ISO/IEC 27701
ISO/IEC 27701 Privacy Information Management System Certification
In recent years, Internet applications have emerged one after another, big data and cloud computing have developed rapidly, and people leave more and more personal traces on the network. By collecting, mining, refining and analyzing the traces people leave on the Internet, an accurate profile of any individual can be assembled and fully exposed on the network.
The Cybersecurity Law of the People's Republic of China (commonly referred to as the Cybersecurity Law) formally took effect on June 1, 2017. It is worth noting that the Cybersecurity Law also contains many provisions on the security and protection of data (including personal information), such as Articles 40 to 45.
The General Data Protection Regulation (GDPR) officially took effect on May 25, 2018; its best-known provision is fines of up to 20 million euros or 4% of global revenue for the previous fiscal year.
Against this background, it is clear that privacy leakage has a serious impact on an enterprise's reputation and business standing. In this context, ISO has published the ISO/IEC 27701 Privacy Information Management System (PIMS) standard, which gives enterprises a management standard, aligned with global trends, for carrying out privacy information management in a comprehensive and compliant manner.
Certification of an organization's privacy information management in accordance with the ISO/IEC 27701 standard
The certification process falls into two stages:
At stage 1, we confirm whether your company's privacy information management system framework is consistent with the declared certification scope under the ISO/IEC 27701 standard, and agree on the resources needed and the schedule for the stage 2 audit.
At stage 2, we confirm in detail whether the ISO/IEC 27701 standard has been effectively implemented in your company, and identify areas for improvement in your company's privacy information management from an objective third-party perspective. If nothing in the operation of your company's system seriously affects the certification result, we will issue the certificate within 15 working days.
Optional services:
Internal auditor training: The effective operation of the system relies on effective internal audits, which cannot be achieved without the correct understanding of standards by internal auditors. We provide internal auditor training services to help your company truly master the methodology of privacy information management and achieve continuous improvement.
Gap analysis: In this process, we study your company's existing privacy information management system in detail and compare it with the requirements of ISO/IEC 27701 to produce a detailed gap analysis report. This identifies areas for improvement before the formal audits, saving project time and reducing uncertainty in the certification conclusion.
ISO/IEC 27701 applies to all organizations, regardless of their size, industry, or business nature.
On November 1, 2021, the Personal Information Protection Law officially took effect; together with the Data Security Law, which came into effect on September 1 of the same year, China's legal framework in the field of data security is being established and improved.
The official implementation of the Personal Information Protection Law has raised the wave of personal information protection triggered by the GDPR's entry into force in 2018 to a new height, particularly in its impact on businesses. Some provisions of the Personal Information Protection Law may have a significant impact on enterprises, for example by requiring relevant data platform enterprises to establish a compliance system and to clarify their legal obligations, such as protecting personal information and regularly publishing social responsibility reports on personal information protection.
It should be noted that privacy-related laws vary from country to country: the GDPR, the California bill, and countries such as Australia or Japan each have their own laws. This creates barriers to conducting cross-border data business, whereas a privacy information management system provides a consistent set of privacy practices (i.e. controls) that can be mapped against any privacy law. It helps enterprises demonstrate due diligence and win more business opportunities. Other benefits include assuring customers, suppliers, regulatory agencies, and other stakeholders that the company has comprehensive systems and processes to ensure privacy information compliance.
Before formal certification, your company should have established a privacy information management system that meets both the ISO/IEC 27001 information security management system and the ISO/IEC 27701 standard, and the system should have been operated for no less than three months.
The operation of the system includes carrying out management activities such as risk assessment, privacy impact analysis, internal audit, and management review as required by ISO/IEC 27701 standard.
The certification project cycle is approximately four weeks from the beginning of stage 1 audit to the issuance of the certificate.
The main purpose of privacy information management is to meet the needs of customers and compliance requirements, so it usually requires the participation of your company's business department, technology research and development department, customer service department, information security department, and legal department.
Where appropriate, please provide support such as network access, office space and document printing during the audit.
Duration of the optional services:
Internal auditor training: 2 working days
Gap analysis: 4 working days
Organizations applying for certification should establish a privacy information management system that complies with the requirements of the ISO/IEC 27701:2019 standard. Additionally, as the ISO/IEC 27701 standard is an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information, an information security management system that covers privacy information and complies with ISO/IEC 27001 should also be established. Before applying for ISO/IEC 27701 certification, the organization should complete internal audits and management reviews, and ensure that the system has been in operation for at least three months; the organization should provide CEPREI with sufficient information on the operation of the privacy information management system. For multiple sites, the certification scope, address, and personnel distribution of each site should be specified; CEPREI audits multiple sites through sampling.
The certification is carried out in two stages: stage 1 is an on-site audit that includes document review and confirmation that preparation for the stage 2 audit is adequate; the stage 2 audit mainly evaluates the compliance and effectiveness of the system and produces the recommended conclusions of the on-site audit.
The certificate is valid for 3 years and is subject to annual surveillance after the initial audit.
When there are changes in the organization's privacy information management system, or significant changes that affect the compliance of the privacy information management system, CEPREI shall be notified in a timely manner; CEPREI will conduct surveillance audits, certificate renewal audits, or re-certification as appropriate to maintain the validity of the certificate.
As the first authoritative third-party certification body to introduce the concept of "certification" into China, CEPREI Certification Body adheres to the principles of "science, justice, service and value". After nearly 50 years of development, CEPREI has established a service and R&D team with rich theoretical knowledge and practical experience, and has obtained accreditation and authorization from various domestic and foreign authorities. It has a deep theoretical foundation and rich practical experience in the research and assessment of management systems, industry management training, and sector-specific technical support, and enjoys a high reputation in the fields of certification, evaluation, and training at home and abroad.
CEPREI Certification Body has been deeply engaged in the field of information security for many years, and is one of the first pilot bodies to obtain the support of the Ministry of Industry and Information Technology and the approval of the Certification and Accreditation Administration of China for information security management system certification, and is a member of the CNAS Information Security Certification Professional Committee.
In 2021, CEPREI became the first Chinese-funded certification body in China recognized by ANAB for privacy information management system certification.