Overview
Prior to 7/8/2024, ISO 27701:2019 was a requirements-only framework in Drata, where you managed your own controls, policies, and risks. However, with this release, we have released full framework support so that the ISO 27701:2019 product has all the automation and enablement resources that Drata offers.
If you already had ISO 27701:2019 at the time of this update, it’s likely you saw your framework readiness change when we made these updates. Read on to learn about the updates and your action items.
Updates to the ISO 27701 framework in Drata
Here is an overview of the resources that now come with the ISO 27701 framework:
Resource | Details |
Requirements | 189 |
Mapped DCF Controls | 235 |
Policies | 24 policies apply to this framework in total: - Acceptable Use Policy - Asset Management Policy - Backup Policy - Business Continuity Plan - Change Management Policy - Code of Conduct - Data Classification Policy - Data Protection Policy - Data Retention Policy - Disaster Recovery Plan - Encryption Policy - Incident Response Plan - Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan - Information Security Policy - Internal Privacy Policy - Logging and Monitoring Policy - Network Security Policy - Password Policy - Physical Security Policy - Risk Assessment Policy - Software Development Life Cycle Policy - System Access Control Policy - Vendor Management Policy - Vulnerability Management Policy |
New policies for this framework | As a part of these updates, we added 2 brand new policies applicable specifically to this framework - Internal Privacy Policy - Information Security Management System (ISMS) and Privacy Information Management System (PIMS) Plan |
Risk Categories | We added 6 new privacy-related risk categories: Privacy - Lawfulness Privacy - Transparency Privacy - Data Subject Rights Privacy - Accuracy Privacy - Accountability Privacy - Storage Limitation Privacy - Purpose Limitation Privacy - Data Minimization |
Risks | We added 20 new risks scenario templates to the risk library to assist you in your evaluation of privacy-related risks. |
Next steps
If you are a customer who has had ISO 27701:2019 prior to the release of the full framework support, you likely saw your readiness score change because of our newly-added controls. You can mark the new controls we added to your account out of scope if you don’t want to use them, but we recommend reviewing these new controls and associated mappings first, which were created by Drata’s GRC experts to help you in implementing this framework.
Your readiness score will also change because of the new policy templates that we have added to your account for this framework. We recommend reviewing these policy templates and incorporating them into your compliance program, but you can also choose to archive them if you want to use your own policies.
Here’s an overview of action items to take:
Assess the new controls to determine if they are applicable/relevant to your organization. If they are not, or if you want to continue managing your own control set as-is, you can mark them out of scope.
Additionally, some controls have received updated templates. Revert to the latest template.
Review the new privacy-related risks in the risk library to inform your privacy risk assessment process. Add them to your risk register if deemed appropriate.
Review the new policy templates, edit as appropriate, and approve them. Once approved, send them to your personnel for acknowledgement if applicable. Otherwise, archive them.