We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / ISO 27701
ISO / IEC · Global

ISO/IEC 27701

A privacy extension (PIMS) to ISO 27001 for managing personal data.

1. Introduction

ISO/IEC 27701 is the international standard that extends an information security management system (ISMS) into a privacy information management system (PIMS). Published first in August 2019 as an amendment to ISO/IEC 27001 and ISO/IEC 27002, it provides a certifiable framework for organisations to demonstrate that they systematically manage the processing of personally identifiable information (PII). Rather than reinventing governance, ISO 27701 layers privacy-specific requirements and controls on top of an existing ISO 27001 ISMS, so that security and privacy are governed under a single, integrated management system.

For any organisation subject to the GDPR, the UK Data Protection Act, India's Digital Personal Data Protection Act (DPDP Act, 2023), the UAE PDPL, Brazil's LGPD, California's CCPA/CPRA or sector-specific privacy law, ISO 27701 offers a defensible, auditable way to operationalise those legal obligations. It is one of the very few privacy standards against which an accredited certification body can issue a certificate, making it a powerful trust signal for customers, regulators and partners. This guide provides an auditor-grade walkthrough of the standard's structure, an exhaustive master assessment checklist covering every clause and Annex control, and a practical implementation and audit approach.

Copyright note
ISO/IEC 27701 is a copyrighted standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The official normative text must be purchased from ISO, IEC or an authorised national standards body (for example BIS in India, BSI in the UK). This guide is an original explanatory summary written by CyberSigma auditors and paraphrases requirements in our own words. It does not reproduce the copyrighted text of the standard and is not a substitute for the licensed document.

2. What is ISO 27701

ISO/IEC 27701:2019, titled 'Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines', specifies the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It is intended to be used by all types and sizes of organisation, including public and private companies, government entities and not-for-profit organisations, that are PII controllers and/or PII processors processing PII within an ISMS.

The standard is deliberately built as an extension, not a stand-alone system. To be certified against ISO 27701, an organisation must have (or simultaneously achieve) an ISO 27001-conformant ISMS whose scope covers the processing of PII. ISO 27701 then:

  • Modifies and augments the ISO 27001 clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement) with PII-specific requirements — for example requiring the scope to consider privacy obligations and the risk assessment to consider risks to PII principals.
  • Provides privacy-specific implementation guidance that refines the 93 (2022 revision) / 114 (2013 revision) security controls of ISO 27002 as they apply to PII.
  • Introduces two brand-new sets of privacy controls in its annexes: Annex A for organisations acting as PII controllers, and Annex B for organisations acting as PII processors.
  • Maps its controls to the GDPR articles (Annex D), to ISO/IEC 29100 privacy principles (Annex C) and to ISO/IEC 27018 and ISO/IEC 29151 (Annex F).

A crucial concept is the distinction between a PII controller (the entity that determines the purposes and means of processing) and a PII processor (the entity that processes PII on behalf of a controller). ISO 27701 requires an organisation to determine its role — it may be a controller, a processor, or both for different processing activities — and to apply the corresponding Annex A and/or Annex B controls. The standard adopts the privacy terminology of ISO/IEC 29100, using 'PII principal' for the individual (the data subject) and 'PII' for personal data.

3. Who must comply

ISO 27701 certification is voluntary; no law mandates the certificate itself. However, it is adopted by organisations that need to demonstrate accountable, defensible privacy management. The following categories most commonly pursue it:

Organisation typeWhy ISO 27701 appliesTypical role
SaaS / cloud service providersCustomers and RFPs demand demonstrable privacy governance over hosted PII; complements ISO 27017/27018.PII processor (often also controller for own staff/marketing data)
Enterprises subject to GDPR / DPDP / LGPDNeed an auditable way to evidence accountability, records of processing and data-subject rights handling.PII controller
BPO, KPO, IT-services and outsourcing firmsProcess large volumes of client PII under contract; certificate reassures clients and reduces due-diligence friction.PII processor
Healthcare, insurance and pharmaHandle special-category / sensitive PII (health data) requiring elevated safeguards.Controller and processor
Banks, fintech and payment firmsCombine privacy obligations with security regimes such as PCI DSS and RBI norms.Controller and processor
Marketing, adtech and CRM providersProfiling, consent and lawful-basis management are core risk areas scrutinised by regulators.Controller (and processor for client campaigns)
Public sector and government agenciesStatutory duty to protect citizen PII; certification demonstrates good governance.PII controller
  • Prerequisite: the organisation must already operate, or be building, an ISO 27001 ISMS — ISO 27701 cannot be certified in isolation.
  • Scope trigger: any organisation that acts as a PII controller or PII processor and wants third-party assurance of its privacy programme is a candidate.
  • Commercial driver: increasingly appearing as a contractual or tender requirement, and used to reduce the burden of bespoke customer privacy audits.

4. Structure of ISO 27701

ISO 27701 is organised into normative management-system clauses (which mirror and extend the ISO 27001 Annex SL structure), a refinement of the ISO 27002 controls, and two annexes of new privacy controls plus several informative mapping annexes. The table below summarises the full structure.

Clause / AnnexTitleNaturePurpose
Clause 4Context of the organisation (PIMS-specific)Normative (extends 27001 Cl.4)Determine internal/external issues, interested parties and PIMS scope considering PII processing and role.
Clause 5Leadership (PIMS-specific)Normative (extends 27001 Cl.5)Top-management commitment, PIMS policy and privacy roles/responsibilities.
Clause 6Planning (PIMS-specific)Normative (extends 27001 Cl.6)Risks and opportunities, PII risk assessment and treatment, PIMS objectives.
Clause 7Support (PIMS-specific)Normative (extends 27001 Cl.7)Resources, competence, awareness, communication and documented information.
Clause 8Operation (PIMS-specific)Normative (extends 27001 Cl.8)Operational planning and control; execution of PII risk treatment.
Clause 9Performance evaluation (PIMS-specific)Normative (extends 27001 Cl.9)Monitoring, measurement, internal audit and management review of the PIMS.
Clause 10Improvement (PIMS-specific)Normative (extends 27001 Cl.10)Nonconformity, corrective action and continual improvement.
Clause 6.2 mappingPIMS-specific guidance related to ISO/IEC 27002Normative refinementPrivacy-specific interpretation of ISO 27002 security controls.
Annex APIMS-specific reference control objectives and controls (PII Controllers)Normative31 controls across 4 privacy areas for controllers; feeds the Statement of Applicability.
Annex BPIMS-specific reference control objectives and controls (PII Processors)Normative18 controls across 4 privacy areas for processors.
Annex CMapping to ISO/IEC 29100InformativeAligns PIMS controls to the 11 privacy principles.
Annex DMapping to the GDPRInformativeMaps PIMS clauses/controls to GDPR articles.
Annex EMapping to ISO/IEC 27018 and ISO/IEC 29151InformativeCross-reference to cloud PII and PII-protection code of practice.
Annex FHow to apply ISO 27701 to ISO 27001 and ISO 27002InformativeExplains the extension/refinement mechanics.

Annex A (controllers) groups its controls into four privacy control areas: A.7.2 Conditions for collection and processing; A.7.3 Obligations to PII principals; A.7.4 Privacy by design and privacy by default; and A.7.5 PII sharing, transfer and disclosure. Annex B (processors) groups its controls into: B.8.2 Conditions for collection and processing; B.8.3 Obligations to PII principals; B.8.4 Privacy by design and privacy by default; and B.8.5 PII sharing, transfer and disclosure.

5. Master assessment checklist

This is the core of the guide. It enumerates every management-system clause requirement and every Annex A (controller) and Annex B (processor) control. For each group we give what an auditor must verify and the typical evidence expected. No control area is skipped. Organisations should apply the management clauses and ISO 27002 refinements universally, Annex A if they are a controller, and Annex B if they are a processor.

5.1 Clause 4 — Context of the organisation (PIMS)

What to verifyTypical evidence
Internal and external issues relevant to PII processing have been identified, including the applicable privacy laws and the organisation's role as controller and/or processor.Context analysis document, legal register, role-determination record (controller/processor per activity).
Interested parties (PII principals, regulators, customers, sub-processors) and their privacy requirements are documented.Interested-parties register with mapped privacy obligations.
The PIMS scope is defined, documented and considers the interfaces and dependencies of PII processing.PIMS scope statement referencing processing activities, locations and roles.

5.2 Clause 5 — Leadership (PIMS)

What to verifyTypical evidence
Top management demonstrates leadership and commitment to the PIMS and integrates privacy requirements into business processes.Signed PIMS/privacy policy, management review minutes, resourcing decisions.
A privacy (PIMS) policy is established, appropriate to the organisation, and communicated.Approved privacy information management policy and communication records.
Roles, responsibilities and authorities for privacy are assigned, including a point of accountability (e.g. DPO where required).Org chart, DPO appointment letter, RACI for privacy responsibilities.

5.3 Clause 6 — Planning (PIMS)

What to verifyTypical evidence
Risks and opportunities to the PIMS are addressed, and the risk assessment explicitly considers risks to PII principals (not only to the organisation).Risk methodology, risk assessment covering privacy impact to individuals.
A PII risk treatment plan and a Statement of Applicability covering ISO 27001 Annex A and ISO 27701 Annex A/B controls exist and are justified.Risk treatment plan, Statement of Applicability with inclusion/exclusion rationale.
PIMS objectives are established, measurable and consistent with the privacy policy.Documented privacy objectives with targets and owners.

5.4 Clause 7 — Support (PIMS)

What to verifyTypical evidence
Resources, competence and privacy-specific training are provided to relevant staff.Training plan, attendance records, competence matrix, awareness campaign material.
Awareness of the privacy policy and individual responsibilities is maintained across the workforce.Awareness assessment results, acknowledgement records.
Communication (internal and external) on privacy matters is defined, and documented information for the PIMS is controlled.Communication plan, document control register, version history.

5.5 Clause 8 — Operation (PIMS)

What to verifyTypical evidence
Operational processes needed to meet privacy requirements are planned, implemented and controlled, including changes.Operating procedures, change records, evidence of control execution.
The PII risk treatment plan is implemented and outsourced processes are controlled.Treatment plan status, sub-processor controls and oversight records.

5.6 Clause 9 — Performance evaluation (PIMS)

What to verifyTypical evidence
Monitoring and measurement of PIMS performance and privacy controls are performed and analysed.Metrics/KPI reports, control-effectiveness measurements.
Internal audits of the PIMS are planned and conducted covering all clauses and applicable controls.Internal audit programme, audit reports, findings log.
Management reviews of the PIMS occur at planned intervals with defined inputs and outputs.Management review minutes with action items and decisions.

5.7 Clause 10 — Improvement (PIMS)

What to verifyTypical evidence
Nonconformities are identified, corrected and their causes addressed through corrective action.Nonconformity and corrective-action register with root-cause analysis.
The PIMS is continually improved in effectiveness.Improvement log, trend analysis, closed actions demonstrating uplift.

5.8 ISO 27002 privacy refinement (Clause 6.2 guidance)

What to verifyTypical evidence
Security controls from ISO 27002 (e.g. access control, cryptography, logging, supplier management, incident management) are applied with the privacy-specific guidance ISO 27701 adds.Refined control descriptions in the SoA, procedures reflecting privacy considerations.
Access to PII is restricted, PII in logs is minimised, and cryptography protects PII at rest and in transit.Access reviews, log-masking configuration, encryption standards and key-management records.
Supplier and cloud-service agreements incorporate privacy obligations.Contracts/DPAs with security-plus-privacy clauses, supplier assessments.

5.9 Annex A.7.2 — Conditions for collection and processing (Controllers)

What to verifyTypical evidence
Purposes for processing PII are identified and documented (A.7.2.1).Records of processing, purpose specification per activity.
A lawful basis is identified and documented for each processing purpose (A.7.2.2).Lawful-basis register, legitimate-interests assessments.
Where consent is the basis, it is obtained, recorded and demonstrable (A.7.2.3).Consent capture logs, consent wording, timestamps.
Privacy impact assessments (DPIAs) are conducted where processing is high-risk (A.7.2.4).DPIA reports, DPIA trigger criteria.
Contracts with PII processors are in place and address controller instructions (A.7.2.5).Data processing agreements, controller-processor contracts.
Joint PII controller responsibilities are defined where applicable (A.7.2.6).Joint-controller arrangements documenting respective duties.
Records related to processing PII are maintained (A.7.2.7).Record of processing activities (ROPA / Article 30-style records).
The organisation determines and documents its role as PII controller (A.7.2.8).Role-determination record per processing activity.

5.10 Annex A.7.3 — Obligations to PII principals (Controllers)

What to verifyTypical evidence
Obligations to PII principals are determined and documented (A.7.3.1).Rights obligations register mapped to applicable law.
Information (privacy notice) is provided to PII principals about processing (A.7.3.2).Published privacy notices, layered notices at collection points.
The mechanism for providing information is appropriate and accessible (A.7.3.3).Notice delivery evidence, accessibility of notices.
A process exists to modify or withdraw consent (A.7.3.4).Consent-withdrawal workflow, preference centre records.
A process exists for PII principals to object to processing (A.7.3.5).Objection-handling procedure and case records.
Access, correction and erasure requests (data-subject rights) are handled (A.7.3.6).DSAR log, request workflow, response timelines.
Obligations to provide a copy of PII (portability) are met (A.7.3.7).Portability request handling and export format evidence.
Requests from PII principals are handled within required timeframes (A.7.3.8).SLA tracking of rights requests, timestamps.
Automated decision-making is subject to defined obligations (A.7.3.9).Inventory of automated/profiling decisions, human-review process.
Corrections/erasures are communicated to third parties who received the PII (A.7.3.10).Notification-to-recipient records.

5.11 Annex A.7.4 — Privacy by design and privacy by default (Controllers)

What to verifyTypical evidence
Collection of PII is limited to what is necessary for the identified purposes (A.7.4.1).Data minimisation review, field-level justification of forms/systems.
Processing is limited to the identified purposes (A.7.4.2).Purpose-limitation controls, use-restriction policies.
PII is accurate and kept up to date (A.7.4.3).Data-quality procedures, accuracy checks.
Data minimisation objectives are defined and de-identification used where possible (A.7.4.4).Minimisation targets, anonymisation/pseudonymisation records.
PII is deleted or de-identified at the end of the processing period (A.7.4.5).Retention schedule, deletion/de-identification logs.
Temporary files containing PII are managed and disposed of (A.7.4.6).Temp-file handling procedure, cleanup evidence.
Retention of PII is limited to what is necessary (A.7.4.7).Retention policy, expiry and purge records.
Secure disposal of PII is performed (A.7.4.8).Secure-disposal certificates, media-destruction logs.
Transmission controls protect PII in transit (A.7.4.9).Encryption-in-transit configuration, transmission procedures.

5.12 Annex A.7.5 — PII sharing, transfer and disclosure (Controllers)

What to verifyTypical evidence
The basis for transferring PII between jurisdictions is identified and documented (A.7.5.1).Transfer-mechanism register (SCCs, adequacy, BCRs).
Countries and international organisations to which PII may be transferred are documented (A.7.5.2).Transfer inventory listing destination countries/entities.
Records of PII disclosures to third parties are maintained (A.7.5.3).Disclosure log with recipient, purpose and date.
Records of PII disclosures required by law (e.g. to authorities) are maintained (A.7.5.4).Lawful-disclosure register, request-from-authority records.

5.13 Annex B.8.2 — Conditions for collection and processing (Processors)

What to verifyTypical evidence
The customer's (controller's) processing agreement is honoured and instructions are documented (B.8.2.1).Processing agreement, documented controller instructions.
Processing is limited to what the controller instructs; other purposes are flagged (B.8.2.2).Purpose-restriction controls, exception-handling records.
The processor supports the controller in meeting its obligations (marketing and advertising use is not made without instruction) (B.8.2.3).Contract clauses, evidence no independent use of PII.
Infringing instructions are identified and the controller informed (B.8.2.4).Escalation procedure and records of instruction challenges.
The processor's obligations to the customer are met and documented (B.8.2.5).Records of controller support and assistance.
Records related to processing PII on behalf of the customer are maintained (B.8.2.6).Processor ROPA, per-customer processing records.
The organisation determines and documents its role as PII processor (B.8.2.7).Role-determination record.

5.14 Annex B.8.3 — Obligations to PII principals (Processors)

What to verifyTypical evidence
The processor provides the controller with the means to fulfil PII-principal obligations (B.8.3.1).Tooling/APIs and procedures to support DSARs, evidence of assistance to controller.

5.15 Annex B.8.4 — Privacy by design and privacy by default (Processors)

What to verifyTypical evidence
Temporary files containing PII are managed and disposed of (B.8.4.1).Temp-file handling procedure and cleanup logs.
PII is returned, transferred or disposed of per contract at end of processing (B.8.4.2).Return/deletion evidence at contract termination.
Transmission controls protect PII in transit (B.8.4.3).Encryption-in-transit configuration and procedures.

5.16 Annex B.8.5 — PII sharing, transfer and disclosure (Processors)

What to verifyTypical evidence
The basis for international PII transfers is identified and documented (B.8.5.1).Transfer-mechanism register for processor-initiated transfers.
Countries and organisations to which PII may be transferred are documented (B.8.5.2).Transfer inventory.
Records of PII disclosures to third parties are maintained (B.8.5.3).Disclosure log.
Notification of legally binding disclosure requests is provided to the controller (B.8.5.4).Records of authority requests and controller notifications.
Sub-processors are engaged only with controller authorisation and under equivalent obligations (B.8.5.5).Sub-processor register, authorisation records, flow-down clauses.
Changes to sub-processors are communicated to the customer (B.8.5.6).Sub-processor change notifications and objection window records.
Records of PII disclosures required by law are maintained (B.8.5.7).Lawful-disclosure register.

6. Scoping

Scoping the PIMS correctly is decisive: too narrow and the certificate misleads stakeholders; too broad and the programme becomes unmanageable. Because ISO 27701 extends ISO 27001, the PIMS scope must be a subset of, or aligned to, the ISMS scope, and it must be expressed in terms of PII processing.

  • Determine the role(s): identify for each processing activity whether the organisation is a PII controller, a PII processor, or both. This dictates whether Annex A, Annex B, or both apply.
  • Inventory PII processing activities: catalogue what PII is processed, for what purposes, by which systems, in which locations, and for which categories of PII principals.
  • Map data flows and boundaries: include internal systems, sub-processors, cloud services and cross-border transfers within scope.
  • Align to the ISMS: the PIMS scope statement should reference the underlying ISO 27001 scope; PII processing outside the ISMS boundary must be brought in or explicitly excluded with justification.
  • Document interfaces and dependencies: outsourced processing, shared services and joint-controller arrangements must be identified.
  • Produce a Statement of Applicability that spans ISO 27001 Annex A plus ISO 27701 Annex A and/or Annex B, with rationale for inclusion or exclusion of each control.
Scoping pitfall
A common error is certifying an ISMS scope that does not actually cover the systems processing the highest-risk PII (for example, the marketing CRM or a customer support platform). Auditors will trace real data flows; ensure the PIMS scope reflects where PII genuinely lives, not just the flagship product.

7. Implementation approach

A phased implementation keeps the programme controlled and evidences maturity to the certification body. The following five phases assume an ISO 27001 ISMS either exists or is being built in parallel.

Phase 1 — Initiation and gap assessment

  • Activities: obtain leadership sponsorship; confirm ISO 27001 status; determine controller/processor roles; run a gap assessment against Clauses 4-10 and Annex A/B; identify applicable laws (GDPR, DPDP, PDPL, LGPD).
  • Deliverables: gap-assessment report, role-determination record, applicable-law register, project charter and plan.

Phase 2 — Design and documentation

  • Activities: define PIMS scope; write the privacy policy and supporting procedures; establish the PII risk methodology; build the record of processing activities (ROPA); draft the Statement of Applicability.
  • Deliverables: PIMS scope statement, privacy policy suite, ROPA, risk methodology, draft SoA.

Phase 3 — Risk assessment and treatment

  • Activities: perform PII risk assessment (impact to individuals and organisation); conduct DPIAs for high-risk processing; select and plan Annex A/B controls; produce the risk treatment plan.
  • Deliverables: PII risk register, DPIA reports, risk treatment plan, finalised SoA.

Phase 4 — Control implementation and operation

  • Activities: implement lawful-basis and consent management, privacy notices, DSAR handling, retention and deletion, transfer mechanisms, sub-processor management, privacy-by-design gates and training/awareness.
  • Deliverables: operational privacy controls, consent/DSAR tooling, retention schedule, transfer register, awareness records.

Phase 5 — Internal audit, review and certification

  • Activities: run internal audits across all clauses and applicable controls; hold management review; remediate findings; select an accredited certification body; undergo Stage 1 (documentation) and Stage 2 (implementation) audits.
  • Deliverables: internal audit report, management review minutes, corrective-action closure, certification-readiness pack, ISO 27701 certificate.

8. Maturity / capability model

ISO 27701 does not itself define a maturity scale, but auditors and consultants routinely assess PIMS control implementation against a five-level capability model to prioritise remediation. The scale below is a practical assessment aid.

LevelNameDescriptionIndicative evidence
0Non-existentNo privacy management; processing occurs without governance.No policy, no ROPA, ad-hoc handling.
1Initial / ad-hocSome privacy activity but undocumented and reactive.Isolated notices, informal DSAR handling.
2RepeatableBasic processes documented but inconsistently applied.Draft policy, partial ROPA, some consent capture.
3DefinedPIMS processes standardised, documented and communicated across scope.Approved policy suite, complete ROPA, SoA, training.
4ManagedControls measured and monitored; metrics drive decisions.KPIs, control-effectiveness testing, internal audits.
5OptimisingContinual improvement; privacy embedded by design and proactively enhanced.Trend-driven improvements, automated controls, mature DPIA gating.

For certification, controls should be at Level 3 (Defined) as a minimum and demonstrably operating; Levels 4 and 5 evidence the continual-improvement expectations of Clauses 9 and 10.

9. Assessment and audit approach

  1. Confirm prerequisites: verify a conformant ISO 27001 ISMS exists (or is audited concurrently) and that its scope covers the PII processing to be certified.
  2. Stage 1 audit (readiness / documentation review): the certification body reviews the PIMS scope, policy, ROPA, SoA, risk assessment and internal-audit and management-review evidence to confirm readiness.
  3. Address Stage 1 findings: remediate documentation gaps and confirm the SoA correctly reflects controller/processor roles.
  4. Stage 2 audit (implementation / effectiveness): auditors sample evidence to confirm controls are implemented and operating — tracing lawful basis, consent, DSAR handling, retention, transfers and sub-processor oversight.
  5. Raise and classify findings: nonconformities are recorded as major or minor; observations note improvement opportunities.
  6. Corrective action: the organisation performs root-cause analysis and implements corrections within agreed timeframes; major nonconformities must be cleared before certification.
  7. Certification decision: an independent reviewer at the certification body grants the ISO 27701 certificate, typically valid for three years.
  8. Surveillance audits: conducted (usually annually) to confirm continued conformance and improvement.
  9. Recertification: a full audit before the three-year certificate expires.

10. Evidence request list

Auditors will request evidence across the following categories. Prepare these in an indexed evidence repository mapped to clauses and controls.

  • Governance: PIMS scope statement, privacy policy, DPO/role appointments, RACI, management review minutes.
  • Records and inventory: record of processing activities (ROPA), PII inventory, data-flow maps, role-determination records.
  • Risk and impact: PII risk methodology and register, risk treatment plan, DPIA reports, Statement of Applicability.
  • Lawful basis and consent: lawful-basis register, legitimate-interests assessments, consent capture and withdrawal logs.
  • Transparency: privacy notices at all collection points, layered notice evidence.
  • Individual rights: DSAR log and workflow, objection/erasure/portability handling records, response-time SLAs.
  • Data lifecycle: retention schedule, deletion/de-identification logs, secure-disposal certificates.
  • Transfers and sharing: cross-border transfer register (SCCs/adequacy/BCRs), disclosure log, lawful-disclosure records.
  • Third parties: data processing agreements, sub-processor register and authorisations, supplier assessments.
  • Security refinements: access reviews, encryption/key-management, log-masking, incident and breach-notification records.
  • Assurance: internal audit reports, competence/training records, awareness campaign evidence, corrective-action register.

11. Roles and responsibilities

RoleKey responsibilities
Top management / BoardProvide leadership, approve the privacy policy, allocate resources, own accountability for the PIMS.
Data Protection Officer (DPO) / Privacy leadAdvise on obligations, oversee DPIAs and ROPA, act as contact for regulators and PII principals, monitor compliance.
PIMS / ISMS managerOperate the management system, maintain the SoA and risk register, coordinate audits and reviews.
Legal / ComplianceDetermine lawful bases, manage transfer mechanisms and contracts/DPAs, track regulatory change.
IT / Security teamImplement technical controls — encryption, access control, logging, deletion, retention automation.
Process / business ownersMaintain accurate ROPA entries, enforce purpose limitation and minimisation in their processes.
Procurement / Vendor managementEnsure processors and sub-processors are contractually bound and assessed.
Internal auditIndependently audit the PIMS against ISO 27701 clauses and applicable controls.
All staffFollow privacy policy, complete training, report privacy incidents and rights requests.

12. KPIs to track

  • Percentage of processing activities with a documented lawful basis and complete ROPA entry.
  • Data-subject rights requests (DSARs) closed within the statutory/target timeframe.
  • Mean and maximum DSAR response time.
  • Number of DPIAs completed for high-risk processing versus triggers identified.
  • Percentage of PII assets covered by the retention schedule and subject to automated deletion.
  • Consent capture and withdrawal success rates; percentage of records with valid, demonstrable consent where consent is the basis.
  • Number and severity of privacy incidents and personal-data breaches; time to detect and to notify.
  • Percentage of processors/sub-processors under a signed data processing agreement.
  • Privacy training completion rate and awareness assessment scores.
  • Open versus closed corrective actions from internal and external audits, and their ageing.
  • Cross-border transfers covered by a valid transfer mechanism.

13. Readiness checklist

  • ISO 27001 ISMS is in place and its scope covers the PII processing to be certified.
  • Controller/processor role determined and documented for every processing activity.
  • PIMS scope statement and privacy policy approved and communicated.
  • Record of processing activities (ROPA) complete and current.
  • PII risk assessment (including impact to individuals) and treatment plan completed.
  • Statement of Applicability covers ISO 27001 Annex A plus ISO 27701 Annex A and/or B with justifications.
  • Lawful basis identified and consent management operational where required.
  • Privacy notices published at all collection points.
  • DSAR / individual-rights process implemented and tested with SLAs.
  • Retention schedule, deletion and secure-disposal processes operating.
  • Cross-border transfer mechanisms and transfer register in place.
  • Data processing agreements signed with all processors and sub-processors.
  • DPIA process defined with clear trigger criteria.
  • Privacy-by-design gates integrated into project and change processes.
  • Staff trained; awareness evidence retained.
  • Internal audit and management review of the PIMS completed with actions closed.
  • Accredited certification body engaged for Stage 1 and Stage 2 audits.

14. Common gaps

  • Treating ISO 27701 as a stand-alone standard and attempting certification without a valid ISO 27001 ISMS.
  • Incomplete or outdated ROPA that does not reflect actual processing or new systems.
  • Risk assessment considering only organisational risk and ignoring impact on PII principals.
  • SoA that omits or fails to justify Annex A/B controls, or applies the wrong annex for the organisation's role.
  • Privacy notices that are generic, out of date, or missing at some collection points.
  • DSAR handling that lacks defined SLAs, evidence trail, or portability/erasure capability.
  • No retention schedule, so PII is kept indefinitely; deletion not evidenced.
  • Cross-border transfers occurring without a documented, valid transfer mechanism.
  • Sub-processors engaged without controller authorisation or without flow-down obligations.
  • Consent that cannot be demonstrated (no timestamps, wording or withdrawal mechanism).
  • Privacy-by-design not embedded — controls bolted on after systems go live.
  • DPIAs not triggered or not performed for genuinely high-risk processing.
  • Weak sub-processor change notification, denying customers a chance to object.

15. ISO 27701 mapped to other frameworks

FrameworkRelationship to ISO 27701Key overlap
ISO/IEC 27001Mandatory foundation — 27701 extends its management-system clauses.Context, leadership, risk, audit, improvement; shared ISMS.
ISO/IEC 27002Refined by 27701's privacy-specific guidance.Security controls interpreted for PII protection.
GDPRAnnex D maps PIMS clauses/controls to GDPR articles.Lawful basis, DSARs, DPIAs, records, transfers, breach handling.
India DPDP Act 2023Not mapped in the standard but strongly supportive.Consent, notice, data-principal rights, purpose limitation.
ISO/IEC 29100Provides the privacy-principle vocabulary (Annex C mapping).11 privacy principles underpinning the controls.
ISO/IEC 27018Cloud PII processor code of practice (Annex E mapping).Processor obligations for cloud environments.
ISO/IEC 29151Code of practice for PII protection (Annex E mapping).Controller control refinements.
NIST Privacy FrameworkComplementary US-oriented model.Govern/Identify/Control/Communicate/Protect functions align with PIMS.
SOC 2 (Privacy TSC)Independent US attestation with privacy criteria.Notice, choice, collection, retention, disclosure, access.

16. How CyberSigma helps

How CyberSigma helps
CyberSigma's CERT-In empanelled auditors and privacy specialists take you from readiness to certificate. We run a role-based gap assessment against every ISO 27701 clause and Annex A/B control, build or refine your ISO 27001 ISMS foundation, and deliver the full PIMS artefact set — scope, privacy policy suite, ROPA, PII risk assessment, DPIAs, Statement of Applicability, retention schedule and transfer register. We operationalise lawful-basis and consent management, DSAR handling, privacy-by-design gates and sub-processor governance, aligning them to the GDPR, India's DPDP Act, UAE PDPL and LGPD in one integrated programme. Finally we conduct internal audits, prepare you for Stage 1 and Stage 2, and support you through certification and ongoing surveillance. Talk to CyberSigma to accelerate your ISO 27701 journey with an auditor-grade, evidence-first approach.
Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Frequently asked questions

Can I certify ISO 27701 on its own?
No — ISO 27701 is an extension of ISO 27001, so you need an ISO 27001 ISMS (existing or concurrent) as its foundation.
Official documents

Need help with ISO 27701?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.