ISO 27701. Out-of-the-Box Compliance. Within your reach.

– ISO 27701 is a leading International Standard for Data Privacy. It is an extension to ISO 27001 and provides additional guidance around implementing Data Privacy. ISO 27701 provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Program. It is Privacy Law/Regulation agnostic but the foundation it provides will help the organization comply with any Privacy regulation like the GDPR.

– Implementing ISO 27701 helps organizations identify and manage Data Privacy risks, supports regulatory compliance with Privacy regulations, inspires customer trust and protects reputation and helps benchmark with recognized best practice.
– An organization gets certified for ISO 27701 after an audit by accredited certifying bodies. When a trusted external body provides this ‘stamp of approval’, it provides assurance to the outside world that the organization has indeed implemented Data Privacy in a comprehensive structured manner as per the ISO 27701 standard.
– Many external stakeholders like customers, regulators, business associations etc. require organizations to get certified as a pre-requisite to doing business. Even without such mandates, several organizations get certified for ISO 27701 to build and convey trust to their ecosystem.

– Not at all! You can be of any size to get certified for ISO 27701. ISO 27701 is applicable to all types of organizations processing Personal Data regardless of size and role in the Personal Data Processing Ecosystem. It applies to organizations who collect or process Personal Data for themselves (Controllers) or do so on behalf of a Client (Processor)

– You need to first implement the ISO 27701 standard in your organization. Once you complete the implementation and build sufficient evidence to prove that you have the standard running smoothly, you call in an accredited ISO agency to certify you. The agency will conduct an audit to assure itself that you have indeed implemented the standard. Post which, it awards you the certification.

– A certificate is valid for three years. At the end of year 1 and year 2, a surveillance audit (which is a smaller audit compared to the initial audit at the time of certification) is conducted. The surveillance audit is to check that you continue to properly operate all the Privacy controls that you deployed for ISO 27701 compliance. At the end of year 3, you need to go for a ‘recertification’ – which is nothing but a full-fledged audit just like the one that was done when you first implemented the standard. The reason this ‘reset’ is done is because often many things change within an organization in three years. And hence the Privacy controls deployed may need to be reset or reconfigured to the new business reality.

– Although you can deploy ISO 27701 in only certain ‘parts’ of the organization which are exposed to Privacy Laws, there are many Privacy related processes which make more sense when deployed at an organization level. You can restrict the certification to only certain parts of the organization, depending on business priorities and budgetary constraints.

– We DO NOT ‘replace’ anything that you have already deployed. We merely build on it and add the ‘missing’ pieces. Our endeavour is to leverage whatever has been already done so you can move towards your goal faster.

– We at Arrka have done all the hard work on your behalf – so you don’t need to spend time understanding what ISO 27701 is all about. All of this is baked into the platform.
– Further, for actual deployment, we have a team of consultants who will handhold you through the whole process to get you going. And if you need help for day-to-day management of your Privacy program, then the Arrka team can take that on as well. In short, we work as your virtual DPO (Data Protection Officer).

– The Arrka platform has all the necessary ‘intelligence’ built into it for ISO 27701. This means that you can do the entire deployment of the standard on your own or with our customer assistance team. In other words, there is no dependence on people and their individual competencies. Secondly, with everything automated on the platform, it takes up to 70% less time to implement. And you have all the information you need at your fingertips at any given point in time – no laborious excel sheets and email threads to scan through. Thirdly, the day-to-day management and operations being fully configured on the platform, you have everything in one place to manage your entire 27701 program. This includes managing client contracts, vendors, auditors, etc. So not only does it help during the initial certification but also through the entire lifecycle.

Yes. It is easier for you to get certified for ISO 27701 if you are already ISO 27001 certified as you need to only implement the incremental ISO 27701 controls which are not covered under ISO 27001. ISO 27701 is intended to be a certifiable extension to ISO27001 certification.

– Yes, Arrka can help you implement ISO 27001, get certified for it and remain certified through the lifecycle in tandem with your ISO 27701 journey. Organizations who are not ISO 27001 certified but want to get certified on ISO 27701, would need to implement all controls as required by ISO 27701 which includes ISO 27001 controls. In a way ISO 27001 certification is a by-product of achieving certification on ISO 27701
– Organizations can also implement ISO 27001 and ISO 27701 together as a single implementation project.

– Not at all! Your data continues to remain exactly where it is. The Arrka platform only helps you manage the compliance end-to-end, for which we do not need access to the actual data at any point in time.

– No. Nothing is required to be installed or deployed on your servers

– Yes, Arrka has a pool of Privacy Experts who can step in to help you with any queries you have or any assistance you may need.