Framework

ISO 27701
privacy information management system

ISO/IEC 27701:2019 is the certifiable extension that turns an ISO 27001 information security management system into a privacy information management system (PIMS). It adds privacy-specific requirements, additional controls, and a controller and processor obligation split that the ISMS does not carry on its own. This page covers the structure, the GDPR cross-walk, and how a workspace records the evidence the PIMS audit expects.

No credit card required. Free plan available forever.

ISO 27701 in context: the PIMS extension to ISO 27001

ISO/IEC 27701:2019 is the international standard that turns an ISO 27001 information security management system (ISMS) into a privacy information management system (PIMS). It does three things at once: it adds privacy-specific requirements to ISO 27001 clauses 4 to 10, it adds privacy-specific implementation guidance to the ISO 27002 controls, and it introduces two annexes of additional controls (Annex A for PII controllers, Annex B for PII processors). ISO 27701 is certifiable, but only as an extension of an ISO 27001 certification; the audit runs as ISO 27001 + ISO 27701 against the same scope and the same certification body.

The relationship most teams need to keep clear is the layering across the ISO 27001 family. The ISO 27001 framework page covers the management system standard that certifies the underlying ISMS. The ISO 27002 framework page covers the implementation guidance for the 93 controls in ISO 27001:2022 Annex A; note that ISO 27701:2019 was written against the 114 controls of the 2013 edition, so organisations certified to the 2022 edition carry the privacy guidance across using the published 2013-to-2022 control correspondence rather than by clause number. The ISO 27017 framework page covers the cloud-specific extension and the ISO 27018 framework page covers the public cloud PII processor obligations. ISO 27701 sits across all of those: it applies wherever PII is processed, regardless of whether the workload is on-premises, in a private cloud, or in a public cloud. The Statement of Applicability cites ISO 27001 Annex A; the privacy supplements and the additional Annex A or Annex B controls reference ISO 27701 explicitly so the auditor can trace each obligation back to the right standard text.

Where ISO 27701 sits in the ISO 27001 family

Three standards are read together by the certification body when it audits a PIMS: the two baselines (ISO 27001 and ISO 27002) and the extension itself. ISO 27701 cannot be implemented in isolation; it consumes the ISO 27001 management system clauses and the ISO 27002 control catalogue and extends them with privacy-specific obligations.

ISO 27001 (the underlying ISMS)

The certifiable management system standard. ISO 27701 supplements ISO 27001 clauses 4 to 10 with privacy-specific requirements; it cannot be implemented or certified without an underlying ISO 27001 conformant ISMS. The PIMS is the privacy extension to the ISMS rather than a freestanding system.

ISO 27002 (the control catalogue)

The implementation guidance behind the ISO 27001 Annex A controls (93 in the 2022 edition; ISO 27701:2019 itself references the 114 controls of ISO 27002:2013, so the privacy notes are applied through the 2022 control correspondence). ISO 27701 supplements that guidance with privacy-specific implementation notes and adds two annexes (A for PII controllers, B for PII processors) of controls that apply on top of the ISO 27002 baseline.

ISO 27701 (the PIMS extension)

The certifiable PIMS extension. Adds privacy-specific requirements to the ISMS clauses, privacy guidance to the ISO 27002 controls, and the Annex A and Annex B additional controls. Certification runs as ISO 27001 + ISO 27701 in scope on the same certificate, audited by the same body.

ISO 27701 Annex A: additional controls for PII controllers

ISO 27701 Annex A sets out the controls a PII controller is expected to operate over and above the ISO 27002 baseline. The annex codifies the operational obligations behind controller accountability: lawfulness of processing, obligations to PII principals, privacy by design and by default, and PII sharing, transfer, and disclosure.

Conditions for collection and processing of PII

The controller identifies and documents the lawful basis for each processing activity, the purposes the PII is processed for, the categories of PII, the categories of PII principals, and the records that evidence the basis. The control codifies the lawfulness obligation as an artefact the audit walks rather than a policy paragraph.

Obligations to PII principals

The controller records the means by which it provides notice, obtains consent where consent is the basis, fulfils data subject rights, and handles automated decisions. The PIMS holds the notice template, the consent record, the request workflow, and the technical means used to act on each request.

Privacy by design and privacy by default

Privacy by design is documented as a control: the design considerations, the configurations chosen by default, and the evidence that the design and default settings minimise PII processing to what the purpose requires. The control is examined in the context of new processing activities and major changes to existing ones.

PII sharing, transfer, and disclosure

Sharing PII with third parties (sub-processors, joint controllers, recipients), cross-border transfers, and disclosures under legal obligation each have a documented basis. The PIMS records who receives the PII, why, under what safeguard, and what controller decisions support the sharing.

ISO 27701 Annex B: additional controls for PII processors

ISO 27701 Annex B sets out the controls a PII processor is expected to operate over and above the ISO 27002 baseline. Annex B is the operational evidence base most cloud and SaaS providers use to support customer GDPR Article 28 obligations, and it is the most-audited annex for service providers carrying ISO 27701 in scope.

Customer obligations the processor acts on

The processor records the processing instructions the customer gives, the categories of PII the contract covers, the duration, the purposes, and the categories of PII principals. The PIMS holds the contract reference, the operational reading of the customer instruction, and the change record when the instruction is updated.

Privacy by design at the processing layer

The processor evidences design choices that reduce the PII the processing handles: data minimisation in the platform configuration, encryption defaults, retention enforcement, separation of customer tenants, and access boundaries that limit PII exposure to what the processing purpose requires.

PII sharing under controller instruction

The processor shares PII only on documented controller instruction, including with sub-processors. The PIMS records the sub-processor list, the customer notification path for sub-processor changes, the customer right to object, and the contractual flow-down of the same obligations to each sub-processor.

Records of PII processing the processor maintains

The processor maintains records of categories of processing carried out on behalf of each controller, recipients, transfers, security measures, and retention. The records meet the Article 30(2) GDPR processor record obligation directly and feed the controller record obligation under Article 30(1) by reference.

Privacy-relevant work that produces evidence against Annex A and Annex B controls includes privacy-focused penetration tests, configuration reviews of PII-handling systems, and scanner output against verified endpoints. The cloud security assessment workflow feeds the technological evidence base where PII processing is in scope, and findings relating to sensitive data exposure and insufficient logging and monitoring sit directly inside the Annex A and Annex B control register rather than as freestanding technical issues.

ISO 27701 to GDPR mapping (Annex D)

The most-used part of ISO 27701 in privacy implementation work is Annex D, which provides the official mapping from PIMS clauses and controls to GDPR Articles 5 to 49. The mapping is what makes the PIMS evidence base readable as GDPR evidence: a control row answers a specific Article rather than a generic privacy principle.

  • GDPR Article 5 principles (lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability) map across ISO 27701 obligations rather than to a single control. The audit walks the principles through the PIMS register rather than expecting one row to discharge each.
  • GDPR Article 28 processor obligations map closely to ISO 27701 Annex B. A controller selecting an ISO 27701-certified processor can use the certificate scope as evidence toward the "sufficient guarantees" Article 28(1) asks for, but ISO 27701 is not an approved certification mechanism under Article 42, so the certificate supports the assessment rather than discharging it. The contractual obligations in Article 28(3) remain the controller responsibility; what the certificate documents is the technical and organisational measures basis behind them.
  • GDPR Articles 30 records of processing, 32 security of processing, 33 breach notification to the supervisory authority, 34 breach notification to data subjects, and 35 DPIA each have direct PIMS counterparts. The PIMS audit trail evidences the operational discipline behind each Article rather than restating the legal obligation.
  • GDPR Articles 44 to 49 cross-border transfers map to PIMS transfer records, the safeguards applied (SCCs, BCRs, adequacy, derogations), the supplementary measures where the transfer assessment requires them, and the consultation of the supervisory authority where mandated.

For the GDPR side of the conversation, the GDPR framework page covers the regulation itself and the obligations it places on controllers and processors. ISO 27701 is the operational layer most often used to evidence the technical and organisational measures GDPR Articles 25, 28, 32, 33, and 35 require, so the two pages are read together rather than as alternatives.

Building the PIMS evidence base

ISO 27701 audit findings most often centre on evidence rather than on control intent. The privacy obligation is named in the SoA, the controller and processor roles are documented, and the team can describe what each side does, but the artefact a certification body asks for is either missing, stale, or non-specific to the processing activity in question. The evidence model below is what survives stage 2 and surveillance review.

  • Privacy policy and PIMS scope statement: the documents that anchor the PIMS, the boundary of the privacy programme, and the management endorsement that signals leadership accountability for privacy outcomes. The audit reads these alongside the ISO 27001 ISMS scope and policy.
  • Records of processing activities (RoPA): the single source of truth for processing purposes, categories of PII, categories of PII principals, recipients, transfers, retention, and security measures. The RoPA reads as the spine of the PIMS rather than an artefact assembled for each audit.
  • Privacy impact assessment (PIA / DPIA) records: the structured assessment of necessity and proportionality, the risks to PII principals, the measures envisaged, and the residual risk decision per processing activity that crosses the controller PIA threshold.
  • Data subject request register: the request intake, the identity verification, the controller decision, the technical means used, the response, and the timing record per request, with an audit trail that demonstrates the rights regime is operating rather than only documented.
  • Sub-processor and recipient register for processors: the list of recipients and sub-processors, the contractual flow-down, the customer notification record per change, and the audit right exercised where the customer contract requires it.
  • PIMS internal audit and management review records: the same internal audit and management review obligations that ISO 27001 carries, applied to the PIMS-specific clauses and to the privacy controls in Annex A or Annex B.
  • Privacy assessment and pentest findings linked to PIMS controls: privacy-relevant findings from penetration tests, configuration reviews, and continuous scanning are attached to the PIMS controls they evidence rather than living in a separate report archive.

For the technological side of the evidence base, scanner findings against PII-handling assets need to preserve the evidence that turned the detection into a finding. The scanner output deduplication guide covers how to merge findings across scanners without losing the per-source evidence each export carried, and the false positives guide covers the validation discipline that keeps the per-control evidence chain trustworthy when the obligation in question is privacy-sensitive.

How SecPortal aligns to ISO 27701 implementation work

SecPortal is the workspace that holds the engagement, the privacy assessment findings, and the audit trail that the per-control evidence chain references. The platform does not certify the PIMS and is not a substitute for the certification body audit, but it does hold the work the implementation team relies on when building and maintaining the privacy evidence base.

  • Compliance tracking with workspace-level templates that record per-control status, evidence pointers, and the controller / processor responsibility split each PII-relevant control needs to capture.
  • Findings management that links privacy-relevant penetration test, configuration review, and scanner output to the specific ISO 27701 Annex A or Annex B control the finding evidences. The audit trail walks from the finding back to the standard text without manual cross-referencing.
  • Engagement management that records the work behind privacy assessments and PIMS-related pentests (the scope, the targets, the methodology, the testers, the timeline), so the assessor activity is itself a piece of PIMS evidence.
  • AI report generation that produces the narrative privacy compliance summary an internal audit committee or a certification body expects, with the underlying control register and evidence base preserved behind the narrative.
  • Activity logs that record every status change, evidence upload, and assignment in the workspace. The log is part of the accountability evidence the PIMS surveillance audit walks each year.
  • Continuous monitoring with scheduled scans against verified PII-handling endpoints, so the technological evidence behind privacy-relevant assets stays current rather than ageing between audit cycles.

For the delivery side of PIMS implementation work, the page for compliance consultants covers the project-driven delivery model that runs ISO 27001 + ISO 27701 readiness work as structured engagements, and the page for cloud security consultancies covers the delivery model many privacy-relevant cloud assessment engagements use when the PIMS scope intersects with public cloud workloads.

The certification path for ISO 27701

ISO 27701 is certifiable, but only as an extension of an ISO 27001 certification. The certification body audits the underlying ISMS plus the PIMS supplements together, and the certificate states ISO 27001 + ISO 27701 in the same scope. An organisation cannot hold an ISO 27701 certificate without also holding (or simultaneously achieving) an ISO 27001 certificate.

  • Stage 1 review checks the PIMS documentation: the scope (which processing activities, which controller and processor roles), the privacy policy, the Statement of Applicability that cites ISO 27001 Annex A and the relevant ISO 27701 annex, the RoPA, and the PIA records. The review is documentary; gaps surface before stage 2 reaches operations.
  • Stage 2 audit examines operational evidence: how each privacy obligation is implemented, what evidence supports the implementation, and whether the controller and processor responsibility split is documented and current. The auditor walks the per-control evidence chain and the data subject request log rather than accepting policy alone.
  • Surveillance audits in years one and two re-examine a sample of PIMS clauses, a sample of controls, and any non-conformities raised at certification. Privacy controls usually feature in surveillance because the underlying processing activities and sub-processor relationships change faster than the ISMS does.
  • Recertification at year three repeats the full stage 1 and stage 2 cycle, with the privacy control set typically expanded if the organisation has taken on new processing activities, entered new transfer paths, or extended the controller or processor footprint since initial certification.

Common implementation mistakes

The mistakes below recur across organisations bringing privacy-relevant processing into an existing ISMS and across organisations whose providers carry ISO 27701 attestations but whose customer-side evidence has not kept pace. Each is recoverable with a documented correction; each is hard to recover when discovered at the certification body audit.

  • Treating ISO 27701 as a substitute for GDPR compliance. The standard is the technical and organisational measures basis the controller or processor uses to evidence parts of GDPR; it does not discharge the lawful basis assessment, the appointment of a data protection officer where Article 37 requires one (an obligation that falls on controllers and processors alike), or the supervisory authority cooperation obligation. The certificate is evidence of operating discipline, not a legal compliance opinion.
  • Implementing the PIMS without an underlying ISO 27001 ISMS. ISO 27701 cannot be certified on its own. A PIMS audit examines clauses 4 to 10 of ISO 27001 with the privacy supplements, plus the controls in Annex A or Annex B. Without the underlying ISMS, the PIMS has no clauses to supplement.
  • Confusing controller and processor scope. A single organisation often acts as a controller for some processing activities and a processor for others. Annex A applies to controller activities; Annex B applies to processor activities. A PIMS scoped only to one role leaves the other unsupported when the audit asks which annex applies to which activity.
  • Letting the records of processing activities (RoPA) drift from operational reality. New processing activities, new sub-processors, new transfer paths, and changed retention rules surface continuously; a RoPA written at certification audits as out of date six months later. The PIMS needs an explicit refresh cadence that the audit can verify.
  • Treating data subject request fulfilment as a policy obligation rather than an operating control. The PIMS audit looks for evidence that requests have been received, identified, verified, fulfilled, and logged within the regime time limits. A policy that names the workflow without records that demonstrate the workflow has run produces a non-conformity.
  • Reading ISO 27701 as covering ISO 27017 (cloud services) or ISO 27018 (PII in public clouds). Each layers on the others. ISO 27701 covers the privacy management system; ISO 27017 covers cloud-specific controls; ISO 27018 covers public cloud PII processor obligations. An organisation that processes PII in a public cloud needs the relevant combination, not one of the three alone.
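Two of the mistakes above (confusing controller and processor scope, and letting the RoPA drift) are the kind of thing a script can catch before the certification body does. The following is an added example, not code from this page or from SecPortal: it walks a constructed RoPA export and flags rows whose record is incomplete for the role they claim (Article 30(1) fields for controller activities, Article 30(2) fields for processor activities), rows that list sub-processors while claiming controller scope, sub-processors missing from the register or lacking contractual flow-down, transfers with no recorded safeguard, and rows older than an explicit review cadence. The record field names, the register shape, the 180-day cadence and the sample activities are all assumptions made for illustration; a real export will use whatever columns the organisation's RoPA tooling produces.

```python
"""Added example: RoPA drift and controller/processor scope check.

Not code from the page or from SecPortal. Field names, register shape,
cadence and sample rows are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Minimum record content per role. These sets follow the headings of GDPR
# Article 30(1) (controller) and 30(2) (processor); the key names are assumed.
CONTROLLER_FIELDS = frozenset({"purposes", "pii_categories", "principal_categories",
                               "recipients", "retention", "security_measures"})
PROCESSOR_FIELDS = frozenset({"controller", "processing_categories",
                              "recipients", "security_measures"})
# Safeguards the page lists for cross-border transfers (Articles 44 to 49).
VALID_SAFEGUARDS = frozenset({"adequacy", "scc", "bcr", "derogation"})


@dataclass
class Transfer:
    destination: str            # receiving country
    safeguard: str | None = None  # one of VALID_SAFEGUARDS, or None if unrecorded


@dataclass
class Activity:
    name: str
    role: str                   # "controller" (Annex A) or "processor" (Annex B)
    last_reviewed: date
    record: dict = field(default_factory=dict)
    transfers: list = field(default_factory=list)
    sub_processors: list = field(default_factory=list)


def check_ropa(activities, sub_processor_register, today, cadence_days=180):
    """Return (activity, code, detail) findings for a list of RoPA rows.

    sub_processor_register maps a sub-processor name to a dict with a
    'flow_down' flag (assumed shape) recording that the same obligations
    were contractually passed down to it.
    """
    findings = []
    for a in activities:
        if a.role == "controller":
            required = CONTROLLER_FIELDS
        elif a.role == "processor":
            required = PROCESSOR_FIELDS
        else:
            findings.append((a.name, "ROLE_UNKNOWN",
                             f"role {a.role!r} must be controller or processor"))
            continue

        # Incomplete record: a required field is absent or empty for this role.
        missing = sorted(f for f in required if not a.record.get(f))
        if missing:
            findings.append((a.name, "RECORD_INCOMPLETE", ", ".join(missing)))

        # Scope confusion: a controller engages processors; a sub-processor
        # list on a controller row usually means the activity is processor-scoped.
        if a.role == "controller" and a.sub_processors:
            findings.append((a.name, "ROLE_MISMATCH",
                             "controller activity lists sub-processors (Annex B concept)"))

        # Every sub-processor must be registered with flow-down in place.
        for sp in a.sub_processors:
            entry = sub_processor_register.get(sp)
            if entry is None:
                findings.append((a.name, "SUBPROCESSOR_UNREGISTERED", sp))
            elif not entry.get("flow_down"):
                findings.append((a.name, "SUBPROCESSOR_NO_FLOWDOWN", sp))

        # Every transfer path must name the safeguard relied on.
        for t in a.transfers:
            if t.safeguard not in VALID_SAFEGUARDS:
                findings.append((a.name, "TRANSFER_NO_SAFEGUARD", t.destination))

        # Drift: the row has not been reviewed within the declared cadence.
        age = (today - a.last_reviewed).days
        if age > cadence_days:
            findings.append((a.name, "RECORD_STALE",
                             f"last reviewed {age} days ago, cadence is {cadence_days}"))
    return findings


def run_example():
    """Run the check over constructed sample rows (not real data)."""
    today = date(2025, 6, 30)
    register = {"CloudStore": {"flow_down": True}}  # constructed register
    complete_controller = {k: "set" for k in CONTROLLER_FIELDS}
    activities = [
        Activity("Marketing newsletter", "controller", date(2025, 6, 1),
                 record=complete_controller,
                 transfers=[Transfer("US", "scc")]),
        Activity("Hosted analytics for Acme", "processor", date(2024, 12, 1),
                 record={"processing_categories": "set", "recipients": "set",
                         "security_measures": "set"},      # 'controller' missing
                 sub_processors=["CloudStore", "MailRelay"]),  # MailRelay unregistered
        Activity("HR payroll", "controller", date(2025, 6, 20),
                 record=complete_controller,
                 transfers=[Transfer("IN")]),               # no safeguard recorded
    ]
    return check_ropa(activities, register, today)


if __name__ == "__main__":
    for name, code, detail in run_example():
        print(f"{name}: {code} ({detail})")
```

Run as a script the example prints one line per finding; the clean row produces nothing, which is the point: the register stays quiet until something drifts. Wiring the same check into a scheduled job against the live RoPA export, with the cadence set to whatever the PIMS policy states, gives the auditor a dated record that the refresh cadence is actually enforced rather than only written down.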

Where ISO 27701 sits alongside other compliance regimes

Most organisations carrying privacy obligations live with more than one regime, and ISO 27701 is most often deployed to evidence the technical and organisational measures clauses those regimes already require. The cross-walks below cover the regimes that most often layer onto an ISO 27701 implementation rather than replacing it.

  • GDPR is the regime ISO 27701 maps most directly to. Annex D supplies the official cross-walk to Articles 5 to 49. The PIMS audit trail evidences the operational discipline behind Articles 25, 28, 30, 32, 33, 34, and 35 in particular.
  • ISO 27018 covers public cloud PII processor obligations and sits beside ISO 27701 rather than underneath it. An organisation processing PII in a public cloud usually carries both standards in scope: ISO 27018 for the cloud-specific processor controls, ISO 27701 for the privacy management system around them.
  • HIPAA imposes US health information privacy and security obligations that ISO 27701 does not directly map to but does support operationally. A covered entity or business associate carrying ISO 27701 inherits much of the technical and organisational measures basis HIPAA security and privacy rules require.
  • SOC 2 is the trust services framework many providers publish attestations against. The Privacy category of the Trust Services Criteria (notice, choice and consent, collection, use and retention, access, disclosure, quality, monitoring) overlaps substantially with the ISO 27701 Annex A and Annex B controls. Organisations carrying both regimes often run them on a shared evidence base rather than as parallel programmes.
  • DORA draws on the ISO 27001 family for ICT risk and third-party risk management evidence. Where the financial entity processes PII, the ISO 27701 PIMS supplies the privacy evidence base on top of the underlying ISO 27001 ISMS that DORA assessments reference.

Privacy assessment work that feeds the PIMS evidence base

Privacy-relevant assessment work is the most direct source of evidence for the technological side of ISO 27701. Penetration tests against PII-handling applications, configuration reviews of platforms that affect PII (key management, retention, regional storage, identity federation), and continuous scanning of verified endpoints all produce findings that link back to specific ISO 27002 and ISO 27701 obligations.

For the engagement workflow that runs the privacy assessment from scoping through to delivery, the pentest evidence management workflow covers the operational discipline that turns each assessment into reusable PIMS evidence rather than a single-use report. The remediation tracking workflow covers the closure cycle that turns a privacy-relevant finding into evidence the control has actually been addressed rather than merely raised, and the cloud security assessment guide covers the methodology that produces the findings the PIMS evidence base inherits.

Scope and limitations

ISO/IEC 27701:2019 is published by the International Organization for Standardization and the International Electrotechnical Commission. SecPortal is the workspace that holds the engagement, the findings, the evidence, and the audit trail; certification under ISO 27001 plus ISO 27701 remains the responsibility of the certified organisation, carried out through an accredited certification body. This page describes the structure of the standard and how a workspace-driven programme plays against the privacy management obligations; the authoritative reference for the obligations remains the published standard text and any subsequent ISO and IEC revisions.

Nothing on this page is legal or audit advice. Decisions about ISO 27001 plus ISO 27701 certification scope, the privacy regimes the implementation is intended to evidence (GDPR, regional privacy law, sector-specific privacy regimes), and the lawful basis for each processing activity require the involvement of the data protection officer, privacy counsel, internal audit, and the chosen certification body. The platform supports the underlying work record those roles rely on; it does not substitute for the privacy assessment, the contractual review, or the certification body audit that determines whether the PIMS meets the standard.

Key control areas

SecPortal helps you track and manage compliance across these domains.

PIMS-specific requirements over ISO 27001

ISO 27701 supplements ISO 27001 clauses 4 to 10 with privacy-specific requirements: the scope of the PIMS, the privacy policy, privacy risk assessment, the privacy impact assessment, and the leadership accountability for privacy outcomes. The audit examines these alongside the underlying ISMS rather than as a separate management system.

PIMS-specific guidance over ISO 27002

The ISO 27002 controls inherit privacy-specific implementation guidance under ISO 27701, with explicit handling of PII at the access management, asset management, supplier relationships, and incident management layers. The Statement of Applicability cites ISO 27001 Annex A; the privacy guidance references ISO 27701 explicitly so the auditor traces each obligation back to the right standard text.

PII controller additional controls (Annex A)

ISO 27701 Annex A sets out the additional controls a PII controller is expected to operate. Conditions for collection and processing, obligations to PII principals, privacy by design and by default, PII sharing, transfer, and disclosure are codified as controls the controller evidences against the ISMS.

PII processor additional controls (Annex B)

ISO 27701 Annex B sets out the additional controls a PII processor is expected to operate. Customer obligations, privacy by design at the processing layer, PII sharing and transfers under controller instruction, and the records of processing activities are codified as controls the processor evidences against the contract.

GDPR Article 28 to ISO 27701 mapping

ISO 27701 Annex D maps the standard to GDPR Articles 5 to 49. The mapping is the most-used cross-walk in privacy implementation work because it lets a controller or processor evidence GDPR obligations through the PIMS audit trail. Article 28 processor obligations sit naturally on the Annex B controls; Article 30 records of processing activities map directly to PIMS records.

Records of processing activities (RoPA)

Article 30 GDPR and ISO 27701 both require records of processing activities. The PIMS holds them in a single, auditable form: the categories of PII, the purposes, the categories of recipients, the international transfer paths, the retention rules, and the security measures. The records read from one place rather than living across spreadsheets.

Data subject request fulfilment (rights management)

ISO 27701 codifies the operational obligations that sit behind GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, automated decisions). The PIMS records the request intake path, the verification of identity, the technical means used to fulfil the request, the controller decisions, and the outcome notified to the data subject.

Privacy impact assessment (PIA / DPIA)

Under ISO 27701 the privacy impact assessment is a documented control that the PIMS holds for processing activities the controller assesses as carrying elevated privacy risk. The structure aligns with GDPR Article 35 DPIA expectations: necessity and proportionality, risks to PII principals, the measures envisaged, and the consultation of the supervisory authority where the residual risk requires it.

Cross-border PII transfers and safeguards

ISO 27701 evidences the safeguards used when PII crosses borders: standard contractual clauses, binding corporate rules, adequacy decisions, derogations under Article 49 GDPR. The PIMS records the transfer path per processing activity, the safeguard relied on, the assessment of the receiving country, and any supplementary measures applied.

Breach notification and incident handling for PII

ISO 27701 layers privacy-specific incident handling on the ISO 27001 incident management process. The PIMS holds the breach detection trail, the materiality assessment for PII principals, the notification to the supervisory authority within the Article 33 GDPR timeline (72 hours of becoming aware of the breach, with a documented reason for any delay), and the data subject communication where Article 34 requires it. The clock starts at awareness, not at detection tooling time, so the evidence trail needs the timestamp at which the organisation concluded a PII breach had occurred.

Evidence the ISO 27701 PIMS without rebuilding the ISMS audit trail

Track ISO 27001 and ISO 27701 obligations on one record, attach privacy assessment findings, and keep the evidence base ready for the PIMS surveillance review.
