Skip main navigation
Home>The Association>UNE Briefing Room>Press releases>The UNE-EN ISO/IEC 27701 Standard for Information Privacy Management has been published.

An extension of the standard UNE-EN ISO/IEC 27701 on Privacy Information Management has been published


  • It reinforces the implementation of an Information Security Management System (ISMS) and sets out the requirements for ensuring the adequate management of Personal Identifiable Information (PII).

Madrid, 3 December 2021 - The Spanish Association for Standardization - UNE, has published UNE-EN ISO/IEC 27701:2021 Security techniques. An extension of the ISO/IEC 27001 and ISO/IEC 27002 standards on information security. Requirements and guidelines. This is the official Spanish version of Standard ISO/IEC 27701:2019.

Due to the importance of personal data processing in the Spanish-speaking market, as from today, this standard has an official ISO version in Spanish, developed by several experts in the field.

Thus, Information Security Management Systems (ISMS) are now available for the Spanish-speaking market, to help companies and organisations obtain certification in this international standard. In an increasingly digital environment, Personal Identifiable Information PII, has become an essential part of the normal operations of companies, organisations and other entities. Information security is a growing social need, and a way to guarantee the rights and freedoms of interested parties.

This standard sets out the requirements for ensuring an information security management system for Personal Identifiable Information (PII) through the implementation of an ISMS, in order to attain a higher level of security, confidentiality, integrity, availability and resilience of information systems that manage PII.

The UNE-EN ISO/IEC 27701:2021 standard is a tool that will help to guarantee, and demonstrate compliance with the provisions of the General Data Protection Regulation (GDPR), as well as Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, (LOPDGDD).

This standard will be especially important regarding compliance with the principle of proactive responsibility of the GDPR, which requires, in general, continuous management of compliance with the standard, and in particular, of the risks that the PII processing entails for the rights and freedoms of its interested parties.

Similarly, the ISMS defined by the ISO/IEC 27701 Standard will be a great ally for all data controllers and processors that receive requests for information and guarantee of compliance with the GDPR and the LOPDGDD in the field of due diligence or other control activities. With this certification, data controllers and processors will be able to demonstrate continuous compliance, through compliance with an ISO standard, which is synonymous with reliability and trust.

The ISO/IEC 27701 standard covers Information Security Management Systems (ISMS) created from the provisions of the ISO/IEC 27001, Information Technology - Security Techniques - Information Security Management Systems - Requirements, and with the ISO/IEC 27002 Information Technology - Security Techniques - Code of Practice for information security systems.

Thus, the standard ISO/IEC 27701 extends the controls set forth in these two standards, adapting and improving them to guarantee the security of PII processed within information systems of companies or organisations. New requirements have also been added, regarding those intended for information management by data controllers; and by data processors and sub-processors.

These new requirements imposed by ISO/IEC 27701 have been drafted with the intention of compliance with the specific obligations deriving from data protection regulations at an international level, with particular attention to the provisions included in the GDPR.

With the adaptation to the Spanish market, the standard UNE-EN ISO/IEC 27701:2021 complements all the family of ISO 27000 standards, aimed at Standardising information security and the protection of the PII, in particular, the UNE-EN ISO/IEC 27001:2017 and the UNE-EN ISO/IEC 27002:2017.

We consider that all these standards, when effectively implemented, help companies to create a culture of regulatory compliance, based on and with the goal of guaranteeing the security of PII and respecting the rights and freedoms of its owners.