ISO 27701 LTD (ISO³), ISO to the power of three, has been the fruition of development since the start of the twenty first century, to support the 2020 vision that data means business.

To profit at all, let alone to maximise profit, a 2020 company must ensure that it, and its data processors, have the capability and competencies to guarantee that data is kept confidential, the data integrity inviolate, and that it is always available at the point of use.

The convergence of Confidentiality, Integrity, and Availability is a function of dynamic data management conforming to ISO 27701, ISO 27001, and ISO 22301.

ISO³ brings you the skills, experience, and knowledge, to protect data, and reassure your customers of your competitive advantage by providing externally audited assurance of ISO compliance at a fixed fee.

A business’s profits today are a function of data. Data is the lifeblood of business development, and for many organisations, data may be the business. Within a business data will take many forms:

  • The business’s own intellectual property
  • The business’s licensed intellectual property
  • Financial data
  • Client’s data
  • Personally Identifiable data as defined by the Data Protection Act 2018
  • Publically available data
  • Staff data

The challenge for businesses today is the convergence of data requirements demands different staff skills. Historically the disciplines of Information Security, Business Continuity, and Data Protection have been totally separate areas of specialisation.

In 2020 to address the issues data presents internally, and to satisfy clients that their data is held confidentially, with appropriate integrity, and availability, requires one all-embracing approach.

Unless the flow of data into an organisation, its storage in multiple locations, and ultimately its destruction is understood and controlled, the consequences may be disastrous.



Consultancy based upon hourly rates can mount up to some hidden surprises.

At ISO³ we are happy to quote on a fee capping basis.

We will conduct a free pre-consultancy evaluation of the effort required and provide a quote for the monthly fees, over the agreed timescale, ending with external audit. Should we fail to obtain a successful audit, we will continue to work free, until success is achieved.

We are happy to provide this service for compliance with ISO 27701 (Confidentiality – Data Protection), ISO 27001 (Integrity – Information Security), ISO 22301 (Availability – Business Continuity), or all three.

N.B. The auditors fees are excluded from these quotations, as the audit must be independent and you, the client, must negotiate with a UKAS accredited Certification Company separately.


The cost of an initiative to develop a dynamic data management system is often estimated in terms of external costs and fees. However, the real cost can be that of the demands on internal resource.

If the progress of the project depends upon significant internal engagement, were these hidden costs truly calculated, the business case would not be persuasive. Surely your reason for engaging external specialist resource is to free up your staff to concentrate on what they do best, and to employ externals to do what they do best?

ISO³ has refined an effective delivery mechanism with a minimal staff overhead. This advanced method is called Prototyping.

Prototyping entails the consultant engaging with individuals for as little time as is necessary, as and when there is information required to produce a section of a planned deliverable. The cumulative information will permit the consultant to draft a deliverable, or prototype, which will then be shared with the originators to check veracity.

Once in a publishable form, these deliverables will form the dynamic data management system. This agile approach ensures a light touch staff engagement, with change embedded in operational practices.

Proprietary processes ……………

Thumbs up


A data “Controller” is liable, in essence, for any data protection irregularity perpetrated by any of its data “Processors”, irrespective of whatever audits that the Controller conducted, or reassurances received.

Anyone who stores personal data is a controller, and anyone who has access to it is a processor, such as external payroll company, HR software hosting organisation, Legal counsel, etc.

If however, the Controller ensures that the Processor is audited against ISO 27701, the liability passes to the third party auditors, and away from the Controller.

It is stated in the General Data Protection Regulation (EU) 2016/679, Article 28:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

A further supporting observation is made in Recital: 81

The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

The UK Data Protection Act 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018. It sits alongside the GDPR, and tailors how the GDPR applies in the UK, for example by providing exemptions.


Use of this website

We value your privacy. Unlike most websites, at ISO³ we do not collect information about visitors to this website.

There is no data stored or communicated to other parties.

Data Protection Generally

ISO³ may, in the course of the conduct of its business, obtain some of your data. Any such data will be obtained with your explicit consent and will only be used for those specific purposes to which you consented.

Data subject rights

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

A more detailed explanation of the UK Data Protection Act 2018 can be found on the website for the UK Information Commissioner’s Office.