At a glance
- Client: B2B Health SaaS with PHI/PII processing
- Goal: Add ISO 27701 to existing ISO 27001 to unlock enterprise deals and streamline DPIA/ROPA assurance for customers
Problem
Demand from hospitals and payers required robust privacy assurance beyond ISO 27001. The team had fragments of ROPA and DPIA material, but no consistent PIMS or repeatable evidence.
Approach
- Privacy governance
  - Established roles (DPO/PO), cadences, and policy set (notices, consent, SRR, retention).
- Records & risk
  - Completed ROPA and PII flows; created DPIA triggers and templates; aligned to processing purposes and lawful bases.
- Controls & proof
  - Mapped privacy controls (minimisation, access restriction, retention) and automated evidence from M365 (SharePoint/Purview/Entra/Intune).
- Readiness & audit support
  - Ran internal privacy audit; closed findings; prepared auditors’ sample set and walkthroughs.
Outcome
- ISO 27701 certification achieved in 10 weeks
- 60% reduction in evidence prep time for customer assurance
- Shorter security questionnaire cycles and faster enterprise deals
Key Results
- 50+ processing activities documented (ROPA)
- DPIA trigger coverage >95%
- Data retention matrix and consent flows embedded
What we delivered
- PIMS governance and policy set
- ROPA, DPIA templates, and records
- Evidence automation in M365
- Audit preparation and support