Most, if not all, organizations in the world process personal data (or PII – Personally Identifiable Information). The volume of data processed is increasing continually and organizations are required to protect the privacy of the personal data they process.
ISO/IEC 27701 is a standard published in 2019 to be used by any organization that acts as a PII controller or processor or both, in order to develop a Privacy Information Management System (PIMS).
This standard is in fact an extension of ISO/IEC 27001, the information security management system standard, and is aligned with the requirements of Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR).
An organization that has an Information Security Management System in place, according to ISO/IEC 27001, can obtain an extension to its certification by implementing supplementary controls that refer to privacy and that will cover the requirements of ISO/IEC 27701.
ISO/IEC 27701 is aligned with the GDPR and is the first international standard to provide requirements for handling personally identifiable information (PII) by an organization. Certification to ISO/IEC 27701 shows that the organization has controls in place that cover the requirements of the GDPR.
RIGCERT is accredited for the provision of Information Security Management Systems certification according to ISO/IEC 27001.
It is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. quality management system or information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the choice of the organization what type of management system it chooses to implement and certify.
For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain the certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as reference for certification.
Regardless of the discipline all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance and act to continually improve the system.
A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.
To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.
The support from top management is vital for the success of a management system in the organization.
Certification is an attestation from a third party (usually called registrar or certification body) that the management system implemented by an organization fulfills the requirements of applicable standard(s).
So, in fact, it is not the organization that is the subject of certification but its management system.
The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application, and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.
A contract for the certification is signed.
The certification audit is done to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members, and the audit duration depends on a series of factors like the standards for certification involved, the size of the organization, its activities, locations, etc.
In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).
The document General rules for the certification of management systems contains detailed information about how the certification process works and what the requirements are for obtaining and maintaining certifications.
Management system certifications are valid for 3 years, with the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate if the management system certified continues to respect applicable requirements.
The certification program is the document that specifies the planning of surveillance audits and it is communicated to the organization at certification date.
In the third year the recertification audit takes place and the organization enters another 3-year certification cycle in similar conditions as the previous.
In case surveillance audits are not performed as scheduled the certification may be suspended. During suspension the certification is temporarily invalid. If during suspension the situation is not corrected the certification is withdrawn.
Appeals refer to decisions of RIGCERT with regard to a certain certification (e.g. not granting, suspending, withdrawal, etc.) while complaints may refer to a series of aspects like: the personnel working on behalf of RIGCERT, activities of the organizations certified by RIGCERT, activities of third parties connected to RIGCERT, etc.
Appeals and complaints should be sent to firstname.lastname@example.org and are treated confidentially.
RIGCERT personnel involved in the review and decision regarding a certain appeal or complaint have not been involved in the case being reviewed.
The review can include actions like performing special audits and requesting information from the parties involved, and is concluded with a formal decision communicated to the appellant and/or complainant.
Detailed information on the appeals and complaints handling process is available in the document General rules for the certification of management systems.