ISO 27701
Privacy Information Management System (PIMS) extension to ISO 27001.
Overview
ISO/IEC 27701 is an international standard that provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002.
The standard helps organizations manage privacy risks related to personally identifiable information (PII) and supports demonstrating compliance with global privacy regulations such as GDPR.
ISO 27701 specifies requirements and provides guidance for PII controllers and PII processors, supporting the integration of privacy controls into an existing information security management system (ISMS).
Key Requirements
- Establish and maintain a Privacy Information Management System (PIMS) integrated with ISMS
- Define roles and responsibilities for PII controllers and processors
- Conduct privacy risk assessments and implement risk treatment plans
- Develop and enforce privacy policies and procedures
- Implement controls for data subject rights, consent, and data minimization
- Ensure secure processing, transfer, and deletion of PII
- Maintain incident response and breach notification processes for privacy events
Standard Details
- Governing Body: International Organization for Standardization (ISO)
- Current Version: ISO/IEC 27701:2019
- Type: Extension Standard to ISO/IEC 27001
- Scope: PII controllers and processors
- Relation to Other Standards: Extension to ISO/IEC 27001 and ISO/IEC 27002
Who Should Use It
- Organizations seeking to demonstrate privacy compliance (GDPR, CCPA, etc.)
- PII controllers and processors in any industry
- Enterprises with existing ISO 27001 certification
- IT, legal, and compliance teams managing privacy risk
- Cloud service providers handling PII
ISO 27701 Readiness Assessment
Comprehensive evaluation of your privacy management posture against ISO 27701 requirements to identify gaps and develop a remediation plan.
PIMS Policy and Procedure Development
Creation of tailored privacy policies and procedures aligned with ISO 27701 and your business operations.
Privacy Risk Assessment and Control Implementation
Support for identifying, assessing, and mitigating privacy risks in line with ISO 27701.
Data Subject Rights Management
Implementation of processes and tools to manage data subject requests and preferences.
Incident Response and Breach Notification Planning
Development of incident response and breach notification processes for privacy events.