PIMS + ISMS: An Improved Integrated Approach to Cyber Governance

"Information security" is a familiar term and part of everyday technology, whether the concern is a newly popular app or the service that delivers groceries at a tap on the screen. Although such services have made life easier, the growing volume of data and the growing appetite for it have raised concerns about who can access that data and how its privacy is protected. Keeping personal information out of the hands of malicious actors is now a constant concern in every industry segment. Safeguarding information across the business calls for multidisciplinary effort and cross-functional expertise to implement the necessary security measures at the lowest possible cost.

Need for a separate privacy standard

Data breaches and ransomware are increasingly common headlines, whether the loss stems from a misconfiguration, human error or a deliberate attack. To address this growing threat landscape and the need to focus on data privacy, ISO and IEC published a new Privacy Information Management System standard, ISO/IEC 27701:2019, in 2019. In the IAPP-EY Privacy Survey of 2019 on legal and regulatory compliance, 40% of respondents named compliance with privacy laws and regulations as their highest priority, underlining the need to integrate privacy controls into the organization's policies. There is a clear shift away from project-based compliance towards a long-term, sustainable privacy practice.

Integrating privacy practices into the organization's overall processes is a recurring task, driven by regulatory enforcement, social responsibility and customer expectations. ISO/IEC 27701:2019 provides a structure for governing the personal information an organization processes and stores. As concern about the collection and processing of personal information grows, implementing its privacy controls pays off in the long run. A PIMS enables the organization to assess, treat and reduce the risks associated with collecting, maintaining and processing personal information. ISO 27701 is therefore essential for any organization that is responsible or accountable for Personally Identifiable Information (PII), whether as a PII controller or as a PII processor, because it specifies requirements for how that data is managed and processed and how privacy is safeguarded.

The Prominent Information Security Management Framework (ISO 27001:2013)

ISO/IEC 27001:2013 is the information security management system standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). A centrally managed framework of this kind lets an organization manage, monitor, review and continually improve its information security practices. Its policies, procedures and controls are designed to meet three objectives: confidentiality, integrity and availability. Commonly known simply as the ISMS standard, it makes the implementation process transparent and relatively straightforward.

With data now a contested asset and cyber incidents growing in number, a well-implemented ISMS significantly reduces the risk to an organization's sensitive data. As newer standards and regulations emerge, the ISMS controls help bring organizational controls into line with requirements such as the EU General Data Protection Regulation (GDPR) and the NIS Directive (Directive on security of network and information systems), since many of their requirements overlap. Implementing a standard that underpins so many emerging compliance regimes brings its own benefits: it supports legal and regulatory compliance and provides a competitive edge, as many customers treat ISO 27001 certification as a baseline requirement.

Adopting an ISMS significantly improves an organization's information security practices, and the release of a privacy extension such as ISO 27701 has only strengthened those benefits.

Integrated Approach of PIMS and ISMS

Businesses gain the most when they implement PIMS and ISMS together as one integrated effort. ISO 27701 extends the ISMS and addresses the organization's privacy obligations, giving a practical route to effective management of PII in a single programme. Recognized techniques called for by the PIMS, such as pseudonymization, reduce the risk of processing personal information and so offer clients and employees greater assurance that their personal data is protected against unauthorized disclosure, loss, theft and similar threats.
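To make the pseudonymization point concrete, here is an added example that is not code from the article or from QRC. It assumes constructed sample records with "email" and "phone" fields (not real people) and a 32-byte secret key that is stored separately from the pseudonymized dataset. It shows why an unkeyed hash of a PII value is not a pseudonym: anyone can recompute it over a dictionary of guessed addresses and re-identify the record, whereas an HMAC-based pseudonym can only be re-linked by whoever holds the key. That reversibility by the key holder is exactly what makes the output pseudonymous rather than anonymous, which is why pseudonymized data is still personal data under the GDPR.

```python
"""Keyed pseudonymization of PII fields: added illustrative example."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for the demonstration (not real people; the
# field names are an assumption of this example, not from the article).
SAMPLE_RECORDS = [
    {"id": 1, "email": "Alice.Smith@example.com", "phone": "+1 555 0100", "plan": "gold"},
    {"id": 2, "email": "bob@example.org", "phone": "+1 555 0101", "plan": "free"},
    {"id": 3, "email": "alice.smith@example.com ", "phone": "+1 555 0100", "plan": "gold"},
]
PII_FIELDS = ("email", "phone")


def normalise(value: str) -> str:
    """Canonicalise a PII value so the same person always maps to the same pseudonym."""
    return " ".join(value.strip().lower().split())


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it from a guess."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without `key` the mapping cannot be recomputed."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes, fields: Iterable[str] = PII_FIELDS) -> dict:
    """Return a copy of `record` with each PII field replaced by its keyed pseudonym."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify `target` by recomputing fn() over guessed PII values."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return normalise(candidate)
    return None


def demo() -> dict:
    """Run the comparison and return the outcomes as a dict of named results."""
    key = secrets.token_bytes(32)          # controller's key, kept apart from the dataset
    attacker_key = secrets.token_bytes(32)  # an attacker can only guess a key
    guesses = ["alice.smith@example.com", "bob@example.org", "carol@example.net"]
    raw_email = SAMPLE_RECORDS[0]["email"]

    naive = naive_hash(raw_email)
    keyed = pseudonymise(raw_email, key)
    pseudonymised = [pseudonymise_record(r, key) for r in SAMPLE_RECORDS]

    return {
        # Unkeyed hash: the dictionary recovers the address immediately.
        "naive_recovered": dictionary_attack(naive, guesses, naive_hash),
        # Keyed pseudonym without the key: the same dictionary finds nothing.
        "keyed_recovered_without_key": dictionary_attack(
            keyed, guesses, lambda v: pseudonymise(v, attacker_key)),
        # Keyed pseudonym with the key: the controller can still re-link it.
        "keyed_recovered_with_key": dictionary_attack(
            keyed, guesses, lambda v: pseudonymise(v, key)),
        # Normalisation lets records 1 and 3 be joined without storing raw PII.
        "same_person_same_pseudonym": pseudonymised[0]["email"] == pseudonymised[2]["email"],
        "raw_pii_left": any(r["email"] == raw_email for r in pseudonymised),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design choices matter in practice: the pseudonym is computed over a normalized value so that analytics can still join records belonging to the same person, and the key is what must be protected, stored and access-controlled separately from the pseudonymized data. Rotating the key produces a fresh, unlinkable set of pseudonyms, which is useful when a dataset is shared with a new processor.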

The integrated approach is also cost-effective: the organization saves the time and resources it would otherwise spend implementing the two standards separately. An organization cannot be certified against ISO 27701 unless it is already certified against ISO 27001 or is implementing both together, because the PIMS standard builds on the requirements, control objectives and controls of an ISMS and adds privacy-specific requirements. The ISO 27001 cycle of continual improvement then keeps the PIMS controls effective, while the PIMS covers the privacy obligations imposed on the organization by law, contracts or codes of practice. Successful integrated implementation of the two standards brings the following benefits:

  • Protection of the organization's reputation

  • Greater customer trust and confidence

  • Increased customer satisfaction

  • Increased transparency of the organization's processes and procedures

  • Preserved integrity of customers' and other interested parties' information

About Us:
Empanelled with CERT-In, QRC Assurance and Solutions is certified to provide PCI DSS, PA-DSS, PCI 3DS, PCI SSF, ISO 27001 and ISO 27701 certifications, along with other cybersecurity compliance services such as SWIFT assessments, SOC 1/SOC 2/SOC 3, HIPAA, GDPR and SAR audits.

We support our customers in establishing, documenting, implementing and maintaining data security and privacy frameworks that protect their sensitive data from internal and external threats and that manage the confidentiality, integrity, availability, security and privacy of that information systematically.

7th July, 2021 | Cybersecurity | Posted by Abhishek T, SPD, QRC

Tags: PIMS, ISMS, ISO 27001, ISO 27701
