
ISO/IEC 27701

Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines

Organization: ISO/IEC Category: Privacy Management

Overview

Extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) on top of an existing ISMS. Annex D maps the standard's controls to GDPR articles, and a PIMS can be audited and certified as an extension of an ISO/IEC 27001 certificate. Note that such a certificate is not a GDPR Article 42 certification: it evidences that a management system and controls are in place, it does not by itself establish legal compliance.

Applicability

PII controllers and PII processors of any size or sector that operate (or are building) an ISO/IEC 27001 ISMS and want to extend it into a privacy information management system (PIMS), including as a structure for GDPR compliance. The standard presupposes ISO/IEC 27001; it cannot be implemented on its own.

Relevance to General Data Protection Regulation (GDPR)

The most widely used management-system standard for organising GDPR compliance: Annex D maps its controls to GDPR articles, and the PIMS can be certified together with the ISMS. It complements rather than replaces the Regulation's own requirements, and a certificate does not by itself demonstrate compliance to a supervisory authority.

Key Coverage Areas

1
Privacy Information Management System (PIMS)
2
PII controller obligations (GDPR Articles 5-11, 12-22, 24-43)
3
PII processor obligations (GDPR Article 28)
4
Data subject rights implementation
5
Privacy by design and by default
6
Data protection impact assessments (DPIAs)
7
Records of processing activities
8
Data breach notification
9
International data transfers
10
Consent management

Standard Sections & Chapters

5

PIMS-specific requirements related to ISO/IEC 27001 (extends clauses 4 to 10 of ISO/IEC 27001)

6

PIMS-specific guidance related to ISO/IEC 27002 (extends the ISO/IEC 27002 control guidance, e.g. 6.13 information security incident management)

7

Additional ISO/IEC 27002 guidance for PII controllers

8

Additional ISO/IEC 27002 guidance for PII processors

Annex A (A.7)

PIMS-specific reference control objectives and controls for PII controllers

Annex B (B.8)

PIMS-specific reference control objectives and controls for PII processors

Annex D

Mapping of ISO/IEC 27701 to the GDPR

Related General Data Protection Regulation (GDPR) Articles

Article 5: Principles relating to processing of personal data

Sections: 5, 7.2, 7.4, A.7.2, A.7.4

PIMS implementation of GDPR principles

Implementation Guidance:

Implement ISO 27701 PIMS with all controller controls to address lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality

Mapped Obligations:

  • Process personal data lawfully, fairly and transparently
  • Limit data collection to what is necessary (data minimization)
  • Keep personal data accurate and up-to-date
  • Implement appropriate security measures to protect data
  • Document and demonstrate compliance with all principles (accountability)

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

Sections: 7.3, A.7.3 (A.7.3.2, A.7.3.3, A.7.3.9)

Transparent information and communication with data subjects

Implementation Guidance:

Establish procedures for providing information and exercising data subject rights

Mapped Obligations:

  • Respond to data subject requests without undue delay and at the latest within one month of receipt (extendable by two further months for complex or numerous requests; the data subject must be told of the extension and its reasons within the first month)
  • Facilitate the exercise of data subject rights under Articles 15-22
  • Inform data subjects of reasons and appeal options if refusing to act on requests

Article 15: Right of access by the data subject

Sections: 7.3.6, 7.3.8, A.7.3.6, A.7.3.8

Right of access by data subject

Implementation Guidance:

Implement process for data subjects to obtain confirmation of processing and access to personal data

Mapped Obligations:

  • Confirm whether personal data is being processed when requested
  • Provide access to the personal data being processed
  • Inform about data subject rights (rectification, erasure, restriction, objection)

Article 17: Right to erasure (‘right to be forgotten’)

Sections: A.7.3.4, A.7.3.6, A.7.4.5

Right to erasure ("right to be forgotten")

Implementation Guidance:

Establish procedures for erasure requests including verification and deletion timelines

Mapped Obligations:

  • Erase personal data without undue delay when a ground in Article 17(1) applies: the data are no longer necessary, consent is withdrawn and no other lawful basis exists, the data subject objects, the processing is unlawful, erasure is required by law, or the data were collected from a child for information society services
  • Where the data were made public, take reasonable steps to inform other controllers processing them of the erasure request (Article 17(2))
  • Check the Article 17(3) exceptions (freedom of expression, legal obligation, public interest, archiving or research, legal claims) before acting, and record the outcome either way

Article 24: Responsibility of the controller

Sections: 5, 6, 7

Controller accountability and PIMS implementation

Implementation Guidance:

Establish and maintain PIMS demonstrating appropriate technical and organizational measures

Article 25: Data protection by design and by default

Sections: 7.4, A.7.4

Privacy by design and by default controls

Implementation Guidance:

Integrate privacy into system design and configure default settings for privacy protection

Mapped Obligations:

  • Build in data protection principles like data minimization from the start
  • Use techniques like pseudonymization to protect personal data
  • Ensure that by default personal data are not made accessible to an indefinite number of people without the individual's intervention (Article 25(2)), and that default settings collect and retain only what each specific purpose needs

Article 28: Processor

Sections: 8, A.7.2.6, B.8

PII processor obligations and controls

Implementation Guidance:

Processors must implement ISO 27701 processor controls and maintain appropriate records

Mapped Obligations:

  • Controllers must only use processors with sufficient guarantees for GDPR compliance
  • Processors need the controller's prior written authorisation (specific or general) before engaging sub-processors; under a general authorisation they must inform the controller of intended changes so it can object (Article 28(2))
  • Processors must only process data on documented instructions from the controller
  • Processors must ensure confidentiality of personnel handling personal data
  • Processors must implement security measures per Article 32
  • Processors must assist controllers with data subject rights requests
  • Processors must delete or return all data after services end
  • Processors must allow and contribute to compliance audits
  • Sub-processors must be bound by the same data protection obligations

Article 30: Records of processing activities

Sections: 7.2.8, 8.2.6, A.7.2.8, B.8.2.6

Records of processing activities (ROPA)

Implementation Guidance:

Maintain comprehensive records of all processing activities as required by GDPR

Mapped Obligations:

  • Controllers must maintain records containing: controller (and, where applicable, representative and DPO) details, processing purposes, data subject categories, personal data categories, recipient categories, international transfers and their safeguards, envisaged retention periods, and a general description of security measures
  • Processors must maintain records containing: processor and controller (and representative/DPO) details, categories of processing carried out for each controller, international transfers and their safeguards, and a general description of security measures
  • Records must be in writing (electronic form is fine) and made available to the supervisory authority on request; the Article 30(5) exemption for organisations with fewer than 250 employees does not apply where the processing is likely to result in a risk, is not occasional, or involves special-category or criminal-offence data

Article 32: Security of processing

Sections: 6, A.7.4.9, B.8.4.3

PII-specific security controls

Implementation Guidance:

Apply security controls specific to personal data processing

Mapped Obligations:

  • Implement technical and organizational security measures appropriate to the risk
  • Consider pseudonymization and encryption of personal data
  • Ensure ongoing confidentiality, integrity, availability and resilience of systems
  • Regularly test and evaluate security measures effectiveness
  • Ensure staff only process data on controller's instructions
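
Articles 25 and 32 both name pseudonymisation as a protective measure, and the PIMS controls on de-identification and deletion (A.7.4.5) and on erasure assume it is done properly. The following is an added example, not code from ISO/IEC 27701, from the page, or from any named product: it contrasts a bare SHA-256 of an identifier, which an attacker reverses with a list of plausible e-mail addresses, with an HMAC under a secret key held apart from the dataset. The sample records, the candidate list, the `PseudonymisationVault` class and its method names are constructed for illustration.

```python
"""Keyed pseudonymisation versus a bare hash of an identifier.

Added example; it is not code from ISO/IEC 27701 or from this page.
Sample records, the vault class and its method names are constructed for
illustration. Python 3.8+, standard library only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]
# Identifiers an attacker holding the pseudonymised dataset can plausibly guess.
CANDIDATE_EMAILS = ["carol@example.com", "alice@example.com", "bob@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and recomputable by anyone, so a list of
    plausible identifiers reverses it: no separately held 'additional
    information' (GDPR Art. 4(5)) is needed to re-link the token."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Without the key a guessed identifier
    cannot be turned into the token; the key is the separately held
    'additional information'."""
    msg = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates, pseudonym_fn) -> Optional[str]:
    """Re-identify `token` by recomputing the scheme over guessed identifiers.
    Returns the identifier on success, None if the scheme resisted."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), token):
            return cand
    return None


class PseudonymisationVault:
    """Keeps the key and the re-identification table apart from the dataset
    (a constructed design mirroring the 'kept separately' requirement)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of `record` with the e-mail replaced by a token."""
        token = keyed_pseudonym(record["email"], self._key)
        self._lookup[token] = record["email"]
        out = {k: v for k, v in record.items() if k != "email"}
        out["subject_id"] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)

    def erase_link(self, email: str) -> bool:
        """Erasure (Art. 17) of the attribution only: drop the table entry so
        rows carrying this token can no longer be linked to the person.
        While the key exists, anyone holding key *and* e-mail can still
        recompute the token, so full erasure also means deleting the rows
        or rotating the key."""
        token = keyed_pseudonym(email, self._key)
        return self._lookup.pop(token, None) is not None


def demo() -> dict:
    """Run both schemes over the sample data and return a summary."""
    alice = SAMPLE_RECORDS[0]["email"]
    # 1. Bare hash: the attacker's dictionary recovers the identifier.
    naive_hit = dictionary_attack(naive_pseudonym(alice), CANDIDATE_EMAILS, naive_pseudonym)
    # 2. Keyed scheme: the attacker guesses the right e-mails but lacks the key.
    vault = PseudonymisationVault()
    rows = [vault.pseudonymise(r) for r in SAMPLE_RECORDS]
    keyed_hit = dictionary_attack(
        rows[0]["subject_id"], CANDIDATE_EMAILS,
        lambda c: keyed_pseudonym(c, b"attacker-guess"))
    # 3. Legitimate re-identification, then erasure of the link.
    recovered = vault.reidentify(rows[0]["subject_id"])
    erased = vault.erase_link(alice)
    after_erase = vault.reidentify(rows[0]["subject_id"])
    return {
        "naive_reversed_to": naive_hit,
        "keyed_reversed_to": keyed_hit,
        "vault_reidentified": recovered,
        "erased": erased,
        "after_erase": after_erase,
        "pii_left_in_rows": any("email" in r for r in rows),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the summary: the naive token is reversed to the e-mail, the keyed token is not, and after `erase_link` the vault can no longer attribute the rows. The practical consequence for Article 32 is that the key must be stored and access-controlled separately from the pseudonymised data (e.g. in a KMS or HSM), otherwise the dataset is merely hashed, not pseudonymised.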

Article 33: Notification of a personal data breach to the supervisory authority

Sections: 6.13

Breach notification to authority procedures

Implementation Guidance:

Establish a breach assessment and notification process (building on ISO/IEC 27701 6.13, incident management) that can determine whether a breach is likely to result in a risk to individuals and reach the supervisory authority within 72 hours of becoming aware of it

Mapped Obligations:

  • Controllers must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a later notification must state the reasons for the delay
  • Processors must notify the controller without undue delay after becoming aware of a breach
  • Include the nature of the breach (categories and approximate numbers of data subjects and records), the DPO or other contact point, the likely consequences, and the measures taken or proposed; information may be provided in phases if it is not all available at once
  • Document every breach (facts, effects, remedial action), including those assessed as not notifiable, so the supervisory authority can verify compliance (Article 33(5))
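
The two clocks cited above (one month, extendable by two further months, for data subject requests under Article 12; 72 hours after awareness for Article 33 notifications) are easy to get wrong at month ends and across time zones. The following is an added example, not code from ISO/IEC 27701 or from this page: it computes both deadlines from a request date or an awareness timestamp. It assumes the convention that a period expressed in months ends on the same calendar day of the final month, or on that month's last day where no such day exists (the rule Regulation (EEC, Euratom) No 1182/71 applies to EU-law time limits); the function names and sample dates are constructed.

```python
"""Statutory deadline helpers for the Article 12 and Article 33 clocks.

Added example, not from ISO/IEC 27701 or this page. Assumption: a period in
months ends on the same calendar day of the last month, clamped to that
month's last day (Regulation (EEC, Euratom) No 1182/71 convention).
Standard library only.
"""
import calendar
from datetime import date, datetime, timedelta, timezone


def add_months(start: date, months: int) -> date:
    """Calendar-month addition with month-end clamping, e.g. 31 Jan + 1 month
    is 28/29 Feb, not 2/3 March."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def dsar_deadline(received: date, extension_months: int = 0) -> date:
    """Art. 12(3): answer within one month of receipt, extendable by up to two
    further months for complex or numerous requests. The extension itself
    must be communicated to the data subject within the first month."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two further months")
    return add_months(received, 1 + extension_months)


def extension_notice_deadline(received: date) -> date:
    """Latest date to tell the data subject that the response is extended."""
    return add_months(received, 1)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Art. 33(1): notify the supervisory authority not later than 72 hours
    after becoming aware. Requires a timezone-aware timestamp so the clock is
    not shifted by DST or by a server in another region."""
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("awareness timestamp must be timezone-aware")
    return aware_at + timedelta(hours=72)


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left (negative once the deadline has passed)."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample dates.
    req = date(2024, 1, 31)
    print("DSAR:", dsar_deadline(req), "extended:", dsar_deadline(req, 2))
    aware = datetime(2024, 3, 29, 14, 0, tzinfo=timezone.utc)
    print("Art. 33 deadline:", breach_notification_deadline(aware).isoformat())
```

Two checks worth building into a ticketing integration: reject extensions beyond two further months, and refuse naive (timezone-less) awareness timestamps, since an incident logged in local time on a server set to UTC silently moves the 72-hour deadline.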

Article 34: Communication of a personal data breach to the data subject

Sections: 6.13

Breach notification to data subjects

Implementation Guidance:

Establish procedures for timely communication to affected individuals when high risk exists

Mapped Obligations:

  • Communicate the breach to affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms
  • Use clear and plain language and include at least the DPO or contact point, the likely consequences, and the measures taken or proposed
  • Communication is not required where the affected data were rendered unintelligible to unauthorised persons (e.g. by encryption), where subsequent measures mean the high risk is no longer likely, or where individual notice would involve disproportionate effort and a public communication is made instead; the supervisory authority may nevertheless require it (Article 34(3)-(4))

Article 35: Data protection impact assessment

Sections: 7.2.5, A.7.2.5

DPIA integration in PIMS

Implementation Guidance:

Integrate DPIA process into privacy information management system

Mapped Obligations:

  • Conduct a Data Protection Impact Assessment (DPIA) before high-risk processing activities
  • Perform a DPIA at least in the Article 35(3) cases: systematic and extensive evaluation based on automated processing (including profiling) with legal or similarly significant effects; large-scale processing of special-category or criminal-offence data; systematic large-scale monitoring of publicly accessible areas
  • Follow supervisory authority lists of processing requiring or not requiring DPIAs
  • Seek views of data subjects or their representatives where appropriate
  • Review and update the DPIA when risks change
  • Consult the supervisory authority before starting the processing if the DPIA shows a residual high risk that cannot be mitigated (Article 36)

Article 37: Designation of the data protection officer

Sections: 5.3, 6.3.1.1

DPO designation and responsibilities

Implementation Guidance:

Designate DPO with appropriate expertise and independence

Mapped Obligations:

  • Designate a DPO if you are a public authority or body, if your core activities require regular and systematic large-scale monitoring of data subjects, or if your core activities consist of large-scale processing of special-category or criminal-offence data (Article 37(1))
  • Publish the DPO's contact details and communicate them to the supervisory authority (Article 37(7))

Article 44: General principle for transfers

Sections: 7.5, 8.5, A.7.5, B.8.5

International data transfer controls

Implementation Guidance:

Implement controls for transfers to third countries or international organisations: identify the Chapter V basis for each transfer (an adequacy decision under Article 45, appropriate safeguards such as standard contractual clauses or binding corporate rules under Article 46, or a specific-situation derogation under Article 49), record the destination and the basis, and assess whether the destination's law undermines the chosen safeguards (a transfer impact assessment) before relying on them

Mapped Obligations:

  • Apply transfer rules to any onward transfers (when data moves from one third country to another)
  • Both controllers and processors must comply with transfer requirements

Article 83: General conditions for imposing administrative fines

Sections: 5, 6, 7, 8, A, B

Comprehensive PIMS to demonstrate compliance and mitigate exposure to fines

Implementation Guidance:

Implement and maintain an ISO 27701 PIMS so that, if a breach or complaint is investigated, the organisation can evidence the technical and organisational measures, the degree of responsibility and cooperation, and any codes of conduct or certifications that Article 83(2) lists as factors in setting a fine. A PIMS certificate is not an Article 42 certification and does not exempt the organisation from fines.

Quick Information

Organization
ISO/IEC
Category
Privacy Management
Certification
Available, as an extension of an ISO/IEC 27001 certification
