ISO standards now required in PH telco, transport sectors

In March 2022, the Congress of the Philippines passed amendments to the Public Service Act (PSA) that made it possible for full foreign ownership of telecommunications and railway services.

As part of this liberalisation of key public services, which is expected to encourage more foreign investment and innovation, to improve the quality of products and services, to lower prices and to create more jobs, the amendments also require compliance with international standards, specifically ISO, in certain public-service industries.

Initially, the amendments highlighted the telecommunications sector, where certified ISO compliance on information security standards was meant to protect the Philippines from cyber threats coming from foreign interests. In fact, ISO compliance is now a “continuing requirement” for telco firms to “retain their authority to operate as a public service”.

It has now been made clear that all companies belonging to sectors such as telecommunications, domestic shipping, railways and subways, airlines, expressways, tollways, and transport network vehicles services (TNVS) are now mandated to implement information security management systems based on ISO standards.

Click to find out more about ISO/IEC certifications vs national 'trust' certifications

According to Edwin Concepcion, Country Manager of data privacy consultancy Straits Interactive in the Philippines, these amendments and the ISO requirements “mean that it is more urgent now” for organisations in these sectors “to align their information security practices with ISO and to get certified.”

To find out how to comply with the ISO requirements of the PSA or with the Data Privacy Act in the Philippines, please schedule a 20-minute strategy call or contact sales@straitsinteractive.com to get your queries answered.

ISO/IEC 27001/27701 and the Philippine Privacy Trust Mark

For example, the ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides standards and requirements for the implementation and operationalisation of the Information Security Management System (ISMS).

“This is basically all about the company's data, regardless whether it is personal data, transactional data or confidential data. The protection of this data is in ensuring that you maintain its confidentiality, integrity and availability,” he added.

On the other hand, the ISO/IEC 27701 is an extension of the ISO/IEC 27001 with the inclusion of privacy principles that are adaptable depending on the context of the organisation, with focus on a Privacy Information Management System (PIMS).

“Providing choice, privacy notice, and getting consent - these are now guidelines that are also in the ISO/IEC 27701,” said Concepcion.

When considering implementation of these ISO standards, Concepcion added that the “foundation” should be the ISO 27001, and that compliance with ISO standards are also the basis for awarding the Philippine Privacy Trust Mark, or PPTM.

“Based on the information provided by the National Privacy Commission, the auditing agent would have to look at an organisation's ISO/IEC 27001 and ISO 27701 practices or alignment to those standards for you to be awarded the PPTM,” he said.

Visit www.dpexnetwork.com to learn more about ISO certification courses and data protection competency roadmaps.