Standard Structure Overview
ISO 27701 is organized into eight main clauses plus six annexes. Understanding this structure helps you navigate the requirements efficiently:
| Section | Title | Type |
|---|---|---|
| Clauses 1-4 | Scope, References, Terms, General | Introductory |
| Clause 5 | PIMS-specific requirements (extending ISO 27001) | Mandatory |
| Clause 6 | PIMS-specific guidance (extending ISO 27002) | Guidance |
| Clause 7 | Additional guidance for PII Controllers | Mandatory for controllers |
| Clause 8 | Additional guidance for PII Processors | Mandatory for processors |
| Annex A | PIMS controls for PII Controllers | Control objectives |
| Annex B | PIMS controls for PII Processors | Control objectives |
| Annexes C-F | Mappings and application guidance | Informative |
Mandatory vs Guidance
Understanding which requirements are mandatory is crucial for implementation:
Mandatory Requirements (SHALL)
When ISO 27701 uses "shall," the requirement is mandatory:
- Clause 5 requirements extending ISO 27001
- Clause 7 requirements for PII Controllers
- Clause 8 requirements for PII Processors
- Annex A controls (for controllers), unless exclusion is justified in the Statement of Applicability
- Annex B controls (for processors), unless exclusion is justified in the Statement of Applicability
Guidance (SHOULD)
When ISO 27701 uses "should," it's guidance:
- Clause 6 guidance extending ISO 27002
- Implementation suggestions throughout
- Best practice recommendations
Auditors assess conformity against "shall" requirements. "Should" items count as good practice: significant deviation from them may be raised as an observation, but only a failure to meet a "shall" requirement can be recorded as a nonconformity.
Clause 5: PIMS-Specific Requirements
Clause 5 extends ISO 27001 clauses 4-10 with privacy-specific considerations:
5.2 Context (extending Clause 4)
- 5.2.1: Determine applicable privacy legislation and regulations
- 5.2.2: Determine PII controller and/or processor roles
- 5.2.3: Determine PIMS scope aligned with ISMS scope
- 5.2.4: Establish PIMS integrated with or extending ISMS
5.3 Leadership (extending Clause 5)
- 5.3.1: Top management privacy commitment
- 5.3.2: Privacy policy addressing processing principles
- 5.3.3: Privacy roles and responsibilities defined
5.4 Planning (extending Clause 6)
- 5.4.1: Privacy risk assessment considering PII processing
- 5.4.2: Privacy objectives measurable and communicated
5.5 Support (extending Clause 7)
- 5.5.1: Privacy competence requirements
- 5.5.2: Privacy awareness for personnel
- 5.5.3: Privacy communication processes
- 5.5.4: Privacy documented information
5.6 Operation (extending Clause 8)
- 5.6.1: Operational planning for privacy
- 5.6.2: Privacy risk assessment execution
- 5.6.3: Privacy risk treatment implementation
5.7 Performance (extending Clause 9)
- 5.7.1: Privacy monitoring and measurement
- 5.7.2: Privacy internal audit program
- 5.7.3: Privacy management review inputs/outputs
5.8 Improvement (extending Clause 10)
- 5.8.1: Privacy nonconformity and corrective action
- 5.8.2: Privacy continual improvement
Clause 6: ISO 27002 Extension Guidance
Clause 6 provides privacy-specific implementation guidance for ISO 27002 controls. It covers each control domain with additional considerations for PII protection:
Key Areas of Guidance
- 6.5 Information Security Policies: Include privacy policy requirements
- 6.6 Organization: Privacy roles, segregation of duties for PII
- 6.7 HR Security: Privacy awareness, confidentiality agreements
- 6.8 Asset Management: PII asset inventory, classification
- 6.9 Access Control: Access to PII systems and data
- 6.10 Cryptography: Encryption of PII at rest and in transit
- 6.11 Physical Security: Physical protection of PII processing facilities
- 6.12 Operations Security: Secure handling of PII in operations
- 6.13 Communications Security: PII transfer security
- 6.14 System Development: Privacy by design in development
- 6.15 Supplier Relationships: PII processor management
- 6.16 Incident Management: Privacy incident handling
- 6.17 Business Continuity: PII availability requirements
- 6.18 Compliance: Privacy regulatory compliance
Clause 7: PII Controller Requirements
Clause 7 contains requirements specific to organizations acting as PII Controllers. These are mandatory for controller certification:
7.2 Conditions for Collection and Processing
- 7.2.1 Identify and document purpose: Document specific, explicit, legitimate purposes
- 7.2.2 Identify lawful basis: Determine and document legal basis for each processing activity
- 7.2.3 Determine when consent required: Identify where consent is the lawful basis
- 7.2.4 Obtain and record consent: Consent mechanisms and records
- 7.2.5 Privacy impact assessment: Conduct PIAs for high-risk processing
- 7.2.6 Contracts with processors: Documented processing agreements
- 7.2.7 Joint controller: Arrangements for joint controllership
- 7.2.8 Records of processing: Maintain processing records
7.3 Obligations to PII Principals (Data Subjects)
- 7.3.1 Determine obligations: Identify data subject rights requirements
- 7.3.2 Determine information to provide: Privacy notice content
- 7.3.3 Provide information: Deliver privacy notices effectively
- 7.3.4 Provide mechanism for rights: Enable rights exercise
- 7.3.5 Provide mechanism to withdraw consent: Consent withdrawal process
- 7.3.6 Access: Right of access mechanism
- 7.3.7 Rectification: Right to correction
- 7.3.8 Erasure: Right to deletion
- 7.3.9 Processing constraints: Objection and restriction rights
- 7.3.10 Data portability: Portability mechanism where applicable
7.4 Privacy by Design and Default
- 7.4.1 Limit collection: Data minimization at collection
- 7.4.2 Limit processing: Purpose limitation enforcement
- 7.4.3 Accuracy: Data accuracy maintenance
- 7.4.4 Minimization objectives: Storage limitation
- 7.4.5 De-identification: Anonymization and pseudonymization
- 7.4.6 Temporary files: Secure handling of temporary data
- 7.4.7 Retention: Retention and disposal
- 7.4.8 Disposal: Secure destruction
- 7.4.9 Transmission controls: Transfer security
7.5 PII Sharing, Transfer and Disclosure
- 7.5.1 Identify basis for transfer: Legal mechanism for transfers
- 7.5.2 Countries and organizations: Document transfer destinations
- 7.5.3 Records of disclosure: Maintain disclosure records
- 7.5.4 Notification of requests: Law enforcement requests
Clause 8: PII Processor Requirements
Clause 8 contains requirements specific to organizations acting as PII Processors. These are mandatory for processor certification:
8.2 Conditions for Collection and Processing
- 8.2.1 Customer agreement: Documented processing instructions
- 8.2.2 Organization's purposes: Define own legitimate processing purposes
- 8.2.3 Marketing and advertising: Restrictions on using PII for marketing
- 8.2.4 Infringing instructions: Handling potentially unlawful instructions
- 8.2.5 Customer obligations: Assist controller obligations
- 8.2.6 Records: Maintain processing records
8.3 Obligations to PII Principals
- 8.3.1 Obligations to principals: Assist controller with data subject rights
8.4 Privacy by Design and Default
- 8.4.1 Temporary files: Secure handling of temporary data
- 8.4.2 Return, transfer, disposal: End of processing handling
- 8.4.3 Transmission controls: Transfer security
8.5 PII Sharing, Transfer and Disclosure
- 8.5.1 Basis for transfer: Legal mechanism for processor transfers
- 8.5.2 Countries and organizations: Document subprocessor locations
- 8.5.3 Disclosure to third parties: Subprocessor management
- 8.5.4 Disclosure requests: Notify controller of legal requests
- 8.5.5 Legally binding disclosures: Handle mandatory disclosures
- 8.5.6 Disclosure of subcontractors: Subprocessor transparency
- 8.5.7 Engagement of subcontractors: Subprocessor authorization and contracts
- 8.5.8 Change of subcontractor: Notification of subprocessor changes
Annexes A and B: Control Objectives
The annexes provide the control framework for the Statement of Applicability:
Annex A: PII Controller Controls
31 control objectives organized into categories:
- A.7.2: Conditions for collection and processing (8 controls)
- A.7.3: Obligations to PII principals (10 controls)
- A.7.4: Privacy by design and default (9 controls)
- A.7.5: PII sharing, transfer and disclosure (4 controls)
Annex B: PII Processor Controls
18 control objectives organized into categories:
- B.8.2: Conditions for collection and processing (6 controls)
- B.8.3: Obligations to PII principals (1 control)
- B.8.4: Privacy by design and default (3 controls)
- B.8.5: PII sharing, transfer and disclosure (8 controls)
Your PIMS Statement of Applicability must include Annex A controls (if controller), Annex B controls (if processor), or both (if dual role). Each control must be included with implementation status or justified exclusion.
Required Documentation
ISO 27701 requires specific documented information:
Mandatory Documents
- PIMS Scope: Boundaries, roles, processing activities
- Privacy Policy: Top management commitment and direction
- Role Determination: Controller/processor analysis
- Privacy Risk Assessment: Methodology and results
- Statement of Applicability: Annex A/B controls with justifications
- Privacy Risk Treatment Plan: Actions for unacceptable risks
- Processing Records: Records of processing activities in the style of GDPR Article 30
Mandatory Records
- Privacy training and awareness records
- Privacy internal audit results
- Management review records (privacy inputs/outputs)
- Nonconformity and corrective action records
- Consent records (if applicable)
- Data subject request records
- Privacy incident records
- Third-party agreements
Controller-Specific Documentation
- Lawful basis determination records
- Privacy Impact Assessment records
- Privacy notices
- Consent mechanisms documentation
- Data subject rights procedures
- Transfer impact assessments (where applicable)
Processor-Specific Documentation
- Processing instructions from controllers
- Subprocessor agreements
- Subprocessor due diligence records
- Data return/deletion procedures