ISO 27701: 2019 Privacy Information Management System Lead Auditor
Summary Course Description:
The world is currently confronting a dynamic regulatory environment for data privacy. In 2016, Europe created the General Data Protection Act (GDPA). Each country and many states have their own data privacy requirements, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Once it became compulsory there was a need to provide evidence of conformance. It took until 2019 when ISO 27701 introduced the concept of Privacy Information Management Systems (PIMS). Conceptually, any firm who was ISO 27001 certified can implement a “PIMS” and be assessed to ISO 27701 which demonstrates compliance to GDPR – and other data privacy regulations.
To succeed in this course one should be familiar with ISO 27001 & ISO 27002. Precision Execution LLC uses the Case Study method to help learn how PIMS fit with an ISMS. The pillars of content have been built around:
· Section 5: PIMS specific requirements in ISO 27001
· Section 6: PIMS specific guidance in ISO 27002
· Section 7: PIMS specific guidance for Controllers found in ISO 27002
· Section 8: PIMS specific guidance for Processors found in ISO 27002
At the completion of the course, you will be clear what additional documents you are required to have such as an updated SoA. You will learn how to leverage what you have relative to what will need to be built new. You will understand the certification process, and the components of the implementation process, and be able to estimate how ling this may tke to implement as you build a project plan.
Day 1: Understanding ISO 27701: 2019 Requirements (Learning Objectives):
Learning Objectives:
· To understand the privacy information management security (PIMS) requirements in ISO 27001;
· To understand the privacy information management security (PIMS) requirements in ISO 27002;
· To understand the privacy information management security (PIMS) requirements in ISO 27001 for PII Controllers;
o Conditions for collecting and processing:
§ Identify and document purpose
§ Identify lawful basis
§ Determine when and how consent is to be obtained
§ Obtain and record consent
§ Privacy impact assessment
§ Contracts with PII processors
§ Joint PII controller
§ Records related to processing PII
o Obligations to PII principals:
§ Determining and fulfilling obligations to PII principals
§ Determining information for PII principals
§ Providing information to PII principals
§ Providing mechanism to modify or withdraw consent
§ Providing mechanism to object to PII processing
§ Access, correction and/or erasure
§ PII controllers obligations to inform third parties
§ Providing copy of the PII processed
§ Handling requests
§ Automated decision making
o Privacy by design and privacy by default:
§ Limit collection
§ Limit processing
§ Accuracy and quality
§ PII minimization objectives
§ PII de-identification and deletion at the end of processing
§ Temporary files
§ Retention
§ Disposal
§ PII transmission controls
o PII sharing, transfer and disclosure:
§ Identify basis for PII transfer between jurisdictions
§ Countries and international organizational to which PII can be transferred
§ Records of transfer of PII
§ Records of PII disclosure to third parties
Day 2: Implementing ISO 27701: 2019 (Learning Objectives):
· To understand the privacy information management security (PIMS) requirements in ISO 27002 for PII Processors;
o Conditions for collection and processing
§ Customer agreement
§ Organizations purposes
§ Marketing and advertising use
§ Infringing instructions
§ Customer obligations
§ Records related to processing PII
o Obligations to PII principals
§ Obligation to PII principals
o Privacy by design and privacy by default
§ Temporary files
§ Return, transfer or disposal of PII
§ PII transmission controls
o PII sharing, transfer and disclosure
§ Basis for PII transfer between jurisdictions
§ Countries and international organizations to which PII can be transferred
§ Records of PII disclosure to third parties
§ Notification of PII disclosure requests
§ Legally binding PII disclosures
§ Disclosures of subcontractors used to process PII
§ Engagement of a subcontractor to process PII
§ Change of subcontractor to process PII
· To understand how to use ISO 27701 as a verification for your customers that the GDPR requirements are met – how 3rd Party add-on audits to ISO 27001 can be useful;
· To learn implementation techniques that are efficient and effective and leverage systems already in place.
Day 3: Planning & Conducting Effective Management System Audits (Learning Objectives):
· Be capable of applying terms, definitions and concepts to MS auditing
· Be capable of recognizing examples of Auditing Principles
· To recognize the types of audits these principles apply
· To learn the roles & responsibilities of Audit Program Manager
· To understand the Audit Lifecycle - IPERC
· To understand the role of the Auditor through each step
· To learn the layers of planning 1) Program 2) Audit and 3) Interview
· Be capable of conducting a Process Audit
· Be able to write clear NC reports and communicate findings
· To understand differences b/n 1st & 3rd Party audits
· To understand the corrective action process and role of auditor
· To understand your personality type to solicit optimal outcomes
Day 4: Leading Management System Audits (Learning Objectives):
· To learn the roles & responsibilities of Audit Team Leader
· To be able to write an audit plan - applying the risk-based approach
· To be able to run an Opening & Closing Meeting
· To be able to handle difficult situations - professionally
· To be able to discuss strategic issues with Top Management
· To be able to demonstrate conflict management skills - including diverging opinions
· To be able to identify and manage audit risk
· To recognize the nuances of Joint & Combined audits
· To be able to conduct virtual/remote audits
· To understand required report content & who gets the report
· To be capable of verifying effectiveness & completeness of corrective actions
· To gain familiarity with ISO 17021-1
· To gain familiarity with IAF documents and how to use them
· To exhibit auditor communication skills - w/ wide range of people w/ range of topics
· To ensure audit plans include objectives, scope & criteria (and are understood)
· To understand the process for selecting overall team competence is understood
· To ensure work assignments to teammates are clear & documented info for audit is prepared
· To confirm H&S considerations are planned and related risks are understood
· To assure auditors are capable of progressing the audit and keep on schedule
· To assure the purpose of team briefings is understood - including the content of the briefings
· The TL can lead the team to reach consensus on audit findings
· The TL objectives, purpose and content of Closing Meeting are understood
· The TL understands to distribute the audit report as per the audit plan
· The TL demonstrates ability to develop a complete, accurate, concise and clear audit record
· The TL ensures audit report details audit completion and follow up actions
· To understand the completion and effectiveness of corrective actions are verified
Course Materials:
· Slides with Notes pages
· Five exercises per day are used to engage students and confirm learning
· Case Study
Standards: Standards are not included in the cost of the course. The following standards will be covered in this class.
· ISO 27701: 2019 (available for $237 T webstore.ansi.org)
· ISO 19011: 2018 (available for $148.00 at webstore.ansi.org)
We recommend you purchase digital copies prior to the course. There may be “packages” that can get the price lower.
Exams: Each of the four days includes a one hour timed exam. There are 25 Questions each day and one must achieve 70% to pass.
Please note price includes a 2.9% service fee.
ISO 27701: 2019 Privacy Information Management System Lead Auditor
Summary Course Description:
The world is currently confronting a dynamic regulatory environment for data privacy. In 2016, Europe created the General Data Protection Act (GDPA). Each country and many states have their own data privacy requirements, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Once it became compulsory there was a need to provide evidence of conformance. It took until 2019 when ISO 27701 introduced the concept of Privacy Information Management Systems (PIMS). Conceptually, any firm who was ISO 27001 certified can implement a “PIMS” and be assessed to ISO 27701 which demonstrates compliance to GDPR – and other data privacy regulations.
To succeed in this course one should be familiar with ISO 27001 & ISO 27002. Precision Execution LLC uses the Case Study method to help learn how PIMS fit with an ISMS. The pillars of content have been built around:
· Section 5: PIMS specific requirements in ISO 27001
· Section 6: PIMS specific guidance in ISO 27002
· Section 7: PIMS specific guidance for Controllers found in ISO 27002
· Section 8: PIMS specific guidance for Processors found in ISO 27002
At the completion of the course, you will be clear what additional documents you are required to have such as an updated SoA. You will learn how to leverage what you have relative to what will need to be built new. You will understand the certification process, and the components of the implementation process, and be able to estimate how ling this may tke to implement as you build a project plan.
Day 1: Understanding ISO 27701: 2019 Requirements (Learning Objectives):
Learning Objectives:
· To understand the privacy information management security (PIMS) requirements in ISO 27001;
· To understand the privacy information management security (PIMS) requirements in ISO 27002;
· To understand the privacy information management security (PIMS) requirements in ISO 27001 for PII Controllers;
o Conditions for collecting and processing:
§ Identify and document purpose
§ Identify lawful basis
§ Determine when and how consent is to be obtained
§ Obtain and record consent
§ Privacy impact assessment
§ Contracts with PII processors
§ Joint PII controller
§ Records related to processing PII
o Obligations to PII principals:
§ Determining and fulfilling obligations to PII principals
§ Determining information for PII principals
§ Providing information to PII principals
§ Providing mechanism to modify or withdraw consent
§ Providing mechanism to object to PII processing
§ Access, correction and/or erasure
§ PII controllers obligations to inform third parties
§ Providing copy of the PII processed
§ Handling requests
§ Automated decision making
o Privacy by design and privacy by default:
§ Limit collection
§ Limit processing
§ Accuracy and quality
§ PII minimization objectives
§ PII de-identification and deletion at the end of processing
§ Temporary files
§ Retention
§ Disposal
§ PII transmission controls
o PII sharing, transfer and disclosure:
§ Identify basis for PII transfer between jurisdictions
§ Countries and international organizational to which PII can be transferred
§ Records of transfer of PII
§ Records of PII disclosure to third parties
Day 2: Implementing ISO 27701: 2019 (Learning Objectives):
· To understand the privacy information management security (PIMS) requirements in ISO 27002 for PII Processors;
o Conditions for collection and processing
§ Customer agreement
§ Organizations purposes
§ Marketing and advertising use
§ Infringing instructions
§ Customer obligations
§ Records related to processing PII
o Obligations to PII principals
§ Obligation to PII principals
o Privacy by design and privacy by default
§ Temporary files
§ Return, transfer or disposal of PII
§ PII transmission controls
o PII sharing, transfer and disclosure
§ Basis for PII transfer between jurisdictions
§ Countries and international organizations to which PII can be transferred
§ Records of PII disclosure to third parties
§ Notification of PII disclosure requests
§ Legally binding PII disclosures
§ Disclosures of subcontractors used to process PII
§ Engagement of a subcontractor to process PII
§ Change of subcontractor to process PII
· To understand how to use ISO 27701 as a verification for your customers that the GDPR requirements are met – how 3rd Party add-on audits to ISO 27001 can be useful;
· To learn implementation techniques that are efficient and effective and leverage systems already in place.
Day 3: Planning & Conducting Effective Management System Audits (Learning Objectives):
· Be capable of applying terms, definitions and concepts to MS auditing
· Be capable of recognizing examples of Auditing Principles
· To recognize the types of audits these principles apply
· To learn the roles & responsibilities of Audit Program Manager
· To understand the Audit Lifecycle - IPERC
· To understand the role of the Auditor through each step
· To learn the layers of planning 1) Program 2) Audit and 3) Interview
· Be capable of conducting a Process Audit
· Be able to write clear NC reports and communicate findings
· To understand differences b/n 1st & 3rd Party audits
· To understand the corrective action process and role of auditor
· To understand your personality type to solicit optimal outcomes
Day 4: Leading Management System Audits (Learning Objectives):
· To learn the roles & responsibilities of Audit Team Leader
· To be able to write an audit plan - applying the risk-based approach
· To be able to run an Opening & Closing Meeting
· To be able to handle difficult situations - professionally
· To be able to discuss strategic issues with Top Management
· To be able to demonstrate conflict management skills - including diverging opinions
· To be able to identify and manage audit risk
· To recognize the nuances of Joint & Combined audits
· To be able to conduct virtual/remote audits
· To understand required report content & who gets the report
· To be capable of verifying effectiveness & completeness of corrective actions
· To gain familiarity with ISO 17021-1
· To gain familiarity with IAF documents and how to use them
· To exhibit auditor communication skills - w/ wide range of people w/ range of topics
· To ensure audit plans include objectives, scope & criteria (and are understood)
· To understand the process for selecting overall team competence is understood
· To ensure work assignments to teammates are clear & documented info for audit is prepared
· To confirm H&S considerations are planned and related risks are understood
· To assure auditors are capable of progressing the audit and keep on schedule
· To assure the purpose of team briefings is understood - including the content of the briefings
· The TL can lead the team to reach consensus on audit findings
· The TL objectives, purpose and content of Closing Meeting are understood
· The TL understands to distribute the audit report as per the audit plan
· The TL demonstrates ability to develop a complete, accurate, concise and clear audit record
· The TL ensures audit report details audit completion and follow up actions
· To understand the completion and effectiveness of corrective actions are verified
Course Materials:
· Slides with Notes pages
· Five exercises per day are used to engage students and confirm learning
· Case Study
Standards: Standards are not included in the cost of the course. The following standards will be covered in this class.
· ISO 27701: 2019 (available for $237 T webstore.ansi.org)
· ISO 19011: 2018 (available for $148.00 at webstore.ansi.org)
We recommend you purchase digital copies prior to the course. There may be “packages” that can get the price lower.
Exams: Each of the four days includes a one hour timed exam. There are 25 Questions each day and one must achieve 70% to pass.
Please note price includes a 2.9% service fee.
