ISO/IEC 27701 — PIMS foundations
ISO 27701 is a management-system standard. Audits test whether the PIMS works in practice — privacy governance, risk management, control execution, continual improvement. This page covers the foundations: the Clause 4.3 scope statement, the controller / processor role distinction that drives Annex A vs Annex B application, and the Stage 1 / Stage 2 / surveillance / recertification cycle.
Quick decision
- You need to write the PIMS scope statement → Clause 4.3. Cover processing activities, categories of PII, PII principals, organisation's role per activity (controller / processor / both).
- You determine purposes and means of processing → you are a PII controller for that activity. Apply Annex A controls.
- You process PII on behalf of another organisation → you are a PII processor for that activity. Apply Annex B controls.
- You operate ISO 27001 already → the 2019 PIMS edition required ISMS-first; the 2025 edition makes the PIMS standalone. Either way, the Annex SL clauses are shared.
TL;DR
- PIMS scope (Clause 4.3) is mandatory documented information naming processing activities, PII categories, principals and organisation's role.
- Controller / processor distinction drives which annex applies. Annex A = controller controls; Annex B = processor controls. Many organisations operate as both.
- Stage 1 = documentation review. Stage 2 = operational audit. Same three-year cycle as ISO 27001 / 42001.
- Edition status: ISO/IEC 27701:2025 is the current published edition; ISO/IEC 27701:2019 is the withdrawn prior edition. Modulos labels OFF-12 / MFF-13 as ISO/IEC 27701.2:2024, the same 2025-track standard lineage.
- Auditors sample operational reality — control execution records, PII principals' rights handling, supplier evidence, breach-notification process.
Primary source
ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Clauses 4.1, 4.2, 4.3, 5.3, 6.1.2, 6.1.3, 9.2, 9.3. Withdrawn prior edition: ISO/IEC 27701:2019. Available via the ISO Online Browsing Platform. © ISO.
PIMS scope you can defend (Clause 4.3)
A defensible PIMS scope statement is:
- Specific — names processing activities (e.g., "HR processing of employee data", "customer-data processing for SaaS service X").
- PII-aware — names which categories of PII are inside the scope (employee data, customer data, special-category data).
- Role-aware — specifies the organisation's role (controller / processor / both) per processing activity.
- Principal-aware — names the PII principals affected (employees, customers, end-users, prospects).
- Reviewable — describes how scope changes are approved and recorded.
For AI systems, the PIMS scope often extends to the data pipeline (training data, inference data) and to downstream consequences of automated decision-making.
Controller vs processor
The controller / processor distinction is the most consequential decision in any PIMS:
| | PII controller | PII processor |
|---|---|---|
| Determines | Purposes and means of processing | Acts on documented instructions from a controller |
| GDPR equivalent | Article 4(7) | Article 4(8) |
| PIMS annex | Annex A | Annex B |
| Typical examples | Organisation processing its own employee or customer data; B2C SaaS controller of end-user accounts | B2B SaaS processing customer data on behalf of customer organisations; AI inference services |
A single organisation is typically a controller for some activities (HR data, marketing leads) and a processor for others (customer data in a B2B SaaS context). The PIMS applies the relevant annex per processing activity, not per organisation.
For AI systems, the role determination often depends on whether the AI provider sets the purposes (e.g., a general-purpose chatbot) or whether the customer sets the purposes (e.g., a customer-built AI on a SaaS inference platform).
The certification audit cycle
Governance loop: four stations, one operating model (diagram: PIMS audit loop; audit readiness is a cadence, not a sprint).
- Plan: define PIMS scope, privacy policy and risk method.
- Operate: execute Annex A / Annex B controls and collect evidence.
- Assure: internal audits and management review.
- Improve: corrective actions and updates.
The dashed arc in the diagram marks restart: every cycle re-enters Plan with what changed since the last pass.
| Stage | Timing | Auditor focus |
|---|---|---|
| Stage 1 | Initial certification | Scope, privacy policy, role determination, risk + treatment, internal audit, management review |
| Stage 2 | Initial certification | Operational evidence — control execution, PII principals' rights handling, supplier governance, breach process |
| Year 1 surveillance | ~12 months | Sample of clauses + always: nonconformities, audit, review, changes |
| Year 2 surveillance | ~24 months | Same depth as year 1 |
| Recertification | ~36 months | Full audit at Stage 2 depth; new three-year certificate |
Audit pack: how four export types collapse into one shippable bundle (diagram).
Inputs:
- Project PDF export
- Top controls (PDF exports)
- Evidence files (attachments)
- Key assets (Markdown exports)
Output: the audit pack, a single shippable bundle holding all four input types, versioned together, ready for the auditor.
Snapshot: exports are snapshots. Keep scope stable before exporting; the bundle freezes whatever was in place at export time.
What auditors typically test
- PIMS scope and PII categories are current and the PIMS operates within them.
- Controller / processor role determination is documented per processing activity.
- Privacy risk assessment (Clause 6.1.2) is reproducible and drives Annex A / B selection.
- Annex A (or B) controls are executed with evidence.
- PII principals' rights (access, rectification, erasure, portability) are handled within statutory deadlines.
- Supplier / sub-processor governance is operating.
- Cross-border transfer arrangements (where applicable) are documented and current.
- Breach notification works to required deadlines (typically 72 hours under GDPR Article 33).
- Internal audit findings feed corrective actions; management review takes decisions.
How to operationalise PIMS foundations in Modulos
Modulos models the PIMS scope + role determination against the OFF-12 framework template:
| OFF-12 requirement | Description | ISO 27701 clause |
|---|---|---|
| ORF-256 | Understanding the organisation and its context | 4.1 |
| ORF-257 | Understanding the needs and expectations of interested parties | 4.2 |
| ORF-258 | Determining the scope of the PIMS | 4.3 |
| ORF-259 | Privacy information management system | 4.4 |
| ORF-261 | Privacy policy | 5.2 |
| ORF-262 | Roles, responsibilities and authorities | 5.3 |
| ORF-264 | Privacy risk assessment | 6.1.2 |
| ORF-265 | Privacy risk treatment + control selection | 6.1.3 |
| ORF-277 / ORF-278 | Internal audit + audit programme | 9.2.1 / 9.2.2 |
| ORF-279 / ORF-280 / ORF-281 | Management review (process, inputs, outputs) | 9.3.1 / 9.3.2 / 9.3.3 |
The PIMS scope statement and controller / processor role determination are owner-authored documentation stored as control-level evidence on ORF-258. The Annex A / Annex B control selection is captured on ORF-265 (Clause 6.1.3 risk treatment).
Cross-framework mapping (preview)
| ISO 27701 element | Adjacent provision |
|---|---|
| Clause 4.3 PIMS scope | ISO 27001 Clause 4.3 ISMS scope; ISO 42001 Clause 4.3 AIMS scope |
| Controller / processor distinction | GDPR Article 4(7) controller / 4(8) processor |
| Clause 6.1.2 privacy risk assessment | GDPR Article 35 DPIA; ISO 27001 Clause 6.1.2 |
| Stage 1 / Stage 2 cycle | Identical across ISO 27001, 42001, 9001 |
| Internal audit (Clause 9.2) | ISO 27001 / 42001 / 9001 Clause 9.2 |
| Breach notification | GDPR Article 33; ISO 27001 Annex A.5.24–A.5.28 |
Related pages
- ISO 27701 overview: hub for PIMS structure, controller / processor distinction, GDPR alignment
- Clauses 4–10 (implementation guide): Annex SL backbone (Context, Leadership, Planning, Support, Operation, Performance evaluation, Improvement)
- Annexes (controls reference): Annex A (controllers) + Annex B (processors) + Annex D (GDPR mapping)
- Operationalizing in Modulos: OFF-12 + MFF-13 rollout, PIMS evidence patterns
Source attribution
ISO/IEC 27701:2025 — Privacy information management — Requirements and guidance, Clauses 4.1, 4.2, 4.3, 4.4, 5.2, 5.3, 6.1.2, 6.1.3, 9.2, 9.3 + Annex A (controllers) + Annex B (processors). © ISO/IEC. Available via the ISO Online Browsing Platform.
Disclaimer
This page is for general informational purposes and does not constitute legal or certification advice.