Documentation Overview

ISO 27701 requires specific documented information to demonstrate conformity. This documentation builds on ISO 27001 requirements, adding privacy-specific elements. Understanding what auditors expect helps you prepare efficiently for certification.

Documentation Principle

ISO 27701 follows the same documentation philosophy as ISO 27001: document what you need to ensure effective operation and provide evidence of results. Avoid over-documentation, but ensure critical processes and decisions are recorded.

Mandatory Documents

These documents are explicitly required by ISO 27701:

PIMS Scope and Boundaries

  • PIMS scope statement aligned with ISMS scope
  • Organizational boundaries
  • Processing activities in scope
  • PII types covered
  • Justification for any exclusions

Controller/Processor Role Determination

  • Analysis of processing activities
  • Role determination for each activity (controller, processor, or both)
  • Justification for role assignments
  • Impact on applicable Annex controls

Privacy Policy

  • Extends information security policy
  • Privacy principles and commitments
  • Alignment with applicable regulations
  • Management commitment to privacy

Privacy Risk Assessment

  • Methodology for privacy risk identification
  • Risk assessment results
  • Risk evaluation and treatment decisions
  • Integration with information security risk assessment

Statement of Applicability (SoA)

  • Annex A controls (if controller) with justifications
  • Annex B controls (if processor) with justifications
  • Implementation status of each control
  • Justification for any exclusions

Privacy Risk Treatment Plan

  • Actions to address unacceptable privacy risks
  • Responsibilities and timelines
  • Resource allocation
  • Progress tracking

Required Records

Records provide evidence of PIMS operation:

Processing Records (Article 30 Style)

  • Categories of processing activities
  • Purposes of processing
  • Categories of data subjects and PII
  • Categories of recipients
  • Transfers to third countries
  • Retention periods
  • Security measures description

Competence and Training Records

  • Privacy training attendance
  • Role-specific privacy competence evidence
  • Awareness program completion

Internal Audit Records

  • Audit program including privacy scope
  • Audit reports covering PIMS
  • Privacy-specific findings
  • Corrective action tracking

Management Review Records

  • Privacy performance inputs
  • Privacy-related decisions
  • Improvement actions
  • Resource allocation for privacy

Nonconformity and Corrective Action

  • Privacy-related nonconformities
  • Root cause analysis
  • Corrective actions taken
  • Effectiveness verification

Controller-Specific Evidence

For organizations certified as PII Controllers:

Lawful Basis Documentation

  • Legal basis determination for each processing activity
  • Legitimate interest assessments (where applicable)
  • Documentation of lawful basis changes

Consent Records

  • Consent collection mechanisms
  • Consent records (who, when, what, how)
  • Consent withdrawal handling
  • Re-consent processes where required

Privacy Impact Assessments

  • DPIA methodology
  • DPIA records for high-risk processing
  • Residual risk acceptance
  • Consultation with DPA (if required)

Privacy Notices

  • External privacy notices (website, apps)
  • Collection-specific notices
  • Employee privacy notices
  • Version history and updates

Data Subject Rights

  • Request handling procedures
  • Request logs and response records
  • Identity verification process
  • Response timeline compliance

Third-Party Agreements

  • Data processing agreements with processors
  • Joint controller arrangements
  • Data sharing agreements
  • Transfer mechanisms (SCCs, adequacy, etc.)

Processor-Specific Evidence

For organizations certified as PII Processors:

Controller Instructions

  • Documented processing instructions from controllers
  • Scope of processing permitted
  • Handling of instruction changes

Subprocessor Management

  • Subprocessor list
  • Authorization records from controllers
  • Subprocessor agreements
  • Due diligence assessments
  • Change notification records

Assistance to Controllers

  • Process for handling controller requests
  • Records of assistance provided
  • Data subject request forwarding

Data Return/Deletion

  • End-of-contract procedures
  • Data return records
  • Deletion certificates
  • Retention justification (if any)

Audit Preparation Tips

Organize Evidence by Clause

Create an evidence matrix that maps:

  • Each ISO 27701 requirement to the specific evidence that satisfies it
  • Each SoA control to its implementation evidence
  • Each item to its document location and owner

Ensure Currency

  • Documents reflect current practices
  • Records cover the audit period
  • Version control is maintained
  • Recent reviews are documented

Demonstrate Operation

  • Show processes are actually followed
  • Provide multiple instances of records
  • Be ready to walk through live processes
  • Identify staff who can speak to practices

Common Evidence Gaps

Auditors frequently find these missing:

  • Role determination analysis
  • Privacy risk assessment (separate from security)
  • Data subject request logs
  • Subprocessor authorization records
  • Privacy-specific training records
  • DPIA records for high-risk processing

Pre-Audit Checklist

Before your audit, verify:

  • All mandatory documents exist and are current
  • Records cover the required period
  • SoA includes all applicable Annex controls with implementation status
  • Internal audit covered privacy requirements
  • Management review addressed privacy performance
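The evidence matrix, currency checks and pre-audit checklist above can be run as a mechanical gap check before the auditor arrives. The script below is an added illustration, not part of the original page or of any ISO 27701 tooling: it takes an evidence matrix (requirement, document, location, owner, review date, record dates), a Statement of Applicability (control id to implementation status) and the certified roles, and reports the gap types the page lists (missing or stale mandatory documents, record sets with no instances inside the audit period, SoA controls without a status or a missing Annex for a role). All document names, paths, control ids and dates in `sample_matrix()` and `sample_soa()` are constructed sample data; the one-year review age is an assumed threshold, not a requirement of the standard.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Mandatory PIMS documents, as named in the "Mandatory Documents" section above.
MANDATORY_DOCUMENTS = (
    "PIMS scope and boundaries",
    "Controller/processor role determination",
    "Privacy policy",
    "Privacy risk assessment",
    "Statement of Applicability",
    "Privacy risk treatment plan",
)

# Which SoA Annex a certified role must cover (Annex A: controller, Annex B: processor).
ANNEX_FOR_ROLE = {"controller": "A", "processor": "B"}


@dataclass
class Evidence:
    """One row of the evidence matrix: a requirement mapped to its evidence."""
    requirement: str                      # requirement or document name
    document: str                         # document / record-set identifier
    location: str                         # where the auditor can find it
    owner: str                            # who can speak to it during the audit
    last_reviewed: Optional[date] = None  # last documented review (documents)
    is_record: bool = False               # True for record sets (logs, registers)
    record_dates: List[date] = field(default_factory=list)  # dated instances


def evidence_gaps(matrix, soa, roles, audit_start, audit_end, max_review_age_days=365):
    """Return human-readable gap findings; an empty list means no gaps were found."""
    gaps = []
    by_requirement = {e.requirement: e for e in matrix}

    # (1) every mandatory document exists, has an owner/location and a recent review
    for name in MANDATORY_DOCUMENTS:
        ev = by_requirement.get(name)
        if ev is None:
            gaps.append(f"missing mandatory document: {name}")
            continue
        if not ev.location or not ev.owner:
            gaps.append(f"{name}: no location/owner recorded")
        if ev.last_reviewed is None:
            gaps.append(f"{name}: no review date recorded")
        elif (audit_end - ev.last_reviewed).days > max_review_age_days:
            gaps.append(f"{name}: last review {ev.last_reviewed} is older than "
                        f"{max_review_age_days} days")

    # (2) every record set shows at least one instance dated inside the audit period
    for ev in matrix:
        if ev.is_record and not any(audit_start <= d <= audit_end for d in ev.record_dates):
            gaps.append(f"{ev.requirement}: no records dated within the audit period")

    # (3) the SoA covers the Annex for each certified role, with a status per control
    for role in roles:
        annex = ANNEX_FOR_ROLE[role]
        controls = {cid: st for cid, st in soa.items() if cid.startswith(annex + ".")}
        if not controls:
            gaps.append(f"SoA lists no Annex {annex} controls although role '{role}' is in scope")
        for cid, status in controls.items():
            if not status:
                gaps.append(f"SoA control {cid}: implementation status missing")
    return gaps


def sample_matrix():
    """Constructed sample evidence matrix with deliberate gaps (not real data)."""
    return [
        Evidence("PIMS scope and boundaries", "PIMS-SCOPE-01", "gov/pims/scope.docx", "CISO", date(2024, 2, 1)),
        Evidence("Controller/processor role determination", "ROLE-01", "gov/pims/roles.xlsx", "DPO", date(2024, 2, 1)),
        Evidence("Privacy policy", "POL-PRIV", "gov/policies/privacy.pdf", "DPO", date(2022, 11, 5)),  # stale
        Evidence("Privacy risk assessment", "RA-PRIV-2024", "risk/privacy-ra.xlsx", "Risk manager", date(2024, 3, 10)),
        Evidence("Statement of Applicability", "SOA-2024", "gov/soa.xlsx", "CISO", date(2024, 3, 12)),
        # "Privacy risk treatment plan" is deliberately absent
        Evidence("Data subject request log", "DSR-LOG", "privacy/dsr/", "Privacy ops",
                 is_record=True, record_dates=[date(2023, 5, 2)]),  # outside the audit period
        Evidence("Privacy training records", "TRN-PRIV", "hr/training/", "HR",
                 is_record=True, record_dates=[date(2024, 4, 15), date(2024, 7, 20)]),
    ]


def sample_soa():
    """Constructed sample SoA: control id -> implementation status (ids are placeholders)."""
    return {"A.7.2.1": "implemented", "A.7.3.1": "", "B.8.2.1": "implemented"}


def run_sample_check():
    """Run the gap check for a controller over the constructed 2024 audit period."""
    return evidence_gaps(sample_matrix(), sample_soa(), ("controller",),
                         date(2024, 1, 1), date(2024, 12, 31))


if __name__ == "__main__":
    for finding in run_sample_check():
        print("GAP:", finding)
```

Running the sample reports four findings: a stale privacy policy, the missing treatment plan, a data subject request log with no entries in the audit period, and an SoA control without an implementation status, which are four of the items the "Common Evidence Gaps" list says auditors most often find.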