
Operationalizing ISO/IEC 27701 in Modulos

ISO 27701 becomes manageable when the PIMS is treated as an operating model — scope, role determination, privacy risk, control execution, evidence, continual improvement, repeated. This page is the implementation playbook for running the PIMS on Modulos using the OFF-12 + MFF-13 framework templates.

Quick decision

  • You are starting a fresh PIMS rollout → one organisation project with OFF-12, plus AI-system projects with MFF-13.
  • You already run ISO 27001 (ISMS) → add OFF-12 to the existing organisation project; reuse the shared Annex SL processes (document control, internal audit, management review, corrective action); only stand up privacy-specific work.
  • You need to determine controller / processor role → document per processing activity as control-level evidence on ORF-258 (Clause 4.3 PIMS scope). Annex A applies to controller activities; Annex B applies to processor activities.
  • You need to scope MFF-13 work → MFF-13 covers the per-AI-system privacy overlap (privacy risk assessment + treatment). One MFF-13 project per AI system that processes PII.

TL;DR

  • Two framework templates map ISO 27701 evidence: OFF-12 (org, 28 ORF requirements) + MFF-13 (app, 2 MRF requirements).
  • Two project layers: organisation project for the PIMS spine; AI-system projects for per-system privacy overlap.
  • PIMS spine on the org project: scope, privacy policy, role determination, risk method, Annex A / Annex B control selection, internal audit, management review, corrective action.
  • Per-AI-system overlap on the app project: privacy risk assessment + treatment for each AI deployment that processes PII.
  • Controller / processor role determination is owner-authored documentation stored as evidence on ORF-258. Role drives Annex A vs Annex B on ORF-265.
  • IMS integration with ISO 27001 / 42001: share Clauses 4–10 processes; keep standard-specific risk and control work explicit.
  • Edition status: Platform labels OFF-12 / MFF-13 as ISO/IEC 27701.2:2024 — the same 2025-track standard lineage as ISO/IEC 27701:2025. ISO/IEC 27701:2019 is the withdrawn prior edition.

Primary source

ISO/IEC 27701:2025, Privacy information management — Requirements and guidance. Withdrawn prior edition: ISO/IEC 27701:2019. Modulos framework templates: OFF-12 (org) and MFF-13 (app), labeled ISO/IEC 27701.2:2024 in modulos_platform/content/templates/frameworks/. Available via the ISO Online Browsing Platform. © ISO.

| Project | Template | When to use |
| --- | --- | --- |
| One organisation project | OFF-12 (add to existing org project if you already run ISO 27001 / 42001) | Scope statement, role determination, privacy policy, Annex SL processes, privacy risk method, Annex A / Annex B control selection, internal audit, management review |
| AI-system projects | MFF-13 | Per-AI-system privacy risk assessment + treatment |

The split mirrors the standard's logic: organisation-wide PIMS spine on one side; per-system operational work on the other.

Set up: a sequence that works

How to operationalise ISO 27701 in Modulos

OFF-12 (org-level) mapping:

| PIMS element | OFF-12 requirement | Clause |
| --- | --- | --- |
| Organisational context | ORF-256 | 4.1 |
| Interested parties | ORF-257 | 4.2 |
| PIMS scope + controller / processor role determination | ORF-258 | 4.3 |
| PIMS itself | ORF-259 | 4.4 |
| Leadership commitment | ORF-260 | 5.1 |
| Privacy policy | ORF-261 | 5.2 |
| Roles and responsibilities | ORF-262 | 5.3 |
| Risk and opportunities — general | ORF-263 | 6.1.1 |
| Privacy risk assessment | ORF-264 | 6.1.2 |
| Privacy risk treatment + Annex A / Annex B selection | ORF-265 | 6.1.3 |
| Privacy objectives | ORF-266 | 6.2 |
| Planning of changes | ORF-267 | 6.3 |
| Resources / competence / awareness / communication | ORF-268 – ORF-271 | 7.1–7.4 |
| Documented information | ORF-272 / ORF-273 / ORF-274 | 7.5.1–7.5.3 |
| Operational planning and control | ORF-275 | 8.1 |
| Monitoring + measurement | ORF-276 | 9.1 |
| Internal audit + audit programme | ORF-277 / ORF-278 | 9.2.1 / 9.2.2 |
| Management review (process / inputs / outputs) | ORF-279 / ORF-280 / ORF-281 | 9.3.1 / 9.3.2 / 9.3.3 |
| Continual improvement | ORF-282 | 10.1 |
| Nonconformity and corrective action | ORF-283 | 10.2 |

MFF-13 (app-level) mapping:

| Requirement | Clause | Topic |
| --- | --- | --- |
| MRF-243 | 8 | Privacy risk assessment (per AI system) |
| MRF-244 | 8 | Privacy risk treatment (per AI system) |

Operating rules:

  • Scope, role determination, privacy policy, risk method, internal audit, management review live on OFF-12. One organisation project per organisation.
  • Per-AI-system privacy risk + treatment live on MFF-13. One MFF-13 project per AI system that processes PII.
  • Annex A and Annex B controls are tracked as Modulos controls linked to ORF-265 (Clause 6.1.3 risk treatment). Annex A for controller activities, Annex B for processor activities. A single organisation typically operates both.

What is first-class UI vs evidence-attached

  • First-class — Modulos exposes the OFF-12 / MFF-13 framework template on the project (Settings → Frameworks) and the requirement readiness signal on each ORF / MRF requirement.
  • Evidence-attached (no dedicated UI) — PIMS scope and role-determination document, privacy risk-assessment method, privacy risk register, DPIA records, RoPA entries, control execution records, PII principals' rights tickets, supplier / sub-processor assessments, cross-border transfer impact assessments, breach-notification records, internal-audit programme + reports, management-review minutes. Each is owner-authored documentation stored as control-level evidence on the relevant requirement.

ISO 27701 doesn't prescribe the form of these artefacts — only that they exist, are current and are reviewable.

Controller vs processor — operating both annexes

Most organisations operate both annexes:

| Role | Annex | Typical Modulos use |
| --- | --- | --- |
| Controller | Annex A | HR data, marketing leads, B2C product user accounts — your organisation determines purposes and means |
| Processor | Annex B | B2B SaaS customer data, AI inference on customer prompts — your organisation processes on documented instructions |

Mechanics:

  • Document the role per processing activity on ORF-258.
  • The risk treatment plan on ORF-265 selects the applicable annex per activity.
  • Annex A / Annex B controls are operated as Modulos controls linked to ORF-265. The same documentation-driven evidence pattern applies to both annexes.

Cross-framework mapping (preview)

| ISO 27701 element | Adjacent provision |
| --- | --- |
| Clause 4.3 PIMS scope | ISO 27001 Clause 4.3 ISMS scope; ISO 42001 Clause 4.3 AIMS scope |
| Controller / processor role determination | GDPR Articles 4(7) / 4(8) / 26 |
| Clause 6.1.2 privacy risk assessment | GDPR Article 35 DPIA (triggered); ISO 27001 Clause 6.1.2 |
| Annex A controls (controllers) | GDPR Article 24 |
| Annex B controls (processors) | GDPR Articles 28(2)–(4) |
| Breach process | GDPR Articles 33–34; ISO 27001 Annex A.5.24–A.5.28 |
| Cross-border transfers | GDPR Articles 44–49 |
| Annex SL Clauses 4–10 | ISO 27001 / 42001 same clauses — implement once, share evidence |

IMS integration — ISO 27001 + 42001 + 27701

ISO management-system standards share the Annex SL backbone. The shared layer is document control (Clause 7.5), internal audit (Clause 9.2), management review (Clause 9.3), corrective action (Clause 10.2), competence (Clause 7.2) and communication (Clause 7.4). What stays standard-specific:

  • ISO 27701: privacy risk + treatment + Annex A (controllers) and Annex B (processors) controls; PII principals' rights; cross-border transfers.
  • ISO 27001: information-security risk + treatment + Annex A (normative) information-security controls.
  • ISO 42001: AI policy, AI risk + impact, AI lifecycle controls.

Practical pattern in Modulos: add the relevant OFF templates (OFF-9 ISMS, OFF-10 or OFF-7 AIMS, OFF-12 PIMS) to the same organisation project; share evidence across them where a single control satisfies multiple obligations (e.g., one internal-audit programme covering ISMS + AIMS + PIMS).

Related: Integration with GDPR · ISO 42001 ↔ ISO 27001 comparison.

Common pitfalls

  • Treating role determination as a one-off. Controller / processor status changes when processing activities change (new product, new B2B contract, new AI feature). The role record needs to live with the PIMS.
  • Conflating DPIA and privacy risk assessment. Clause 6.1.2 privacy risk assessment is the PIMS-wide risk method; the GDPR Article 35 DPIA is triggered for high-risk processing. The DPIA outputs feed Clause 6.1.2 / 6.1.3 but don't replace them.
  • Skipping Annex B. Organisations that are mostly controllers often forget the processor side of the business. If you process PII on behalf of customers, Annex B applies to those activities.
  • Reproducing Annex A / Annex B control text. The control text is © ISO. Reference controls by their reference number and describe your implementation in your own words.
  • Stale supplier register. Sub-processor inventories drift fast. Make the supplier-assessment cadence a planned obligation on ORF-275.
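The mechanics above (role on ORF-258 drives the annex selected on ORF-265) and these pitfalls can be turned into a consistency check over the role record. The following is an added example, not Modulos code or the Modulos API: it assumes a hypothetical per-activity data model and a constructed sample register, and flags activities with no documented role, processor or controller activities with no control from the matching annex, AI systems processing PII without an MFF-13 project, and sub-processor assessments past the ORF-275 cadence.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role drives the annex: Annex A for controller activities, Annex B for processor activities.
ROLE_TO_ANNEX = {"controller": "Annex A", "processor": "Annex B"}


@dataclass
class Activity:
    """One processing activity as documented on ORF-258 (hypothetical model, not the Modulos API)."""
    name: str
    role: Optional[str]                            # "controller", "processor", or None if undocumented
    controls: set = field(default_factory=set)     # control refs linked to ORF-265, e.g. "Annex B:ctrl-03"
    ai_system: Optional[str] = None                # AI system that processes PII for this activity
    has_mff13_project: bool = False                # per-AI-system MFF-13 project exists
    sub_processor: Optional[str] = None            # sub-processor used by a processor activity
    sub_processor_assessed: Optional[date] = None  # date of the last supplier assessment


def annex_for(activity: Activity) -> Optional[str]:
    # Annex selected on ORF-265 for this activity, or None if no role is documented.
    return ROLE_TO_ANNEX.get(activity.role or "")


def pims_findings(activities, today: date, cadence_days: int = 365) -> list:
    """Consistency checks that mirror the page's operating rules and common pitfalls."""
    out = []
    for a in activities:
        annex = annex_for(a)
        if annex is None:
            out.append(f"{a.name}: role not documented on ORF-258")
            continue  # without a role the annex selection on ORF-265 cannot be checked
        if not any(c.startswith(annex) for c in a.controls):
            out.append(f"{a.name}: {a.role} activity with no {annex} control linked to ORF-265")
        if a.ai_system and not a.has_mff13_project:
            out.append(f"{a.name}: AI system '{a.ai_system}' processes PII but has no MFF-13 project")
        if a.sub_processor and (a.sub_processor_assessed is None
                                or today - a.sub_processor_assessed > timedelta(days=cadence_days)):
            out.append(f"{a.name}: sub-processor '{a.sub_processor}' assessment overdue (ORF-275 cadence)")
    return out


# Constructed sample register and review date (illustrative values, not real records).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Activity("HR payroll", "controller", {"Annex A:ctrl-01"}),
    Activity("B2B SaaS tenant data", "processor", {"Annex B:ctrl-03"},
             sub_processor="cloud-host", sub_processor_assessed=date(2023, 1, 15)),
    Activity("Customer-prompt inference", "processor", ai_system="support-assistant"),
    Activity("Marketing leads", None),
]
```

Running `pims_findings(SAMPLE, TODAY)` on the constructed register returns four findings, one per pitfall; an activity is silent only when its role, annex controls, MFF-13 project and supplier cadence are all in place.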

Source attribution

ISO/IEC 27701:2025, Privacy information management — Requirements and guidance, Clauses 4–10 + Annex A (PII controllers) + Annex B (PII processors) + Annex D (GDPR mapping). © ISO/IEC. Available via the ISO Online Browsing Platform. Modulos framework templates OFF-12 and MFF-13 (labeled ISO/IEC 27701.2:2024) in modulos_platform/content/templates/frameworks/.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.