ISO 27701 differs slightly from other ISO standards because ISO 27001 certification is required first. Additionally, organisations that adopt ISO 27701 will create evidence to demonstrate GDPR compliance.
For more information see our information portal www.27701.pt.
Conduct a gap analysis of the existing ISMS against the requirements of ISO 27701 and produce an action plan on how to deal with the identified gaps.
Conduct a mapping of the personal data collected by the organisation to understand its scope and how it is used and shared with Processors.
Determine the organisation's role as Controller and/or Processor based on internal or external factors relevant to its context, such as privacy legislation, regulations, court decisions or applicable contractual requirements (among others).
Review and update the privacy policies to ensure that they include the necessary information.
Develop policies and procedures applicable to the organisation's role.
Start the implementation of the plan and carry out the necessary activities in the revised ISMS, including, among others, risk assessment, measurement and monitoring, internal audit and management review. Start the operation of the new system and assess its compliance.