ISO 27001, 27701 and Concentric AI

June 13, 2023
Cyrus Tehrani
4 min read

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are leading independent bodies that establish international standards across various domains. Their joint subcommittee has introduced the ISO/IEC 27000 family of standards — a comprehensive set of controls for managing information security. The controls cover legal, physical, and technical aspects of risk management.

A brief overview of ISO 27001 and 27701

The ISO/IEC 27001 standard specifies an Information Security Management System (ISMS) that organizes information security under explicit management control. This standard outlines best practices and requirements for maintaining an ISMS, including documentation, responsibility divisions, security auditing, and preventive measures. ISO 27001 was created to help organizations comply with legal and regulatory requirements pertaining to information security.

The ISO/IEC 27701:2019 standard complements ISO/IEC 27001 by providing guidelines for a Privacy Information Management System (PIMS). It balances security and privacy controls, with a framework for managing personal data usable by both data controllers and processors. These controls are crucial for compliance with regulations such as GDPR.

For an ISO/IEC 27701 audit, organizations must state the relevant laws and regulations, allowing the standard to align with requirements like GDPR and CCPA. After implementing the ISO/IEC 27701 controls, a certified auditor evaluates the organization’s compliance, then issues a certification.

How Concentric helps you with ISO 27001 compliance

Here are the key areas where Concentric AI can help you align with ISO 27001 requirements:

Risk Assessment and Treatment: Concentric’s autonomous risk monitoring aligns with ISO 27001’s requirement for regular risk assessments. Our solution can discover how your PII/customer data is being used, who it is being shared with, and who accessed it.

Best of all, Concentric can identify, categorize and remediate your data wherever it is stored: in the cloud, on premises, structured or unstructured. All without time-consuming rules or regex.

Asset Management: ISO 27001 requires organizations to maintain an inventory of information assets. Concentric’s comprehensive PII data discovery and categorization can give you a clear understanding of where your sensitive data resides and how it should be categorized, fulfilling this requirement.

Access Control: Concentric can help you implement zero-trust access principles, which aligns with ISO 27001’s requirement for limiting access to data based on the principle of least privilege.

Incident Management: With our solution’s ability to identify, classify and remediate data risk issues, we help you meet regulatory mandates and avoid data loss, which aligns with ISO 27001’s requirements for incident management and business continuity.

Compliance: Concentric can help you respond to data access audits and data subject access requests (DSAR), which can assist in demonstrating compliance with ISO 27001 and other regulations.

Continuous Improvement: Concentric’s ability to continually assess data for risk and remediate issues also aligns with ISO 27001’s requirement for continuous improvement of the ISMS.

It’s important to note that while Concentric can go a long way in helping you with compliance, it’s crucial to conduct regular audits and reviews to ensure ongoing compliance.

How Concentric helps you with ISO 27701 compliance

Here are the key areas where Concentric AI can help you align with ISO 27701 requirements:

Data Mapping and Categorization: ISO 27701 requires organizations to understand what personal data they store and where it lives. When it comes to your sensitive data, Concentric AI’s comprehensive data discovery and categorization gives you a clear view of where your sensitive data resides and how it should be categorized, fulfilling this requirement.

Risk Assessment: Concentric’s autonomous risk monitoring aligns with ISO 27701’s requirement for regular risk assessments. You can discover how your sensitive data is being used, who it is being shared with, and who accessed it, helping you identify and mitigate privacy risks.

Data Minimization and Purpose Limitation: Two key principles of ISO 27701 emphasize data minimization and purpose limitation. By classifying all your sensitive data with context, you can be more confident your data is only used for its intended purpose while unnecessary data is not collected or stored.

Access Control: Concentric can help you implement zero-trust access practices, which aligns with ISO 27701’s requirement for limiting access to personal data based on the principle of least privilege.

Incident Management and Breach Notification: Concentric can help you meet regulatory mandates and prevent loss of customer data, which aligns with ISO 27701’s requirements for incident management and breach notification.

Data Subject Rights: Concentric helps you respond to data subject access requests (DSARs), including right-to-know and right-to-be-forgotten requests, which is a key area of ISO 27701’s focus on respecting data subject rights.

Continuous Improvement: Our solution’s ability to continually assess data for risk and remediate any issues aligns with ISO 27701’s requirement for continuous improvement of the PIMS.

As with ISO 27001, regular audits and reviews are necessary to ensure ongoing compliance.

More than just compliance

Our customers are successfully using our product in production for petabytes of data for:

Again: Concentric can identify, categorize and remediate your data wherever it is stored: in the cloud, on premises, structured or unstructured. All without time-consuming rules or regex. 
