ISO 27701: How to assess your company's level of data protection adequacy?

By Carlos Borella*

August 20, 2020

Data protection has certainly been one of the most discussed topics, perhaps the most discussed, in recent months, since several jurisdictions around the world have enacted data protection regulations (GDPR, LGPD, among others).

After the period of assessments, data flow mapping, review of the controls applied (or not applied), and the generation of numerous action plans, I believe the question on everyone's mind should be: how can I measure my company's adequacy in adopting practices for the protection of personal data?

The answer is certainly not simple, since there is no certification directly linked to these regulations that assesses the level of compliance. However, the publication of ISO/IEC 27701:2019, the privacy information management extension to ISO/IEC 27001 and ISO/IEC 27002, can support you in this phase of the data protection journey. How?

Through a matrix of risks and controls, built from ISO 27001, ISO 27701 and the data protection regulations to which the company is subject, it is possible to carry out an assessment and measure your company's level of adequacy.

It is recommended that this assessment be carried out by someone with a degree of independence, that is, someone who is not directly involved in the adequacy processes being assessed.

And how can we support you?

  • Support the development of a methodology for assessing your environment; the assessment can then be performed, for example, by your company's internal audit area, if such a structure exists. In addition to developing the methodology, we train and support your internal team in applying it;
  • Perform the assessment ourselves, in the role of external auditor, in order to evaluate and issue an independent opinion on the level of data protection adequacy currently implemented.

It is important to note that ISO-based certification can offer a good path for applying information security and data protection controls; however, the supervisory authorities have not yet defined specific rules for certification processes under Articles 42 and 43 of the GDPR and Article 35 of the LGPD.

Our recommendation is to use a mixed risk and control matrix, developed from the requirements and controls of the standards (ISO) and of the regulations (GDPR, LGPD, etc.), which can be used to assess the organization's level of adequacy regardless of whether it will later seek to implement the management systems proposed by ISO.

* Carlos Borella is a partner, CEO and leader of the Cyber area at [SAFEWAY]

Download the eBook on this topic and schedule a conversation with one of our experts to understand how we can support you at this stage of your adequacy journey.

SAFEWAY is an information security company, recognized by its customers for offering high value-added solutions through information security projects that fully meet business needs. Over these years of experience we have accumulated, with great pride, several successful projects that have earned us credibility and prominence with our clients, most of whom are among the 100 largest companies in Brazil.

Today, through more than 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!