ISO/IEC 27701 Privacy Information Management System

ISO/IEC 27701:2019 is a certifiable extension to ISO 27001 and ISO 27002, providing guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).

The ISO/IEC 27701 Privacy Information Management Systems Standard is applicable to all organisations, including public and private companies, government entities and not-for-profit organisations, that control or process personally identifiable information (PII).

As the leading provider of information security certification in Australia, Intertek SAI Global is positioned to help you achieve your privacy certification objectives. Our national network of expert auditors combined with our industry-leading customer service teams ensures you understand what your audit involves, and how to prepare.

Key Benefits of ISO/IEC 27701 Certification

Some of the key benefits to organisations that certify to ISO 27701:2019 include: building trust with stakeholders in your ability to manage personal information; meeting compliance requirements with privacy regulations; and creating business agreement opportunities with clear roles and responsibilities defined.

Build Trust in Managing Personal Information

Certification to ISO/IEC 27701 demonstrates your organisation's ability to meet international industry benchmarks in managing data privacy requirements. This compliance enhances your organisation's reputation as a trusted partner with customers and stakeholders.

Meet Regulatory Requirements

The ISO/IEC 27701 standard supports compliance with data privacy regulations specific to your organisation. By certifying to ISO 27701, you can demonstrate your ability to meet commercial, contractual, legal and regulatory requirements.

Drive Business Opportunities

ISO/IEC 27701 provides clear guidance on roles and responsibilities for Personally Identifiable Information (PII) Controllers and Processors, and what is required to protect privacy. This compliance helps facilitate clear business agreements, ensuring the customer is protected.

What Is ISO/IEC 27701:2019?

ISO/IEC 27701:2019 is the internationally benchmarked standard for Privacy Information Management Systems (PIMS) and provides guidance on policies and procedures needed to comply with data protection and privacy regulations.

Developed by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), the full name of this standard is “ISO/IEC 27701:2019 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.”

Designed to be implemented with ISO 27001 or added to an existing ISO 27001 Information Security Management System, ISO 27701 provides guidance for protecting data privacy. It takes into account the privacy protections required for controlling or processing personally identifiable information (PII), and ensures that the PII your processes and systems collect and retain is limited to what is necessary for the stated purpose of the processing.

Intertek SAI Global is the largest JAS-ANZ accredited Certification Body to deliver ISO/IEC 27001 certification. This means that Intertek SAI Global’s processes, systems and auditors are rigorously assessed to ensure you receive the best in customer support and delivery.

Clauses 1-3: Scope, Normative References, Terms and Definitions

Clauses 1-3 of the ISO/IEC 27701:2019 standard set out the scope of the standard, which specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). They also list the normative references used in the standard, as well as the terms, definitions and abbreviations that apply.

Clause 4: General

Clause 4 of ISO/IEC 27701:2019 provides the structure of the standard. It shows the location of PIMS-specific requirements and controls that impact ISO 27001:2013 and ISO 27002:2013.

Clause 5: PIMS-Specific Requirements Related to ISO/IEC 27001

Clause 5 of ISO/IEC 27701:2019 extends the requirements of ISO/IEC 27001 to incorporate privacy protection.

In this clause, your organisation needs to determine whether you act as a PII processor and/or a PII controller. Depending on your role, you will need to implement the relevant controls specified in Annex A (controllers) and/or Annex B (processors).

The requirements for leadership, planning, support, operation, performance evaluation and improvement in ISO 27001 must be evaluated and extended to ensure the protection of privacy.

Clause 6: PIMS-Specific Guidance Related to ISO/IEC 27002

Clause 6 of ISO/IEC 27701:2019 extends the controls found in ISO/IEC 27002 to incorporate privacy protection.

The clause requires Personally Identifiable Information (PII) to be considered as part of system development and design, and before any transmission of PII takes place.

Additional implementation guidance is included on incident management, removable media, user access to systems and services that process PII, cryptographic protection, secure re-assignment of storage space that previously held PII, back-up and recovery of PII, event log reviews, information transfer policies, confidentiality agreements and supplier relationships.

Clause 7: Additional Guidance for PII Controllers

In clause 7 of the ISO/IEC 27701 Standard, specific implementation guidance is provided for PII controllers, with additional controls referenced in Annex A.

This guidance outlines considerations for special category data and consent requirements, privacy impact assessment requirements to minimise risk to PII principals, contracts with PII processors, and clear roles and responsibilities between joint controllers.

Clause 8: Additional Guidance for PII Processors

Clause 8 of ISO/IEC 27701 provides specific implementation guidance for PII processors, with additional controls referenced in Annex B.

Guidance is given on identifying and maintaining the records needed to demonstrate compliance with the PII processing you have agreed to conduct on behalf of your customers.

The clause also covers assisting your customers in responding to requests from PII principals, managing temporary files created during processing, and returning, transferring or disposing of PII securely and appropriately.

Annexes

ISO/IEC 27701 contains 6 Annexes to provide further guidance on implementing effective privacy information management systems. Annex A and B are specific to PII controllers and processors, whereas Annexes C-F provide additional support for setting up and operating a PIMS.

  • Annex A – List of controls for PII Controllers
  • Annex B – List of controls for PII Processors
  • Annex C – Mapping of Controls for PII Controllers to the ISO/IEC 29100 privacy principles
  • Annex D – Mapping of ISO/IEC 27701 clauses to GDPR articles 5 to 49 (except 43)
  • Annex E – Mapping of ISO/IEC 27701 clauses to ISO/IEC 27018 and ISO/IEC 29151
  • Annex F – Details on how to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002

5 Steps to Certification

Getting certified can be a daunting prospect, however we’ve helped break it down into 5 simple steps.

Explore what it takes to get certified with Intertek SAI Global.

Frequently Asked Questions

Explore some of the most frequently asked questions relating to certification to the ISO 27701:2019 Standard.

What is a PII Controller and PII Processor?

According to the ISO/IEC 27701:2019 standard, a PII Controller is the entity that determines the purpose and means for processing Personally Identifiable Information (PII). Controllers define why and how PII is processed, and are responsible for implementing the privacy and security processes needed to meet applicable legal requirements. This includes Joint PII Controllers.

A PII Processor processes Personally Identifiable Information (PII) on behalf of a PII Controller, in accordance with the controller's instructions.

What is the difference between ISO/IEC 27001 and ISO/IEC 27701?

Where ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems, bridging the gap between risk management and security controls, ISO/IEC 27701 extends ISO/IEC 27001 to incorporate a Privacy Information Management System (PIMS) covering the protection of PII.

Are You Ready To Take The Next Step to Certification?

Request a call from one of our certification experts to have a no-obligation discussion around getting certified to ISO/IEC 27701:2019 with Intertek SAI Global.

ISO 27001 Training Courses

As a leading provider of education and training, SAI Global Assurance offers a wide range of training courses to help you learn, plan, implement, assess and improve your management system.