ISO/IEC 27701:2019 overview
ISO/IEC 27701:2019 complements the widely used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS). Implementing a PIMS is a helpful compliance addition for organizations that rely on ISO/IEC 27001. The standard creates a strong integration point for aligning security and privacy controls. ISO/IEC 27701 provides a framework for managing personal data that both data controllers and data processors can use. This framework is a key distinction for General Data Protection Regulation (GDPR) compliance.
In addition, any ISO/IEC 27701 audit requires the organization to declare applicable laws and regulations in its criteria for the audit. This requirement means that the standard can be mapped to many of the requirements under GDPR or other laws. Once mapped, privacy professionals implement the ISO/IEC 27701 operational controls. An internal or external third party, who is accredited to assess, evaluates the organization's compliance with the requirements of the standard and issues a certificate to that effect. This universal framework allows organizations to efficiently implement compliance with new regulatory requirements. Microsoft sponsors the open-sourced Data Protection Mapping Project to bring a common understanding of the relationship between ISO/IEC 27701 and various data protection regulations.
Microsoft in-scope cloud platforms and services
The Azure ISO/IEC 27701 certificate shows Microsoft online services in scope:
- Azure (for detailed insight, see the Azure ISO/IEC 27701 offering)
- Dynamics 365 (for detailed insight, see the Azure ISO/IEC 27701 offering)
- Microsoft Defender XDR (not in scope for Azure Government)
- Microsoft Bing for Commerce (not in scope for Azure Government)
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Graph
- Microsoft Intune
- Microsoft Managed Desktop (not in scope for Azure Government)
- Microsoft Stream
- Microsoft Threat Experts (not in scope for Azure Government)
- Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
- Power Apps
- Power Automate
- Power BI
- Power BI Embedded
- Power Virtual Agents (not in scope for Azure Government)
- Universal Print (not in scope for Azure Government)
- Windows 365
Azure, Dynamics 365, and ISO 27701
For more information about Azure, Dynamics 365, and other online services compliance, see the Azure ISO 27701:2019 offering.
Office 365 and ISO 27001
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
| Applicability | In-scope services |
|---|---|
| Commercial | Access Online, Microsoft Entra ID, Azure Communications Service, Compliance Manager, Customer Lockbox, Delve, Exchange Online Protection, Exchange Online, Forms, Griffin, Identity Manager, Lockbox (Torus), Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Customer Portal, Office 365 Microservices (including but not limited to Kaizala, ObjectStore, Sway, PowerPoint Online Document Service, Query Annotation Service, School Data Sync, Siphon, Speech, StaffHub, eXtensible Application Program), Office 365 Security & Compliance Center, Office Online, Office Pro Plus, Office Services Infrastructure, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, Project Online, Service Encryption with Microsoft Purview Customer Key, SharePoint Online, Skype for Business, Stream |
| GCC | Microsoft Entra ID, Azure Communications Service, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream |
| GCC High | Microsoft Entra ID, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business |
| DoD | Microsoft Entra ID, Azure Communications Service, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office 365 Security & Compliance Center, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business |
Office 365 audits, reports, and certificates
Microsoft cloud and commercial technical support services undergo an annual audit as part of the certification process for ISO/IEC 27701.
Frequently asked questions
How does ISO/IEC 27701 help with evolving regulatory requirements?
ISO/IEC 27701 includes an annex that contains the operational controls of the standard. The annex maps these controls against relevant requirements in GDPR for controllers and processors. This mapping is just one example of how organizations can implement privacy regulations relative to the ISO framework. As additional mappings with other regulations become available and are validated, organizations can transfer the operational controls from the standard directly from regulatory review to implementation. This universal framework allows organizations to reliably implement the relevant regulatory requirements.
How does ISO/IEC 27701 help with audit costs?
As more privacy regulations come into force in various jurisdictions, the pressure to provide evidence of compliance increases. But the costs of disparate regulatory certifications become prohibitive if every regulation calls for its own unique audit. By outlining a set of universal operational controls, ISO/IEC 27701 also outlines a universal compliance framework to audit against, and potentially certify, for multiple regulatory requirements.
It's important to recognize that the establishment of an official GDPR certification requires approval by the European regulators. While the alignment between ISO/IEC 27701 and GDPR is evident, an ISO/IEC 27701 certification shouldn't be taken as evidence of GDPR compliance or official GDPR certification until regulatory decisions are finalized.
How does ISO/IEC 27701 help with commercial agreements involving PII?
Commercial agreements involving the movement of personal information can warrant certification of compliance. Modern organizations engage in complex data transfers with a deep network of business partners, including partner organizations or co-controllers, processors such as cloud providers, and subprocessors such as vendors who support those same processors. Failure to comply with regulations in any part of this network could lead to cascading compliance issues across the supply chain. This is where a verification of compliance can be valuable beyond the assurance provided by contractual terms between these organizations. Since the global economy dictates that most of these organizations are spread across the world, it's practical to use an international standard from ISO to manage compliance across the network.
This reliance on compliance increases the importance of certification to the standard. While not all companies and organizations need to earn such certification, most benefit from partners and vendors who do, especially when sensitive or high volumes of data processing are involved.
How does ISO/IEC 27701 relate to ISO/IEC 27001?
ISO/IEC 27701 is built on top of ISO/IEC 27001, one of the most widely adopted international standards for information security management. If your organization is already familiar with ISO/IEC 27001, it's logical and more efficient to integrate the new privacy controls provided by ISO/IEC 27701. This approach means the implementation and audit of both standards is less expensive and easier to achieve. Key points of ISO/IEC 27701 and ISO/IEC 27001:
- ISO/IEC 27001 is one of the most used ISO standards in the world, with many companies already certified to it.
- ISO/IEC 27701 includes new controller- and processor-specific controls that help bridge the gap between privacy and security. It provides a point of integration between what might be two separate functions in organizations.
- Privacy depends on security. Likewise, ISO/IEC 27701 depends on ISO/IEC 27001 for security management. Certification for ISO/IEC 27701 must be obtained as an extension of an ISO/IEC 27001 certification and can't be obtained independently.
What should your organization do with ISO/IEC 27701?
No matter the size of your organization and whether it's a controller or a processor, consider pursuing certification, either for your own organization or by requesting it from vendors or suppliers based on your business requirements. This applies especially to processors, subprocessors, and co-controllers that are processing sensitive or high volumes of personal data. Assess your business needs to determine if certification for your own products and services is suitable.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview portal that helps you understand your organization’s compliance posture and take actions to reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.
Resources
- ISO/IEC 27701:2019 (available for purchase)
- ISO/IEC 27701 Introductory video
- Microsoft Common Controls Hub Compliance Framework
- Data access policies for Microsoft enterprise cloud and technical services
- Microsoft Online Services Terms
- Microsoft Government Cloud
- Compliance on the Microsoft Trust Center