ISMS-PIMS Certification
What is ISMS-PIMS Certification?
ISMS-PIMS Certification certifies that an organization conforms to the requirements for a privacy information management system (PIMS) based on ISO/IEC 27701, on the precondition that it already conforms to the ISMS requirements of ISO/IEC 27001:2013.
Organizations therefore need to hold ISMS Certification before extending it to ISMS-PIMS Certification.
An organization that is not yet certified against ISO/IEC 27001 can apply for ISMS Certification and ISMS-PIMS Certification at the same time.
The criteria for ISMS-PIMS Certification
The criterion for ISMS-PIMS certification is ISO/IEC 27701 (Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management).
The standard is written as additional requirements to ISO/IEC 27001*1 and additional guidelines to ISO/IEC 27002*2, respectively, for a privacy information management system.
*1 ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
*2 ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
The roles in the organization (as PII controller and/or PII processor)
The roles of organizations are defined as follows for ISMS-PIMS certification:
PII controller: privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes
PII processor: privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller
(Source: ISO/IEC 29100:2011 Information technology - Security techniques - Privacy framework, 2.10 and 2.12)
To achieve ISMS-PIMS Certification, an organization needs to specify which role(s) it has: PII controller and/or PII processor. The certification scope and the applicable ISO/IEC 27701 controls depend on that role.
ISMS-PIMS Certification certifies that an organization has appropriately implemented a privacy information management system based on ISO/IEC 27701, in addition to holding ISMS Certification (ISO/IEC 27001).