ISO/IEC 27701 — PIMS foundations

ISO 27701 is a management-system standard. Audits test whether the PIMS works in practice — privacy governance, risk management, control execution, continual improvement. This page covers the foundations: the Clause 4.3 scope statement, the controller / processor role distinction that drives Annex A vs Annex B application, and the Stage 1 / Stage 2 / surveillance / recertification cycle.

Quick decision

  • You need to write the PIMS scope statement → Clause 4.3. Cover processing activities, categories of PII, PII principals, organisation's role per activity (controller / processor / both).
  • You determine purposes and means of processing → you are a PII controller for that activity. Apply Annex A controls.
  • You process PII on behalf of another organisation → you are a PII processor for that activity. Apply Annex B controls.
  • You operate ISO 27001 already → the 2019 PIMS edition required ISMS-first; the 2025 edition makes the PIMS standalone. Either way, the Annex SL clauses are shared.

TL;DR

  • PIMS scope (Clause 4.3) is mandatory documented information naming processing activities, PII categories, principals and organisation's role.
  • Controller / processor distinction drives which annex applies. Annex A = controller controls; Annex B = processor controls. Many organisations operate as both.
  • Stage 1 = documentation review. Stage 2 = operational audit. Same three-year cycle as ISO 27001 / 42001.
  • Edition status: ISO/IEC 27701:2025 is the current published edition; ISO/IEC 27701:2019 is the withdrawn prior edition. Modulos labels the OFF-12 / MFF-13 templates as ISO/IEC 27701.2:2024, which is the same standard lineage as the 2025 edition rather than a separate standard.
  • Auditors sample operational reality — control execution records, PII principals' rights handling, supplier evidence, breach-notification process.

Primary source

ISO/IEC 27701:2025, Privacy information management — Requirements and guidance, Clauses 4.1, 4.2, 4.3, 5.3, 6.1.2, 6.1.3, 9.2, 9.3. Withdrawn prior edition: ISO/IEC 27701:2019. Available via the ISO Online Browsing Platform. © ISO.

PIMS scope you can defend (Clause 4.3)

A defensible PIMS scope statement is:

  • Specific — names processing activities (e.g., "HR processing of employee data", "customer-data processing for SaaS service X").
  • PII-aware — names which categories of PII are inside the scope (employee data, customer data, special-category data).
  • Role-aware — specifies the organisation's role (controller / processor / both) per processing activity.
  • Principal-aware — names the PII principals affected (employees, customers, end-users, prospects).
  • Reviewable — describes how scope changes are approved and recorded.

For AI systems, the PIMS scope often extends to the data pipeline (training data, inference data) and to downstream consequences of automated decision-making.

Controller vs processor

The controller / processor distinction is the most consequential decision in any PIMS:

                    PII controller                                     PII processor
Determines          Purposes and means of processing                   Acts on documented instructions from a controller
GDPR equivalent     Article 4(7)                                       Article 4(8)
PIMS annex          Annex A                                            Annex B
Typical examples    Organisation processing its own employee or        B2B SaaS processing customer data on behalf of
                    customer data; B2C SaaS controller of              customer organisations; AI inference services
                    end-user accounts

A single organisation is typically a controller for some activities (HR data, marketing leads) and a processor for others (customer data in a B2B SaaS context). The PIMS applies the relevant annex per processing activity, not per organisation.

For AI systems, the role determination often depends on whether the AI provider sets the purposes (e.g., a general-purpose chatbot) or whether the customer sets the purposes (e.g., a customer-built AI on a SaaS inference platform).

The certification audit cycle

Stage                  Timing                  Auditor focus
Stage 1                Initial certification   Scope, privacy policy, role determination, risk assessment and treatment, internal audit, management review
Stage 2                Initial certification   Operational evidence: control execution, PII principals' rights handling, supplier governance, breach process
Year 1 surveillance    ~12 months              Sample of clauses plus, every year: status of nonconformities, internal audit, management review, changes to the PIMS
Year 2 surveillance    ~24 months              Same depth as year 1, with a different sample of clauses
Recertification        ~36 months              Full audit at Stage 2 depth; new three-year certificate

What auditors typically test

  • PIMS scope and PII categories are current and the PIMS operates within them.
  • Controller / processor role determination is documented per processing activity.
  • Privacy risk assessment (Clause 6.1.2) is reproducible and drives Annex A / B selection.
  • Annex A (or B) controls are executed with evidence.
  • PII principals' rights (access, rectification, erasure, portability) are handled within statutory deadlines.
  • Supplier / sub-processor governance is operating.
  • Cross-border transfer arrangements (where applicable) are documented and current.
  • Breach notification works to required deadlines (under GDPR Article 33, notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a processor must notify its controller without undue delay).
  • Internal audit findings feed corrective actions; management review takes decisions.

How to operationalise PIMS foundations in Modulos

Modulos models the PIMS scope + role determination against the OFF-12 framework template:

OFF-12 requirement             Description                                                    ISO 27701 clause
ORF-256                        Understanding the organisation and its context                 4.1
ORF-257                        Understanding the needs and expectations of interested parties 4.2
ORF-258                        Determining the scope of the PIMS                              4.3
ORF-259                        Privacy information management system                          4.4
ORF-261                        Privacy policy                                                 5.2
ORF-262                        Roles, responsibilities and authorities                        5.3
ORF-264                        Privacy risk assessment                                        6.1.2
ORF-265                        Privacy risk treatment and control selection                   6.1.3
ORF-277 / ORF-278              Internal audit and audit programme                             9.2.1 / 9.2.2
ORF-279 / ORF-280 / ORF-281    Management review (process, inputs, outputs)                   9.3.1 / 9.3.2 / 9.3.3

The PIMS scope statement and controller / processor role determination are owner-authored documentation stored as control-level evidence on ORF-258. The Annex A / Annex B control selection is captured on ORF-265 (Clause 6.1.3 risk treatment).

Cross-framework mapping (preview)

ISO 27701 element                        Adjacent provision
Clause 4.3 PIMS scope                    ISO 27001 Clause 4.3 ISMS scope; ISO 42001 Clause 4.3 AIMS scope
Controller / processor distinction       GDPR Article 4(7) controller / Article 4(8) processor
Clause 6.1.2 privacy risk assessment     GDPR Article 35 DPIA; ISO 27001 Clause 6.1.2 information security risk assessment
Stage 1 / Stage 2 cycle                  Same ISO/IEC 17021-1 certification process across ISO 27001, 42001 and 9001
Internal audit (Clause 9.2)              ISO 27001 / 42001 / 9001 Clause 9.2
Breach notification                      GDPR Article 33; ISO 27001:2022 Annex A 5.24–5.28 (incident management)

Source attribution

ISO/IEC 27701:2025, Privacy information management — Requirements and guidance, Clauses 4.1, 4.2, 4.3, 4.4, 5.2, 5.3, 6.1.2, 6.1.3, 9.2, 9.3, plus Annex A (controllers) and Annex B (processors). © ISO/IEC. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.