ISO/IEC 27701
Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
Overview
Extends ISO 27001 and ISO 27002 with specific requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). Maps directly to GDPR requirements and provides a certifiable framework for privacy compliance.
Applicability
Privacy information management systems (PIMS) for GDPR compliance
Relevance to Digital Services Act (DSA)
Key Coverage Areas
Standard Sections & Chapters
PIMS-specific requirements (extends ISO 27001 clause 5)
PIMS-specific guidance for PII controllers
PIMS-specific guidance for PII processors
PII controller controls (mapping to GDPR)
PII processor controls (mapping to GDPR)
Related Digital Services Act (DSA) Articles
Article 14: Terms and conditions
Transparency and accountability in policy communication
Implementation Guidance:
Ensure terms and conditions comply with privacy and transparency requirements
Mapped Obligations:
- Describe content moderation methods (algorithms, human review) and complaint procedures
Article 15: Transparency reporting obligations for providers of intermediary services
Transparency and records of processing
Implementation Guidance:
Implement transparent reporting mechanisms per ISO 27701
Mapped Obligations:
- Publish annual transparency reports in machine-readable format
- Report complaint handling metrics including processing times and decisions
Article 16: Notice and action mechanisms
Data subject requests and complaints
Implementation Guidance:
Handle user complaints with privacy compliance
Mapped Obligations:
- Implement user-friendly electronic reporting mechanisms for illegal content
Article 17: Statement of reasons
Transparency and explanation of decisions
Implementation Guidance:
Provide clear reasoning for content moderation decisions
Article 24: Transparency reporting obligations for providers of online platforms
Identity verification and data collection
Implementation Guidance:
Verify trader identities while maintaining privacy compliance
Mapped Obligations:
- Report all account suspensions categorized by reason (illegal content, false notices, false complaints)
- Ensure no personal data is included in any submitted information
Article 27: Recommender system transparency
Transparency in algorithmic decision-making
Implementation Guidance:
Provide transparency about recommender system parameters and logic
Article 28: Online protection of minors
Consent and transparency for advertising
Implementation Guidance:
Ensure advertising complies with privacy and transparency requirements
Mapped Obligations:
- Implement appropriate and proportionate measures for high level of privacy, safety, and security for minors
- Must not use personal data profiling for advertising to known minors
- Comply without processing additional personal data to determine if users are minors
Article 33: Very large online platforms and very large online search engines
User-friendly design and transparency
Implementation Guidance:
Design interfaces with privacy by design principles
Mapped Obligations:
- Maintain transparency about monthly active user counts for ongoing designation assessment
Article 37: Independent audit
Privacy audits
Implementation Guidance:
Include privacy compliance in audit scope
Mapped Obligations:
- Maintain confidentiality while enabling transparency reporting
Article 42: Transparency reporting obligations
Enhanced transparency and reporting
Implementation Guidance:
Publish comprehensive transparency reports meeting DSA requirements
Mapped Obligations:
- Publish transparency reports within 2 months of designation and then every 6 months
Quick Information
- Organization: ISO/IEC
- Category: Privacy Management
- Certification: ✓ Available