WhaTap Monitoring
2025-01-16
WhaTap Labs obtains the global standard ISO 27701 certification

In November 2024, WhaTap Labs successfully obtained the international standard ISO/IEC 27701 personal information protection management system certification.

ISO/IEC 27701 is a certification that specifies the requirements for establishing and operating a management system to protect personal information. It extends ISO/IEC 27001, the existing information security management system standard, with a privacy information management system (PIMS) that focuses on the management and protection of personally identifiable information (PII).

Through ISO/IEC 27701 certification, companies can demonstrate their ability to manage personal information more systematically and securely. It also lays the foundation for compliance with global privacy regulations such as the GDPR (EU General Data Protection Regulation), the CCPA (California Consumer Privacy Act), and PIPA (Korea's Personal Information Protection Act).

By obtaining ISO/IEC 27701 certification, WhaTap Labs has shown that it meets the international standard for personal information protection management systems. This gives customers a more secure and reliable data management environment: customers' personal information is handled according to documented procedures, which minimizes the risk of security incidents such as data breaches. Furthermore, WhaTap Labs operates a system that complies with global personal information protection regulations such as the GDPR, CCPA, and PIPA, reducing domestic and international legal risk and supporting stable business operations.

ISO/IEC 27701 certification requirements

This certification can only be obtained by an organization that already holds ISO/IEC 27001 certification, or by undergoing a combined audit for both standards at once. WhaTap Labs had already obtained ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 in 2023 and therefore met the prerequisites for ISO/IEC 27701 certification.

For ISO/IEC 27701 certification, an organization must satisfy 49 controls across 8 major areas required by the GDPR, including personal information protection management procedures, de-identification, and encryption. These controls set out the specific requirements organizations must follow to protect personal information, and define additional privacy requirements on top of the control items of ISO/IEC 27001 and ISO/IEC 27002.

The following is an overview of the eight main areas of ISO/IEC 27701 and the controls contained within each.

Eight areas and controls of ISO/IEC 27701

1. Information security policy

Existing information security policies should be extended to include privacy requirements. An organization can establish a dedicated personal information protection policy and either incorporate it into the information security policy or manage it as a separate document.

  • Specify the purpose and scope of personal data processing
  • Reflect legal and regulatory requirements relating to the protection of personal information
  • Define roles and responsibilities for protecting privacy within the organization

Policies should be periodically reviewed and updated to reflect the latest legal and technology trends, and communicated to all employees. Through this, organizations must make the entire organization aware of the importance of privacy protection.

2. Information security organization

A clear allocation of roles and responsibilities is needed to manage information security and privacy protection effectively within an organization. This is achieved by defining the structure of the information security organization so that each member clearly understands their own roles and responsibilities.

  • Information Security Officer (CISO): Oversees the design, implementation, and maintenance of the entire security program and establishes a security strategy including privacy activities
  • Data Protection Officer (DPO): Oversees all activities relating to data protection, manages compliance with data protection laws, and communicates with relevant regulators and data subjects
  • IT administrator: Manages security settings, access control, monitoring, and data backup and recovery for systems that handle personal information
  • All employees: Comply with information security policies and privacy policies, and report suspicious activity or violations

Also, since privacy protection often cannot be addressed by internal resources alone, cooperation with external organizations is important. Organizations can strengthen privacy protection by partnering with external vendors, cloud service providers, and legal advisors.

3. Human resource security

Human resource security is a key element of personal information protection. It aims to raise the privacy awareness and sense of responsibility of all employees and to embed appropriate security procedures in the human resources management process.

  • Conduct regular training: Provide regular training programs on legal requirements, internal policies, and the latest security threats and countermeasures relating to personal information protection
  • Training completion management: Record whether all employees have completed security training and check completion status on a regular basis
  • Immediate termination of access to personal information: When an employee leaves the company or changes job, their access rights are removed immediately from the relevant systems and databases
  • Security agreement management: Notify departing employees that their privacy obligations continue after leaving, and confirm their compliance through a signed pledge

Human resource security therefore consists of proactive prevention through training and proper management at offboarding. Regular training makes all employees aware of the importance of protecting personal information, and thorough termination procedures prevent insider threats and mistakes. Together these make an organization's privacy system more robust.

4. Asset management

Assets must be clearly identified and classified, and appropriate protective measures must be implemented for each asset.

The criticality of each asset must be established through identification and classification, and protective measures appropriate to that criticality must be implemented. This minimizes the risk of personal information leakage and misuse, and strengthens the data protection and security system.

5. Access control

Access rights management prevents information leakage and misuse by controlling the users and systems that handle personal information.

  • Authorization and management
    • Access to personal information is granted at the minimum level required for the job, and the authorization procedure is clearly documented
    • The granting of access to personal information, and changes made for new hires or job changes, are recorded and traceable
    • Administrator and user accounts are separated, and separate administrator-only rights are defined for sensitive information
  • Reviewing and updating permissions
    • Access rights are reviewed periodically to remove unnecessary rights and check for possible abuse
    • Permissions are adjusted or removed as soon as a change occurs, such as a role change within the organization, leaving the company, or the end of a project
  • History management and monitoring
    • Keep personal information access records (logs) and review them regularly to detect abnormal access
    • Configure logs to include access time, user ID, task performed, task target, and similar fields
    • Establish an immediate notification and response process for abnormal access
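
As an added illustration of the history-management controls above (example code written for this article, not WhaTap's own monitoring), the following Python reviews a constructed personal-information access log whose records carry the four fields listed: access time, user ID, task and task target. The revocation register, the business-hours window and the per-hour read threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample PII access log (not real data), one record per line with the
# fields the control names: access time, user ID, task (action) and task target.
SAMPLE_LOG = """\
2025-01-10T09:12:03 uid=alice action=read target=customer/1042
2025-01-10T09:15:44 uid=alice action=read target=customer/1077
2025-01-10T02:31:09 uid=bob action=export target=customer/*
2025-01-10T10:02:51 uid=carol action=read target=customer/2201
2025-01-10T10:03:12 uid=carol action=read target=customer/2202
2025-01-10T10:03:40 uid=carol action=read target=customer/2203
2025-01-10T10:04:05 uid=carol action=read target=customer/2204
2025-01-10T11:20:00 uid=dave action=update target=customer/3310
"""

# Hypothetical access-right register: when each user's rights were removed at
# offboarding (the article requires immediate removal on leaving or job change).
REVOKED = {"dave": datetime.fromisoformat("2025-01-09T18:00:00")}
BUSINESS_HOURS = range(8, 20)   # assumed review window: 08:00-19:59 local time
READS_PER_HOUR = 3              # assumed threshold; more reads per user per hour is flagged

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts' field."""
    records = []
    for line in text.splitlines():
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def find_abnormal_access(records):
    """Return (user ID, reason) pairs that should trigger an immediate notification."""
    alerts = []
    reads = Counter()   # (uid, hour bucket) -> number of read operations
    for r in records:
        uid, ts = r["uid"], r["ts"]
        if uid in REVOKED and ts > REVOKED[uid]:
            alerts.append((uid, "access after rights were revoked"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((uid, "access outside business hours"))
        if r["action"] == "export" and r["target"].endswith("*"):
            alerts.append((uid, "bulk export of personal information"))
        if r["action"] == "read":
            bucket = (uid, ts.strftime("%Y-%m-%dT%H"))
            reads[bucket] += 1
            if reads[bucket] == READS_PER_HOUR + 1:   # fire once per bucket
                alerts.append((uid, "high-volume read of personal information"))
    return alerts
```

Running `find_abnormal_access(parse_log(SAMPLE_LOG))` on the constructed log yields four alerts: two for the out-of-hours bulk export, one for the high-volume read, and one for access after revocation.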

6. Encryption

Encryption is a core technology for protecting personal information against leakage and misuse. To this end, an organization needs a process for encrypting data at rest and in transit, and for managing cryptographic keys in a systematic manner.

  • Encrypt stored data
  • Protect data in transit
  • Data masking and tokenization
  • Encryption coverage and standardization
  • Generate and distribute cryptographic keys
  • Storing and protecting cryptographic keys
  • Rotate and revoke cryptographic keys
  • Manage and audit key usage

Encryption is an essential technical measure for protecting personal information and must be applied consistently at rest and in transit to ensure the safety of data. A systematically established key management process further increases the reliability of that encryption and raises the organization's overall level of data protection.

7. Physical and environmental security

Physical security is an important element for protecting personal information storage facilities and data centers from external threats. Controlling facility access and environmental risks keeps the personal information held there safe.

8. Operational security

Operational security plays an important role in maintaining the stability of systems and networks and in preventing, detecting, and responding to security incidents.

  • Security control operation
    • Prevent unauthorized access to systems through user authentication and rights management
    • Continuously address security vulnerabilities through software patches and updates
  • Real-time system monitoring
    • Detect abnormal activity by monitoring system logs and network traffic in real time
    • Analyze security events and respond proactively to potential risks using automated threat detection tools
  • Log management
    • Collect and store system, network, and application logs centrally
    • Configure logs to include access records, changes, errors, security events, and similar information
    • Retain log data for the period required by regulation and analyze it periodically

Systems and networks must be managed reliably through an operational security system. This allows organizations to strengthen the technical and administrative foundation for protecting personal information and respond effectively in the event of a security incident.

At the end of the article

WhaTap Labs has demonstrated excellence in privacy protection and information security by strictly complying with the eight security areas and detailed controls described above. In particular, the log storage and monitoring requirements in the operational security area were fully met using our core solution, WhaTap. WhaTap Labs will continue to protect customers' valuable information and data through continuous improvement.

Experience Monitoring with WhaTap!