ISO/IEC 27001, 27701, DPTM, PPTM – Which should I get for my organisation?

We often hear of organisations flaunting their ISO or Data Protection Trustmark (DPTM) certifications. But what do these certifications mean? How do they differ? And do I need to get one for my organisation?

With the enforcement of data protection regulations in many regions, certifications in information security and privacy management – such as the ISO/IEC 27001, 27701 and DPTM, among others – are growing in popularity. Getting certified increases your credibility as an organisation, opening up opportunities for partnerships with other firms. Getting certified is also a way of building trust with your customers.

But with the many certifications available, how do I know which to get for my organisation?

We interviewed Edwin Concepcion, CIPM and Certified Lead Implementer of ISO 27001 and 27701, to discuss the differences between some of the more popular certifications in information security and data privacy.

Find out more about the difference between the ISO/IEC 27001 and ISO/IEC 27701 here.

What are the key differences between ISO/IEC 27001, 27701, DPTM / PPTM?

The ISO/IEC 27001, ISO/IEC 27701, the Singapore Data Protection Trustmark (DPTM), and the Philippine Privacy Trust Mark (PPTM) are among the most widely recognised certifications which demonstrate an organisation’s capability in data protection.

ISO certifications are recognised internationally in more than 160 countries. These are issued by the Professional Evaluation and Certification Board (PECB) and the PECB Management System (PECB MS). ISO/IEC 27001 deals with the implementation of an information security management system (ISMS), while ISO/IEC 27701 deals with the implementation of a privacy information management system (PIMS).

Meanwhile, the DPTM and PPTM are certifications which are usually recognised only within the local jurisdiction. The DPTM is issued by the Infocomm Media Development Authority of Singapore (IMDA), while the PPTM is issued by the National Privacy Commission of the Philippines (NPC).

ISO/IEC 27001 (Information Security Management System) provides the standards for operationalising your ISMS to protect your company’s data – be it personal, transactional, or confidential data. It ensures that the confidentiality, integrity, and availability of your data is maintained.

On the other hand, ISO/IEC 27701 (Privacy Information Management System) is more extensive. It includes more privacy principles such as the consent obligation and the retention limitation obligation, in order to protect the personally identifiable information that a business handles.

Similarly, the standards for both Singapore's DPTM and the Philippines’ PPTM are largely based on international standards.

An ISO 27001 or 27701 certification is NOT a prerequisite to obtain a DPTM or PPTM. However, since these are largely based on 27001 and 27701, the organisation must be able to conform with 27001 and 27701 principles to be awarded a DPTM or PPTM.

So which certification should I get for my organisation?

It will depend on why you need a certification. Is it to demonstrate best practices to your customers? Where are your customers located? Are you seeking to partner with a foreign organisation?

The main difference between ISO and DPTM / PPTM is the scope of its jurisdiction. ISO certifications are recognised in 165 countries and provide a universal framework that is recognised in several jurisdictions. On the other hand, the DPTM is limited to Singapore, while the PPTM is limited to the Philippines.

Thus, if you seek to partner with organisations outside of Singapore or the Philippines, an ISO/IEC certification might be better for you. The DPTM / PPTM will be irrelevant for companies in the USA and Europe. So, if you plan to take on a foreign client or sell your products globally, it is better to opt for an ISO/IEC certification.

However, if you are only doing business locally, then a DPTM or PPTM might be sufficient to build your reputation with customers and other organisations.

I thought ISO/IEC certifications were for organisations. Why do I see courses offered for individuals? Can I get ISO/IEC certified as an individual?

For ISO/IEC certifications, both organisations and individuals can get certified.

Organisations get their management systems certified by passing an audit. To get certified, a management system must demonstrate conformance of organisational practices against the standard of interest (e.g., ISO 27001).

Individuals, on the other hand, can get certified by attending training courses by the Professional Evaluation and Certification Board (PECB) or a PECB Authorised Partner. Individual certification establishes your knowledge of the ISO standard and equips you to implement it in any organisation.

Straits Interactive is a PECB Authorised Partner. Check out our ISO certification programmes for 27701 and 27001.

So, should you have an ISO-certified employee for your organisation and management system to be ISO-certified?

No, an ISO-certified employee is not a requirement to get certified. However, an ISO-certified individual who thoroughly understands the standard, such as an ISO Lead Implementer, will be a big help in accelerating your management system’s compliance.

What about other privacy certifications such as IAPP?

The International Association of Privacy Professionals (IAPP) certifies only individuals and not organisations.

Thus, IAPP certifications are for demonstrating your skill as an individual in privacy laws (CIPP*), in operationalising privacy (CIPM*), or in engineering privacy (CIPT*). These certifications will be helpful for current and aspiring Data Protection Officers (DPOs).

*CIPP - Certified Information Privacy Professional; CIPM - Certified Information Privacy Manager; CIPT - Certified Information Privacy Technologist

Straits Interactive is also an IAPP-accredited training partner. Check out our courses for CIPM and CIPP/E.

Be willing to invest in training

We asked Concepcion for one piece of advice he could give to individuals and organisations seeking certification.

Concepcion advises, “Be willing to pay for the training. Under the ISO/IEC training roadmap, we do foundation training before you can go for Lead Implementer or Lead Auditor training. [You need to] establish your basic knowledge first of what the standard is about. So that when you go for certification, you have a good appreciation of what the standard is going to do, and you are familiar with the terminologies.”

Alternatively, explore our ISO/IEC training roadmap here.