ISO 27701. Out-of-the-Box Compliance. Within your reach.

Don't let limited budgets and lack of access to expertise stop you from getting ISO 27701 certified and managing the certification through its whole lifecycle.

Arrka empowers you at each stage

Whether you are just thinking of ISO 27701 certification or are already certified

Thinking about it?

You need to get compliant and certified. Yet you worry about finding the budgets and experts. Worry not: the Arrka platform equips you. Get going on your own. Quickly & easily.

Documentation done?

Policies & documents completed. Controls are being rolled out. The Arrka platform helps automate & streamline, so your evidence is ready for your audit.

Already Certified?

Yayy! Now to ensure you remain compliant. The Arrka platform equips you for that. Throughout the certification lifecycle.

ISO 27701 compliance simplified and streamlined.

Simplified & Quick Assessments

Hassle-free Gap Assessments & Privacy Testing. Across Teams & Geos.

Centralised Controls Management

Easily implement & manage all controls. Preconfigured workflows for process controls. Import of logs & reports from 3P tech controls.

Handy Built-in Tools

Personal Data Inventory, DPIA, DPdD, Vendor Privacy Management, Contracts Management and many others to help your Privacy program.

KPIs, Metrics & Dashboards

Leverage preset KPIs or configure your own to track & measure your compliance on a continual basis. Generate Alerts & Reports as required.

FAQs on ISO 27701 compliance

What is ISO 27701?

– ISO 27701 is a leading International Standard for Data Privacy. It is an extension to ISO 27001 and provides additional guidance around implementing Data Privacy. ISO 27701 provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Program. It is Privacy Law/Regulation agnostic but the foundation it provides will help the organization comply with any Privacy regulation like the GDPR.

Why do organizations implement and get certified for ISO 27701?

– Implementing ISO 27701 helps organizations identify and manage Data Privacy risks, supports regulatory compliance with Privacy regulations, inspires customer trust, protects reputation and helps benchmark against recognized best practice.
– An organization gets certified for ISO 27701 after an audit by accredited certifying bodies. When a trusted external body provides this ‘stamp of approval’, it provides assurance to the outside world that the organization has indeed implemented Data Privacy in a comprehensive structured manner as per the ISO 27701 standard.
– Many external stakeholders like customers, regulators, business associations etc. require organizations to get certified as a pre-requisite to doing business. Even without such mandates, several organizations get certified for ISO 27701 to build and convey trust to their ecosystem.

Is ISO 27701 only for large enterprises?

– Not at all! You can be of any size to get certified for ISO 27701. ISO 27701 is applicable to all types of organizations processing Personal Data, regardless of size and role in the Personal Data Processing Ecosystem. It applies to organizations that collect or process Personal Data for themselves (Controllers) or do so on behalf of a Client (Processor).

What is the process for ISO 27701 certification?

– You need to first implement the ISO 27701 standard in your organization. Once you complete the implementation and build sufficient evidence to prove that you have the standard running smoothly, you call in an accredited ISO agency to certify you. The agency will conduct an audit to assure itself that you have indeed implemented the standard. After that, it awards you the certification.

How long is the ISO 27701 certificate valid for? What is the certification lifecycle?

– A certificate is valid for three years. At the end of year 1 and year 2, a surveillance audit (which is a smaller audit compared to the initial audit at the time of certification) is conducted. The surveillance audit checks that you continue to properly operate all the Privacy controls that you deployed for ISO 27701 compliance. At the end of year 3, you need to go for a ‘recertification’, which is a full-fledged audit just like the one that was done when you first implemented the standard. This ‘reset’ is done because many things often change within an organization in three years, so the Privacy controls deployed may need to be reset or reconfigured to the new business reality.

Does ISO 27701 need to be deployed and/or certified across my entire organization or can it be done in ‘parts’?

– Although you can deploy ISO 27701 in only certain ‘parts’ of the organization which are exposed to Privacy Laws, there are many Privacy related processes which make more sense when deployed at an organization level. You can restrict the certification to only certain parts of the organization, depending on business priorities and budgetary constraints.

If we avail of Arrka’s ISO 27701 solution, what happens to the security and Data Privacy products and other activities that we already have in place?

– We DO NOT ‘replace’ anything that you have already deployed. We merely build on it and add the ‘missing’ pieces. Our endeavour is to leverage whatever has been already done so you can move towards your goal faster.

We have no one in our organization who understands ISO 27701 in depth, nor does anyone have the time to spend on this. How does Arrka help?

– We at Arrka have done all the hard work on your behalf – so you don’t need to spend time understanding what ISO 27701 is all about. All of this is baked into the platform.
– Further, for actual deployment, we have a team of consultants who will handhold you through the whole process to get you going. And if you need help for day-to-day management of your Privacy program, then the Arrka team can take that on as well. In short, we work as your virtual DPO (Data Protection Officer).

Everyone else we have spoken to for our ISO 27701 requirement is a consulting services firm. So what is the big deal about the Arrka platform that makes it so different from the others?

– The Arrka platform has all the necessary ‘intelligence’ built into it for ISO 27701. This means that you can do the entire deployment of the standard on your own or with our customer assistance team. In other words, there is no dependence on people and their individual competencies. Secondly, with everything automated on the platform, it takes up to 70% less time to implement. And you have all the information you need at your fingertips at any given point in time, with no laborious Excel sheets and email threads to scan through. Thirdly, with the day-to-day management and operations fully configured on the platform, you have everything in one place to manage your entire 27701 program. This includes managing client contracts, vendors, auditors, etc. So not only does it help during the initial certification but also through the entire lifecycle.

Is it easier for us to get certified for ISO 27701 if we are already ISO 27001 certified?

– Yes. It is easier for you to get certified for ISO 27701 if you are already ISO 27001 certified, as you need to implement only the incremental ISO 27701 controls which are not covered under ISO 27001. ISO 27701 is intended to be a certifiable extension to ISO 27001 certification.

We want to get certified for ISO 27001 as well. Can Arrka do that for us?

– Yes, Arrka can help you implement ISO 27001, get certified for it and remain certified through the lifecycle in tandem with your ISO 27701 journey. Organizations that are not ISO 27001 certified but want to get certified on ISO 27701 would need to implement all controls as required by ISO 27701, which includes ISO 27001 controls. In a way, ISO 27001 certification is a by-product of achieving certification on ISO 27701.
– Organizations can also implement ISO 27001 and ISO 27701 together as a single implementation project.

If we use the Arrka solution, will our Personal Data reside on the Arrka platform?

– Not at all! Your data continues to remain exactly where it is. The Arrka platform only helps you manage the compliance end-to-end, for which we do not need access to the actual data at any point in time.

If we use the Arrka solution, will we need to deploy anything on our servers?

– No. Nothing is required to be installed or deployed on your servers.

If we need to reach out and talk to a Privacy expert at any point in time, can Arrka help with that?

– Yes, Arrka has a pool of Privacy Experts who can step in to help you with any queries you have or any assistance you may need.

Have additional laws and standards to comply with?

We understand that your business is probably spread across multiple countries – so you may need to comply with more than one law or standard at the same time. Worry not; we can easily do that without missing a beat.