney

Related Posts

Risk3sixty Receives ISO 27001, ISO 27701, ISO 22301 Recertifications to Continue Compliance with International Standards

Recent Changes to ISO 27002

What Is Your Privacy Philosophy and Why Does It Matter?

Webinar: Privacy in Contracts: Everything you need to know before you sign

Leave A Comment Cancel reply