Why Scope Matters
Defining the right PIMS scope is one of the most critical decisions in ISO 27701 implementation. A well-defined scope:
- Focuses certification on what matters: Covers the processing activities that represent privacy risk
- Manages implementation effort: Avoids over-extending controls to areas without privacy relevance
- Enables meaningful certification: Produces a certificate statement that customers can rely on
- Supports compliance claims: Aligns with regulatory requirements for specific data types
Unlike an ISMS, whose scope can sometimes be drawn narrowly around a set of systems or sites, a PIMS scope should follow the data flows. Wherever PII crosses a scope boundary (into a subprocessor, another business unit, or a system outside the ISMS), the PIMS must document that interface and the controls that apply at it.
Aligning with ISMS Scope
Since ISO 27701 extends ISO 27001, your PIMS scope must align with your ISMS scope:
Scope Relationship Options
| Option | Description | When Appropriate |
|---|---|---|
| PIMS = ISMS | Privacy scope matches information security scope exactly | All ISMS-scoped activities involve PII processing |
| PIMS subset of ISMS | Privacy scope covers only part of ISMS scope | Some ISMS activities don't involve PII |
| PIMS extends ISMS | Privacy scope requires ISMS expansion | PII processing occurs outside current ISMS scope |
The most common scenario is PIMS as a subset of ISMS: organizations often hold ISO 27001 across their IT services, but only some of those services process personal data and so need ISO 27701 coverage. The PIMS can never be wider than the ISMS, because ISO 27701 is certified only as an extension of an ISO 27001 ISMS. If PII processing happens outside the current ISMS boundary, the ISMS scope has to be extended first (the third row of the table), or that processing has to be excluded with a documented rationale.
Processing Activities
The core of PIMS scope is defining which processing activities are covered:
Processing Inventory
Document each processing activity with:
- Activity Name: What processing takes place (e.g., "Customer onboarding")
- Purpose: Why the processing occurs
- Data Categories: Types of PII involved
- Data Subjects: Whose data is processed
- Legal Basis: Controller's lawful ground (if controller)
- Systems: Technology supporting the processing
- Recipients: Who receives the data
- Transfers: Cross-border flows
- Retention: How long data is kept
Scope Decisions
For each processing activity, decide:
- Is it in scope for ISO 27701 certification?
- Are you acting as controller or processor?
- Which ISO 27701 controls apply: Annex A (PII controller-specific) and/or Annex B (PII processor-specific), in addition to the extended ISO 27001/27002 controls?
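The inventory fields and scope decisions above are easy to keep consistent for ten activities and hard for two hundred. The following is an added example (not code from the original page or from any ISO toolkit) of the kind of script a privacy engineer would run over an exported processing register to catch the scope problems this guide warns about: special category data in scope without a DPIA, controller activities with no legal basis, in-scope activities that rely on systems outside the ISMS boundary, and cross-border transfers with no mechanism. It also classifies the PIMS/ISMS relationship from the table above. The field names, the special category labels, the sample inventory and the use of "systems covered" as a proxy for scope comparison are all assumptions of this example.

```python
"""Scope-consistency checks over a PIMS processing inventory.

Illustrative example only: the schema, category labels and sample
register below are constructed for this page, not taken from any standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Special categories named in the guide; the labels are this example's own convention.
SPECIAL_CATEGORIES = {
    "health", "biometric", "genetic", "racial_ethnic", "religious",
    "political", "sexual_orientation", "trade_union",
}


@dataclass
class Transfer:
    origin: str                       # country code of the exporting location
    destination: str                  # country code of the importing location
    mechanism: str | None = None      # "adequacy", "SCCs", "BCRs", "derogation", or None


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    role: str                         # "controller" or "processor"
    data_categories: set[str]
    data_subjects: set[str]
    systems: set[str]                 # system identifiers; compared against the ISMS scope
    recipients: set[str] = field(default_factory=set)
    transfers: list[Transfer] = field(default_factory=list)
    retention: str = ""
    legal_basis: str | None = None    # required when role == "controller"
    in_pims_scope: bool = True
    dpia_completed: bool = False


def check_activity(act: ProcessingActivity, isms_systems: set[str]) -> list[str]:
    """Return human-readable findings for one inventory entry."""
    findings: list[str] = []
    if act.role not in ("controller", "processor"):
        findings.append(f"{act.name}: role must be 'controller' or 'processor'")
    if act.role == "controller" and not act.legal_basis:
        findings.append(f"{act.name}: controller activity has no legal basis recorded")
    if not act.data_categories:
        # An activity with no PII is a candidate exclusion, not a PIMS activity.
        if act.in_pims_scope:
            findings.append(f"{act.name}: in scope but lists no PII categories (candidate exclusion)")
        return findings
    special = act.data_categories & SPECIAL_CATEGORIES
    if act.in_pims_scope and special and not act.dpia_completed:
        findings.append(f"{act.name}: special category data {sorted(special)} in scope without a DPIA")
    outside = act.systems - isms_systems
    if act.in_pims_scope and outside:
        findings.append(
            f"{act.name}: relies on systems outside the ISMS scope {sorted(outside)}; "
            "extend the ISMS or document the exclusion"
        )
    for t in act.transfers:
        if t.origin != t.destination and not t.mechanism:
            findings.append(f"{act.name}: transfer {t.origin}->{t.destination} has no transfer mechanism documented")
    if not act.retention:
        findings.append(f"{act.name}: retention period not documented")
    return findings


def scope_relationship(activities: list[ProcessingActivity], isms_systems: set[str]) -> str:
    """Classify the PIMS/ISMS relationship by comparing the systems each covers (a proxy; assumption of this example)."""
    pims_systems: set[str] = set().union(*(a.systems for a in activities if a.in_pims_scope))
    if not pims_systems <= isms_systems:
        return "PIMS extends ISMS"
    if pims_systems == isms_systems:
        return "PIMS = ISMS"
    return "PIMS subset of ISMS"


def review_inventory(activities: list[ProcessingActivity], isms_systems: set[str]) -> list[str]:
    findings: list[str] = []
    for a in activities:
        findings.extend(check_activity(a, isms_systems))
    return findings


# Constructed sample data: three activities and an ISMS boundary of three systems.
ISMS_SYSTEMS = {"crm", "hris", "platform-eu"}
SAMPLE_INVENTORY = [
    ProcessingActivity(
        name="Customer onboarding", purpose="Provision platform accounts", role="processor",
        data_categories={"identifiers", "technical"}, data_subjects={"customers"},
        systems={"platform-eu"}, recipients={"support"}, retention="contract + 1y",
    ),
    ProcessingActivity(
        name="Employee occupational health", purpose="Statutory health checks", role="controller",
        data_categories={"identifiers", "health"}, data_subjects={"employees"},
        systems={"hris", "oh-vendor-portal"}, retention="employment + 6y",
        legal_basis="legal obligation", transfers=[Transfer("DE", "US")],
    ),
    ProcessingActivity(
        name="Anonymised product telemetry", purpose="Capacity planning", role="controller",
        data_categories=set(), data_subjects=set(), systems={"metrics"},
        legal_basis="legitimate interest", retention="90d", in_pims_scope=False,
    ),
]

if __name__ == "__main__":
    for line in review_inventory(SAMPLE_INVENTORY, ISMS_SYSTEMS):
        print("FINDING:", line)
    print("Relationship:", scope_relationship(SAMPLE_INVENTORY, ISMS_SYSTEMS))
```

On the sample register the script reports three findings, all against the occupational health activity (health data without a DPIA, a vendor portal outside the ISMS, and a DE to US transfer with no mechanism), and classifies the relationship as "PIMS extends ISMS" because that portal sits outside the ISMS boundary. Bringing the portal into the ISMS scope turns the result into "PIMS subset of ISMS", which is exactly the decision the table above asks you to make explicitly.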
PII Types and Categories
Define what types of personal data your PIMS covers:
Common PII Categories
- Identifiers: Name, email, phone, address, ID numbers
- Financial: Payment details, bank accounts, transaction history
- Employment: Job title, salary, performance data
- Technical: IP addresses, device IDs, cookies
- Behavioral: Usage patterns, preferences, interactions
- Health: Medical records, health conditions (special category)
- Biometric: Fingerprints, facial recognition data
Data Subject Categories
Identify whose data you process:
- Customers/End users
- Employees
- Job applicants
- Contractors/Suppliers
- Website visitors
- Business contacts
If your scope includes special category data (health, biometric, genetic, racial/ethnic origin, religious or philosophical belief, political opinion, sexual orientation, trade union membership), additional controls apply and a DPIA is usually required. Decide deliberately whether all special category processing needs to be in scope, and record the rationale either way.
Products and Services
Clearly define which products and services are covered:
Product Scope Considerations
- Customer-Facing Products: Which products process customer PII?
- Internal Systems: HR, finance, CRM that process employee/contact data
- Development/Test: Do development environments contain real PII?
- Support Services: Helpdesk, customer support functions
- Analytics: Business intelligence, product analytics
Product Exclusion Rationale
Products might be excluded if:
- They don't process PII (purely technical services)
- PII is irreversibly anonymized before reaching the product (pseudonymized or hashed data is still PII and does not qualify)
- They're in pilot/beta and do not yet process real PII
- They're legacy systems being decommissioned
Locations and Data Residency
Physical and logical locations where PII is processed:
Location Types
- Office Locations: Where staff access/process PII
- Data Centers: Where PII is stored
- Cloud Regions: AWS, Azure, GCP regions used
- Remote Work: Employee home locations
- Third-Party Sites: Subprocessor locations
Cross-Border Transfers
Document transfers between jurisdictions:
- Transfer origin and destination countries
- Transfer mechanism (adequacy decision, SCCs, BCRs, or a documented derogation such as explicit consent)
- Additional safeguards applied
- Transfer impact assessments (TIAs) where required
Data Residency Requirements
Consider regulatory requirements for data location:
- EU data staying within EEA
- Industry-specific requirements (e.g., healthcare in certain jurisdictions)
- Customer contractual requirements
- Government data localization rules
Subprocessors and Third Parties
How to handle third parties in your PIMS scope:
Subprocessor Identification
List all subprocessors who process PII on your behalf:
- Cloud infrastructure (AWS, Azure, GCP)
- SaaS tools (CRM, email, analytics)
- Payment processors
- Support service providers
- Development/testing contractors
Scope Approach for Subprocessors
| Approach | Description | Implication |
|---|---|---|
| In Scope | Subprocessor activities covered by your PIMS | Must demonstrate control over subprocessor |
| Carved Out | Subprocessor excluded, interface documented | Certificate notes exclusion, customer due diligence required |
| Rely on Certification | Subprocessor has own ISO 27701 | Document reliance, verify certificate scope alignment |
If you carve out subprocessors, your certificate scope statement will reference this, and customers will need to perform their own due diligence on the carved-out parties. Generally, fewer carve-outs mean stronger customer assurance.
Controller vs Processor Scope
Your scope must clearly state your role(s):
Controller Scope
When you determine purposes and means of processing:
- Employee data (you're the controller)
- Customer data for your own services
- Marketing and sales data
- Business contact data
Processor Scope
When you process on behalf of others:
- Customer data you host/process for clients
- SaaS platform data belonging to customers
- Managed service data
Dual Role
Many organizations act as both:
- Controller for: Employee data, business operations
- Processor for: Customer data in products/services
Your certificate scope statement should specify: "Acting as PII Controller and/or PII Processor for [specified activities]"
Valid Exclusions
ISO 27701 allows certain exclusions, but they must be justified:
Legitimate Exclusions
- No PII Processing: Business units or activities that don't handle personal data
- Anonymized Data Only: Activities using fully anonymized datasets
- Third-Party Responsibility: Processing fully controlled by another party
- Out of Regulatory Scope: Processing not subject to privacy regulations
Invalid Exclusions
- Excluding processing just because it's difficult to control
- Excluding high-risk processing to avoid controls
- Excluding processing that's obviously relevant to customers
- Excluding controls that are "too hard" to implement
Auditors will scrutinize exclusions carefully. Each must be justified with clear rationale. If exclusions undermine the integrity of your privacy claims, certification may be affected.
Documenting Scope
Your scope documentation should include:
Scope Statement Elements
- Organization Identity: Legal entity name and registration
- Relationship to ISMS: How PIMS relates to ISO 27001 scope
- Processing Activities: What processing is covered
- PII Categories: Types of personal data
- Data Subjects: Whose data
- Roles: Controller and/or processor
- Products/Services: What's covered
- Locations: Where processing occurs
- Exclusions: What's not covered and why
- Interfaces: Boundaries and handoffs
Example Scope Statement
"The Privacy Information Management System (PIMS) of [Company Name] covers the processing of personal information as a PII Processor for the provision of [Product/Service Name] cloud platform services to enterprise customers, and as a PII Controller for employee and business contact data supporting those services. Processing occurs at [Location] with data hosted in [Cloud Region]. Subprocessors include [List] under documented agreements. The PIMS operates as an extension to the ISO 27001:2022 certified ISMS (Certificate #XXX)."