Get instant access to our ISO 27701 Readiness Assessment Checklist
- ✓ PIMS Requirements
- ✓ Controller & Processor Controls
- ✓ GDPR Mapping
- ✓ Gap Analysis Template
Free for organizations pursuing ISO 27701
What's Included in This Checklist
Our ISO 27701 Readiness Assessment Checklist is designed to help organizations evaluate their privacy management practices against the requirements of ISO/IEC 27701:2019. Because ISO 27701 extends ISO 27001/27002, the checklist focuses specifically on the privacy controls that apply to PII controllers and PII processors.
ISO 27701 Control Categories
The checklist covers all key areas defined in ISO 27701:
PIMS-Specific Requirements
Privacy extensions to ISO 27001 clauses
- Context of the Organization
- Leadership & Planning
- Support & Operation
- Performance Evaluation
PII Controller Controls
Requirements for data controllers
- Conditions for Collection
- Obligations to PII Principals
- Privacy by Design
- PII Sharing & Transfer
PII Processor Controls
Requirements for data processors
- Customer Agreements
- Processing Legitimacy
- Sub-contractor Management
- Data Return & Disposal
GDPR Mapping
Alignment with EU regulations
- Legal Basis for Processing
- Data Subject Rights
- Cross-Border Transfers
- Breach Notification
Checklist Structure
Each control area in the checklist includes:
| Component | Description |
|---|---|
| Control Reference | ISO 27701 clause/annex reference |
| Control Question | Clear yes/no question about control implementation |
| Role Applicability | Whether the control applies to the Controller, the Processor, or both |
| Evidence Examples | Types of documentation auditors typically request |
| GDPR Article Mapping | Related GDPR requirements where applicable |
Sample Checklist Questions
Here's a preview of the types of questions included:
Annex A - PII Controller Controls
A.7.2.1 - Is the purpose for PII processing identified and documented before processing begins?
Evidence: Privacy notices, data processing registers, consent forms
A.7.3.1 - Is there a process for PII principals to access their personal data upon request?
Evidence: DSR procedures, response templates, tracking logs
Annex B - PII Processor Controls
B.8.2.1 - Are there documented agreements with customers specifying processing purposes?
Evidence: DPAs, service agreements, processing instructions
B.8.5.1 - Is PII returned or securely deleted at the end of the processing relationship?
Evidence: Data deletion procedures, certificates of destruction
How to Use This Checklist
Follow these five steps to effectively assess your ISO 27701 readiness:
Determine Your Role
Identify whether your organization acts as a PII Controller, PII Processor, or both. This determines which annexes and controls are applicable to your assessment.
Map Your Data Flows
Document all PII processing activities, including what data you collect, why, how it's used, where it's stored, and who it's shared with.
Conduct Gap Assessment
Work through each applicable control systematically. Leverage your existing ISO 27001 ISMS foundation to identify privacy-specific gaps.
Implement Privacy Controls
Address identified gaps by implementing privacy-specific policies, procedures, and technical controls. Ensure alignment with applicable regulations like GDPR.
Integrate with ISMS
Extend your ISO 27001 ISMS to include PIMS requirements. Update your Statement of Applicability and ensure privacy controls are integrated into your management system.
Template Specifications
| Specification | Detail |
|---|---|
| Format | |
| Controls Covered | PIMS requirements + Controller & Processor annexes |
| Prerequisites | ISO 27001 certification recommended |
| Standard Version | ISO/IEC 27701:2019 |
| Last Updated | November 2025 |
Ready to Assess Your ISO 27701 Readiness?
Download the complete checklist and start your privacy assessment today. Ideal for organizations extending their ISMS to include privacy management.