ISO 27701:2019 Framework Updates

What you need to know about the ISO 27701:2019 framework updates released on 7/11/2024

Updated over 3 months ago

Overview

Prior to 7/8/2024, ISO 27701:2019 was a requirements-only framework in Drata: you managed your own controls, policies, and risks against the framework's requirements. With this release, Drata provides full framework support, so the ISO 27701:2019 product now includes the same automation and enablement resources (mapped controls, policy templates, and risk templates) that Drata offers for its other fully supported frameworks.

If you already had ISO 27701:2019 enabled at the time of this update, you likely saw your framework readiness score change when these resources were added to your account. Read on to learn what changed and what action items to take.

Updates to the ISO 27701 framework in Drata

Here is an overview of the resources that now come with the ISO 27701 framework:

Requirements: 189

Mapped DCF Controls: 235

Policies: 24 policies apply to this framework in total:

- Acceptable Use Policy

- Asset Management Policy

- Backup Policy

- Business Continuity Plan

- Change Management Policy

- Code of Conduct

- Data Classification Policy

- Data Protection Policy

- Data Retention Policy

- Disaster Recovery Plan

- Encryption Policy

- Incident Response Plan

- Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan

- Information Security Policy

- Internal Privacy Policy

- Logging and Monitoring Policy

- Network Security Policy

- Password Policy

- Physical Security Policy

- Risk Assessment Policy

- Software Development Life Cycle Policy

- System Access Control Policy

- Vendor Management Policy

- Vulnerability Management Policy

New policies for this framework

As part of these updates, we added 2 brand new policies that apply specifically to this framework:

- Internal Privacy Policy

- Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan

Risk Categories

We added the following new privacy-related risk categories:

- Privacy - Lawfulness

- Privacy - Transparency

- Privacy - Data Subject Rights

- Privacy - Accuracy

- Privacy - Accountability

- Privacy - Storage Limitation

- Privacy - Purpose Limitation

- Privacy - Data Minimization

Risks

We added 20 new risk scenario templates to the risk library to assist you in evaluating privacy-related risks.

Next steps

If you had ISO 27701:2019 enabled before the release of full framework support, you likely saw your readiness score change because of the newly added controls. You can mark the new controls out of scope if you don't want to use them, but we recommend first reviewing these controls and their associated requirement mappings, which were created by Drata's GRC experts to help you implement this framework.

Your readiness score will also change because of the new policy templates added to your account for this framework. We recommend reviewing these policy templates and incorporating them into your compliance program, but you can also archive them if you prefer to use your own policies.

Here’s an overview of action items to take:

  1. Assess the new controls to determine whether they are applicable to your organization. If they are not, or if you want to continue managing your existing control set as-is, mark them out of scope.

  2. Some existing controls also received updated templates. Revert those controls to the latest template to pick up the changes.

  3. Review the new privacy-related risk scenarios in the risk library to inform your privacy risk assessment process, and add them to your risk register where appropriate.

  4. Review the new policy templates, edit them as appropriate, and approve them. Once approved, send them to your personnel for acknowledgement if applicable. If you don't plan to use them, archive them instead.
