How are Clauses 4–10 different from ISO 27001?

Both follow the Annex SL backbone — Clauses 4–10 work the same way structurally. ISO 27701 substitutes privacy-specific content inside the shared clauses: 4.1 includes the organisation's role determination (PII controller / processor); 5.2 frames the policy as a privacy policy; 6.1.2 is a privacy risk assessment; 6.1.3 is privacy risk treatment producing control selection from Annex A (controllers) or Annex B (processors). The shared management-system processes (document control, internal audit, management review, corrective action) operate identically.

Why does ISO 27701 emphasise role determination in Clause 4?

Because the controller / processor role determination drives which annex applies (A or B) and which obligations apply per processing activity. Clause 4.1 expects the organisation to determine its role for each processing activity in scope. Many organisations are both — controller for some activities (own employee data) and processor for others (customer data in a B2B SaaS context) — and the PIMS applies the relevant annex per activity. The role determination is recorded as documented information.

Is the Statement of Applicability mandatory under ISO 27701?

Yes — the SoA is required as part of Clause 6.1.3 privacy risk treatment, mirroring ISO/IEC 27001 Clause 6.1.3 d. Under the 2019 edition the SoA covered ISO 27001 Annex A controls plus the 27701-specific privacy controls. The 2025 edition restructures the SoA to cover the PIMS-specific Annex A (controllers) and Annex B (processors) controls directly. Every applicable control gets a position in the SoA with inclusion / exclusion justification.

How does Clause 6.1.2 privacy risk assessment differ from a DPIA?

Clause 6.1.2 is the PIMS's risk-management process — a structured, repeatable assessment of privacy risks across the organisation's processing activities. The GDPR Article 35 DPIA is a specific assessment required for processing activities that are likely to result in high risk to data subjects. The two are complementary: the PIMS risk-management process under 6.1.2 typically triggers DPIAs where the risk threshold is met. The PIMS Annex A privacy-impact-assessment control provides the structured input to the DPIA when one is required.

How long does ISO 27701 take to implement on top of ISO 27001?

For organisations with mature ISO 27001 in place, ISO 27701 typically takes 3–6 months to Stage 2 — the Annex SL backbone is already operating, and the work is primarily the privacy-specific additions: role determination, privacy policy, privacy risk assessment, Annex A / B control selection, PII principals' rights handling, breach notification process. Starting from scratch is closer to 9–12 months because every Annex SL process also has to be stood up.

How does Modulos model Clauses 4–10 for ISO 27701?

OFF-12 (org) maps the 28 PIMS spine requirements ORF-256 through ORF-283 to Clauses 4–10. MFF-13 (app) covers two per-system requirements (MRF-243 privacy risk assessment and MRF-244 privacy risk treatment) for the per-AI-system privacy overlap. Each clause maps to one or more ORF / MRF requirements; control-level evidence is attached to controls that link to those requirements.

ISO/IEC 27701 — Clauses 4–10 implementation guide

ISO 27701 follows the Annex SL harmonized structure. Clauses 4–10 describe how to run a Privacy Information Management System; PIMS-specific content sits inside the shared backbone — role determination in Clause 4.1, privacy policy in 5.2, privacy risk assessment in 6.1.2, privacy risk treatment in 6.1.3 producing control selection from Annex A (controllers) or Annex B (processors). This page is the implementation playbook.

Quick decision

You already operate ISO 27001 → Clauses 4–10 are mostly in place; focus on the PIMS-specific additions (4.1 role determination, 5.2 privacy policy, 6.1.2/3 privacy risk + treatment, Annex A/B controls).
You are starting from scratch → stand up the Annex SL backbone and the PIMS-specific work in parallel.
You need to write the privacy risk assessment (6.1.2) → define criteria, thresholds, cadence, approval authority. Trigger DPIAs (GDPR Article 35) where the risk threshold is met.
You need to determine controller vs processor role → Clause 4.1. Per processing activity, not per organisation.

TL;DR

Annex SL backbone shared with ISO 27001 / 42001 / 9001 — Clauses 4 (Context), 5 (Leadership), 6 (Planning), 7 (Support), 8 (Operation), 9 (Performance evaluation), 10 (Improvement).
PIMS-specific additions inside the shared clauses: 4.1 role determination (controller / processor); 5.2 privacy policy; 6.1.2 privacy risk assessment; 6.1.3 privacy risk treatment + SoA selecting from Annex A (controllers) or Annex B (processors).
Statement of Applicability is required as part of Clause 6.1.3 risk treatment.
Internal audit (9.2) + management review (9.3) + corrective action (10.2) = the operating loop.
Modulos models Clauses 4–10 via OFF-12 (28 ORF requirements) and MFF-13 (2 MRF requirements).

Primary source

ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Clauses 4 through 10. Withdrawn prior edition: ISO/IEC 27701:2019. Available via the ISO Online Browsing Platform. © ISO.

Annex SL backbone

Clause	Headline	PIMS-specific content
4 Context	PIMS boundaries + role determination	Controller / processor role per processing activity
5 Leadership	Accountability and direction	Privacy policy + privacy responsibilities (DPO / privacy lead)
6 Planning	Risk method, treatment, objectives, change planning	Privacy risk assessment; SoA selecting Annex A or Annex B controls
7 Support	People, resources, documented information	Privacy competence + awareness; PII handling training
8 Operation	Repeatable privacy operations	Annex A / B control execution; PII principals' rights handling; breach notification
9 Performance evaluation	Measurement + governance cadence	Privacy metrics; internal audit; management review
10 Improvement	Fix and learn	Nonconformity + corrective action; continual improvement

Framework mapping

Four layers, one reusable spine.

Frameworks

EU AI ActRegulatory

ISO 42001Standard

Requirements

Art. 9.1Risk management

Art. 10.2Data governance

6.1.1Risk assessment

Components

Risk identification

Impact analysis

Evidence

Risk registerDocument

Test resultsArtifact

Controls

The reusable spine

One control satisfies many requirements across many frameworks, and groups the components and evidence beneath them.

Risk assessment process

Data validation checks

Reusable

Edge from any layer card crosses into the Controls spine — the same control may serve a regulatory article, a standards clause, a downstream component, and the evidence that closes it.

Clause 4 — Context of the organization

Goal: define the PIMS boundaries and determine the organisation's role per processing activity.

What to implement:

PIMS scope statement (Clause 4.3) — processing activities, PII categories, PII principals, organisation's role per activity.
Role determination (4.1) — controller / processor / both, per processing activity.
Interested parties (4.2) — PII principals, customers, supervisory authorities, sub-processors.

Common pitfalls:

Role determination as a blanket statement ("we are a processor") rather than per-activity.
Scope that ignores cross-border processing or sub-processor chains.

Clause 5 — Leadership

Goal: make privacy governance real — privacy policy, defined roles, governance cadence.

What to implement:

A privacy policy (5.2) — usable and auditable.
Roles and authorities (5.3) — DPO / privacy lead, RACI for the privacy programme.
Governance cadence and escalation paths — privacy incidents, exceptions, PII principal complaints.

Clause 6 — Planning

Goal: privacy risk discipline, control selection, objectives, change planning.

What to implement:

Privacy risk assessment method (6.1.2) — criteria, thresholds, cadence, approval authority. Triggers DPIAs under GDPR Article 35 where the risk threshold is met.
Privacy risk treatment (6.1.3) — selecting Annex A controls (for controllers) and / or Annex B controls (for processors). Includes the Statement of Applicability.
Privacy objectives (6.2) — measurable, owned, reviewed.
Planning of changes (6.3) — what triggers reassessment (new processing activity, vendor change, regulatory change).

Clause 7 — Support

Goal: people, resources, competence, awareness, documented information.

What to implement:

Resource planning — DPO / privacy office, time and expertise.
Competence (7.2) — privacy-specific competences for reviewers and approvers.
Awareness and training (7.3) — PII handling training; privacy by design awareness for engineers.
Communication (7.4) — internal communication on privacy decisions; external communication to PII principals via privacy notices.
Documented information (7.5) — versioning, review cadence, access control.

Clause 8 — Operation

Goal: repeatable privacy operations — control execution, PII principals' rights, breach notification.

What to implement:

Operational planning and control (8.1) — executing the Annex A / B controls.
Periodic privacy risk reassessment (8.2) — as systems, vendors, processing activities and regulatory landscape change.
PII principals' rights handling — access, rectification, erasure, portability requests within statutory deadlines (e.g., GDPR's one-month default under Article 12).
Personal-data breach notification process — internal escalation; supervisory-authority notification under GDPR Article 33 (typically 72 hours); PII-principal notification under GDPR Article 34 where required.
Supplier and sub-processor management — contractual safeguards (DPA, SCCs), monitoring, due diligence.

Clause 9 — Performance evaluation

Goal: prove the PIMS works — monitoring, internal audit, management review.

What to implement:

Monitoring and measurement (9.1) — privacy metrics (DSAR turnaround, breach-handling time, sub-processor coverage).
Internal audit programme (9.2) — scope, cadence, sampling, auditor competence.
Management review (9.3) — inputs: audit findings, breach reports, DSAR metrics, supervisory-authority interactions, sub-processor reviews, regulatory change.

Clause 10 — Improvement

Goal: make failures productive — fix nonconformities and continually improve.

What to implement:

Nonconformity and corrective action (10.2) — ownership, deadlines, root cause analysis, effectiveness verification.
Continual improvement (10.1) — driven by audits, breaches, DSAR friction, stakeholder feedback.

How to operationalise Clauses 4–10 in Modulos

OFF-12 (org-level) mapping:

PIMS element	OFF-12 requirement	Clause
Organisational context (incl. role determination)	`ORF-256`	4.1
Interested parties	`ORF-257`	4.2
PIMS scope	`ORF-258`	4.3
PIMS itself	`ORF-259`	4.4
Leadership commitment	`ORF-260`	5.1
Privacy policy	`ORF-261`	5.2
Roles and responsibilities	`ORF-262`	5.3
Risk and opportunities — general	`ORF-263`	6.1.1
Privacy risk assessment	`ORF-264`	6.1.2
Privacy risk treatment + SoA	`ORF-265`	6.1.3
Privacy objectives	`ORF-266`	6.2
Planning of changes	`ORF-267`	6.3
Resources / competence / awareness / communication	`ORF-268`–`ORF-271`	7.1–7.4
Documented information	`ORF-272` / `ORF-273` / `ORF-274`	7.5.1–7.5.3
Operational planning and control	`ORF-275`	8.1
Monitoring + measurement	`ORF-276`	9.1
Internal audit + audit programme	`ORF-277` / `ORF-278`	9.2.1 / 9.2.2
Management review (process / inputs / outputs)	`ORF-279` / `ORF-280` / `ORF-281`	9.3.1 / 9.3.2 / 9.3.3
Continual improvement	`ORF-282`	10.1
Nonconformity and corrective action	`ORF-283`	10.2

MFF-13 (app-level) mapping:

Requirement	Clause	Topic
`MRF-243`	8.2	Privacy risk assessment (per AI system)
`MRF-244`	8.3	Privacy risk treatment (per AI system)

Integrated Management System (IMS) with ISO 27001 / 42001

The PIMS Clauses 4–10 share the Annex SL backbone with ISO 27001 (ISMS) and ISO 42001 (AIMS). What stays standard-specific:

ISO 27701: privacy risk, controller / processor distinction, Annex A / Annex B privacy controls.
ISO 27001: information-security risk, Annex A (normative) information-security controls.
ISO 42001: AI risk + impact, Annex A (informative) AI lifecycle and data controls.

Practical pattern: add OFF-9 (27001) + OFF-12 (27701) + OFF-7 or OFF-10 (42001) to a single organisation project; share the Annex SL processes; keep the standard-specific risk and control work explicit.

Related: Integration with GDPR.

Cross-framework mapping (preview)

ISO 27701 clause	Adjacent provision
Clause 4.1 role determination	GDPR Article 4(7) controller / 4(8) processor
Clause 5.2 privacy policy	GDPR Article 24 controller obligations; ISO 27001 Clause 5.2 policy
Clause 6.1.2 privacy risk assessment	GDPR Article 35 DPIA; ISO 27001 Clause 6.1.2 information-security risk assessment
Clause 6.1.3 SoA	ISO 27001 Clause 6.1.3 d SoA (mandatory); ISO 42001 SoA (informative)
Clause 8 PII principals' rights	GDPR Articles 12–22 (DSAR handling)
Clause 8 breach notification	GDPR Article 33; ISO 27001 Annex A.5.24–A.5.28 incident management
Clause 8 sub-processor management	GDPR Article 28

ISO 27701 overview

Hub: PIMS structure, controller / processor distinction, GDPR alignment

PIMS foundations (scope + roles + certification)

Scope, controller / processor determination, Stage 1 / Stage 2 / surveillance / recertification

Annexes (controls reference)

Annex A (controllers) + Annex B (processors) + Annex D (GDPR mapping)

Operationalizing in Modulos

OFF-12 + MFF-13 rollout, PIMS evidence patterns

Integration with GDPR

How the PIMS produces the operational evidence GDPR requires

Source attribution

ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Clauses 4 through 10. © ISO/IEC. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

ISO/IEC 27701 — Clauses 4–10 implementation guide

Quick decision

TL;DR

Annex SL backbone

Clause 4 — Context of the organization

Clause 5 — Leadership

Clause 6 — Planning

Clause 7 — Support

Clause 8 — Operation

Clause 9 — Performance evaluation

Clause 10 — Improvement

How to operationalise Clauses 4–10 in Modulos

Integrated Management System (IMS) with ISO 27001 / 42001

Cross-framework mapping (preview)

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

ISO/IEC 27701 — Clauses 4–10 implementation guide ​

Quick decision ​

TL;DR ​

Annex SL backbone ​

Clause 4 — Context of the organization ​

Clause 5 — Leadership ​

Clause 6 — Planning ​

Clause 7 — Support ​

Clause 8 — Operation ​

Clause 9 — Performance evaluation ​

Clause 10 — Improvement ​

How to operationalise Clauses 4–10 in Modulos ​

Integrated Management System (IMS) with ISO 27001 / 42001 ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

ISO/IEC 27701 — Clauses 4–10 implementation guide

Quick decision

TL;DR

Annex SL backbone

Clause 4 — Context of the organization

Clause 5 — Leadership

Clause 6 — Planning

Clause 7 — Support

Clause 8 — Operation

Clause 9 — Performance evaluation

Clause 10 — Improvement

How to operationalise Clauses 4–10 in Modulos

Integrated Management System (IMS) with ISO 27001 / 42001

Cross-framework mapping (preview)

Related pages

Source attribution