ISO/IEC 27701 — Privacy Information Management System (PIMS)

ISO/IEC 27701 is the international management-system standard for privacy. It specifies requirements for a Privacy Information Management System (PIMS) — a structured operating model for managing the privacy of personally identifiable information (PII) across people, processes and technology, certifiable by an accredited third-party body.

This guide cites ISO/IEC 27701:2025 as the current published edition; ISO/IEC 27701:2019 is the withdrawn prior edition. Modulos labels OFF-12 / MFF-13 as ISO/IEC 27701.2:2024 — the same 2025-track standard lineage.

Quick decision

  • You already operate ISO 27001 and need a certifiable privacy spine → ISO 27701 is the natural extension; under the 2019 edition you must operate ISO 27001 first. The 2025 edition restructures the PIMS as a standalone management-system standard.
  • You need to demonstrate GDPR operational compliance to customers / DPAs → the PIMS produces the documented evidence supervisory authorities expect. ISO 27701 maps controls to GDPR articles in informative Annex D.
  • You act as both a PII controller and a PII processor → apply both Annex A (controller controls) and Annex B (processor controls) to the relevant processing activities.
  • You want a deep read of the management-system clauses → see Clauses 4–10.

TL;DR

  • 2025 edition is the current published edition — restructures the PIMS as a standalone management-system standard following Annex SL. 2019 is the withdrawn prior edition.
  • Annex SL backbone — Clauses 4–10 shared with ISO 27001 and ISO 42001.
  • Two control annexes: Annex A privacy controls for PII controllers; Annex B privacy controls for PII processors.
  • GDPR mapping in Annex D — informative cross-reference between PIMS controls and GDPR articles.
  • Certification cycle: same Stage 1 / Stage 2 / surveillance / recertification as ISO 27001 and 42001.
  • Modulos operationalises ISO 27701 through the OFF-12 (org, 28 ORF requirements) and MFF-13 (app, 2 MRF requirements) framework templates.

Primary source

ISO/IEC 27701:2025, Privacy information management — Requirements and guidance. Available via the ISO Online Browsing Platform. © ISO. The withdrawn prior edition is ISO/IEC 27701:2019. The platform-side template in modulos_platform is labelled "ISO/IEC 27701.2:2024"; this is the same 2025-track edition under finalisation.

Key facts

Publisher: ISO/IEC (joint)
Edition cited: ISO/IEC 27701:2025
Prior edition: ISO/IEC 27701:2019 (withdrawn)
Type: Certifiable management-system standard
Scope: Privacy of PII (PIMS)
Backbone: Annex SL (Clauses 4–10)

What the PIMS actually requires

ISO 27701 expects the organisation to:

  • determine the PIMS scope (Clause 4.3) including processing activities and the PII the organisation handles;
  • maintain a privacy policy (5.2);
  • assign roles and responsibilities including (where required) the data protection officer or equivalent (5.3);
  • perform a structured privacy risk assessment (6.1.2) and privacy risk treatment (6.1.3);
  • set and pursue privacy objectives (6.2);
  • operate the Annex A controls (if a PII controller) and Annex B controls (if a PII processor);
  • monitor, measure, internally audit and review (Clause 9) and continually improve (Clause 10).

Go deeper: PIMS foundations · Clauses 4–10 · Annexes.

Controller vs processor — Annex A vs Annex B

The PIMS adapts to the organisation's role under the privacy regime:

  • PII controller = determines the purposes and means of processing personal data. Applies Annex A privacy controls (e.g., conditions for collection and processing, obligations to PII principals, transfer-impact assessment).
  • PII processor = processes personal data on behalf of a controller. Applies Annex B privacy controls (e.g., obligations to the controller, sub-processor management, return / deletion of PII at end of processing).

A single organisation often operates as both a controller (for its own data) and a processor (for customer data) and applies the relevant annex per processing activity. The role distinction mirrors GDPR's Article 4(7) controller / Article 4(8) processor distinction.

Go deeper: Annexes (controls reference).

How ISO 27701 supports GDPR

ISO 27701 is voluntary; GDPR is binding regulation. The PIMS produces the documented evidence GDPR compliance work requires:

  • Article 5 principles → PIMS Annex A controls on lawfulness, transparency, data minimisation, storage limitation.
  • Article 6 lawfulness of processing → PIMS Annex A control on identifying the legal basis.
  • Article 28 processor obligations → PIMS Annex B control set.
  • Article 30 records of processing → PIMS Annex A.7.2 records of categories of processing.
  • Article 33 personal-data breach notification → PIMS Clause 6.1.3 risk treatment + ISO 27001 Annex A.5.24–A.5.28 incident management.
  • Article 35 DPIA → PIMS Clause 6.1.2 privacy risk assessment + Clause 6.1.3 privacy risk treatment, with Annex A privacy-impact-assessment evidence where the organisation is a controller.
  • Article 37 data protection officer → PIMS Clause 5.3 roles.

The standard's informative Annex D maps PIMS controls to GDPR articles directly. An ISO 27701 certificate does not certify GDPR compliance, but the PIMS is one of the most efficient ways to produce the operational evidence supervisory authorities expect.

Go deeper: Integration with GDPR.

How to operationalise ISO 27701 in Modulos

Modulos models ISO 27701 through two framework templates:

Template | Scope | Mapped requirements
OFF-12 (org) | Clauses 4–10 PIMS spine | ORF-256…ORF-283 (28 requirements)
MFF-13 (app) | Per-AI-system privacy overlap | MRF-243 (Clause 8.2 privacy risk assessment), MRF-244 (Clause 8.3 privacy risk treatment)

Standard rollout in Modulos:

  • One organisation project for the PIMS itself — scope, privacy policy, privacy risk-management process, internal audit, management review. Apply OFF-12.
  • AI-system projects for the per-system privacy work (privacy risk assessment + treatment for the AI deployment, particularly when personal data is processed). Apply MFF-13.
  • Where ISO 27001 (ISMS) or ISO 42001 (AIMS) also apply, share Clauses 4–10 with those management systems on the same organisation project.

Go deeper: Operationalizing in Modulos.

Cross-framework mapping (preview)

ISO 27701 element | Adjacent provision
Clause 4.3 PIMS scope | ISO 27001 Clause 4.3 ISMS scope; ISO 42001 Clause 4.3 AIMS scope
Clause 5.2 privacy policy | ISO 27001 Clause 5.2 information-security policy; ISO 42001 Clause 5.2 AI policy
Clause 6.1.2 privacy risk assessment | GDPR Article 35 DPIA; ISO 27001 Clause 6.1.2 information-security risk assessment
Annex A (controllers) | GDPR Articles 5, 6, 7, 12–22, 24, 30, 35
Annex B (processors) | GDPR Article 28; SCCs (Module 2 Controller-to-Processor)
PII breach notification | GDPR Article 33; ISO 27001 Annex A.5.24–A.5.28; EU AI Act Article 73 (distinct)
PII subjects' rights | GDPR Articles 12–22
Cross-border transfer | GDPR Articles 44–50; Annex A transfer-impact assessment control

Source attribution

ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance. © ISO/IEC. Withdrawn prior edition: ISO/IEC 27701:2019. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.