ISO/IEC 27701 PIMS Deepdive

1. Overview

What ISO/IEC 27701 Is

ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. The standard is published by the International Organization for Standardization at iso.org/standard/71670. A revised edition (ISO/IEC 27701:2025) is in development to align with ISO/IEC 27001:2022's restructured Annex A; verify the current status at iso.org before scoping an engagement.

Who It Applies To

Any organization that processes personally identifiable information (PII) as either a PII controller (analogous to a GDPR controller) or a PII processor (analogous to a GDPR processor). Most common adopters: B2B SaaS handling EU/UK personal data, healthcare and HR technology vendors, marketing and ad-tech providers, and any vendor whose customers need GDPR Article 28 assurance with an internationally recognized certificate.

Relationship to ISO 27001

ISO 27701 is an extension. An organization must hold an ISO 27001 certificate to be certified to ISO 27701. The PIMS is built on the ISMS scope and is certified by the same accredited certification body. The PIMS adds:

  • Privacy-specific extensions to ISO 27001 Clauses 4 through 10
  • Privacy-specific extensions to ISO 27002 controls (the document refers to these as "refinements")
  • Annex A: PIMS-specific controls for PII controllers
  • Annex B: PIMS-specific controls for PII processors
  • Annex C: mapping to ISO 29100 privacy principles
  • Annex D: mapping to the GDPR
  • Annex E: mapping to ISO 27018 and ISO 29151
  • Annex F: applying ISO 27701 to ISO 27001 and ISO 27002

Outcome

An ISO 27701 certificate from an accredited certification body, attached to and dependent on the ISO 27001 certificate. The certificate scope statement identifies whether the organization is certified as a PII controller, a PII processor, or both. For European buyers seeking GDPR Article 28 assurance with international recognition, ISO 27701 is the practical standard.

Security Consultants delivers ISO 27701 implementation through the ISO 27701 consulting service, typically paired with ISO 27001 and GDPR programs to deliver a single integrated information security and privacy management system.

2. Scope & Applicability

Mandatory Coverage of the Underlying ISMS

The PIMS scope must cover at least the parts of the ISO 27001 ISMS scope that handle PII. The scope statement names the PII processing activities in scope and the role(s) played for each (controller, processor, or both).

PII Controller vs PII Processor

ISO 27701 distinguishes the two roles consistent with GDPR Article 4. A single organization can be a controller for some PII (for example, its employee data and account-holder data) and a processor for other PII (customer-managed personal data within the SaaS service). Most B2B SaaS providers are both and apply Annex A and Annex B as relevant per processing activity.

Statement of Applicability

The PIMS Statement of Applicability extends the ISO 27001 SoA with the Annex A (controller) and Annex B (processor) controls relevant to the role(s) in scope. Each control is listed with an applicability decision and justification, mirroring the ISO 27001 SoA discipline.

Mapping to Other Standards

Annex D of ISO 27701 maps the standard to the GDPR articles, making it the most defensible international standard against which to evidence GDPR Article 28 processor obligations and controller accountability. Annex C maps to ISO 29100 privacy principles. The mapping is not a substitute for GDPR compliance but provides an audit trail that helps regulators and customers connect the certificate to GDPR obligations.

3. Core Principles

PIMS-Specific Requirements (Clauses 5–8)

ISO 27701 adds privacy refinements to ISO 27001 Clauses 4 through 10. Notable additions:

  • Clause 5.2.1: the ISMS scope is expanded to include PII processing
  • Clause 5.4: risk treatment is expanded to include privacy risk
  • Clauses 6.5 (controller) and 6.6 (processor): ISO 27002 controls are extended with privacy refinements
  • Clauses 7 (controller-specific) and 8 (processor-specific): the additional control sets are defined

ISO 27018 Alignment

ISO 27018 is the older code of practice for protection of PII in public clouds acting as PII processors. ISO 27701 superseded the certification value of ISO 27018 in most contexts, although ISO 27018 remains technically certifiable as a control set. Most organizations now certify ISO 27701 and reference ISO 27018 as historical context.

ISO 29100 Privacy Principles

The 11 privacy principles of ISO/IEC 29100 are the conceptual foundation: consent and choice; purpose legitimacy and specification; collection limitation; data minimization; use, retention, and disclosure limitation; accuracy and quality; openness, transparency, and notice; individual participation and access; accountability; information security; privacy compliance.

4. Control Breakdown

Annex A — Controls for PII Controllers

Annex A defines additional controls applicable when the organization is a PII controller. Selected highlights:

  • A.7.2 Conditions for collection and processing: identifying the lawful basis (A.7.2.2), determining when and how consent is obtained (A.7.2.3), preparing privacy impact assessments (A.7.2.5), maintaining records related to processing PII (A.7.2.8).
  • A.7.3 Obligations to PII principals: information provided to PII principals (A.7.3.1–A.7.3.4), modifying or withdrawing consent (A.7.3.5), providing the right to access (A.7.3.8), correction (A.7.3.9), erasure (A.7.3.10), portability (A.7.3.11), automated decisions (A.7.3.12).
  • A.7.4 Privacy by design and privacy by default: limit collection (A.7.4.1), limit processing (A.7.4.2), accuracy and quality (A.7.4.3), de-identification and deletion at the end of processing (A.7.4.4–A.7.4.5), temporary files (A.7.4.6), retention (A.7.4.7), disposal (A.7.4.8), transmission controls (A.7.4.9).
  • A.7.5 PII sharing, transfer, and disclosure: identify basis (A.7.5.1), countries and recipients (A.7.5.2), records of transfers (A.7.5.3), records of disclosure (A.7.5.4).

Annex B — Controls for PII Processors

Annex B defines additional controls applicable when the organization is a PII processor. Selected highlights:

  • B.8.2 Conditions for collection and processing: customer agreement (B.8.2.1), organization's purposes (B.8.2.2), marketing and advertising use (B.8.2.3), infringing instruction (B.8.2.4), customer obligations (B.8.2.5), records related to processing PII (B.8.2.6).
  • B.8.3 Obligations to PII principals: pass on requests received by the processor to the controller.
  • B.8.4 Privacy by design and privacy by default: temporary files (B.8.4.1), return, transfer, or disposal of PII (B.8.4.2), PII transmission controls (B.8.4.3).
  • B.8.5 PII sharing, transfer, and disclosure: basis for transfer (B.8.5.1), countries and recipients (B.8.5.2), records of disclosure (B.8.5.3), notification of disclosure requests (B.8.5.4), legally binding disclosure (B.8.5.5), disclosure of subcontractors (B.8.5.6), engagement of subcontractor (B.8.5.7), change of subcontractor (B.8.5.8).

Privacy Refinements to ISO 27002 Controls (Clauses 6.5 and 6.6)

ISO 27701 refines a subset of ISO 27002 controls with privacy considerations including human resources security, asset management, access control, cryptography, operations security, communications security, supplier relationships, information security incident management, and compliance.

5. Minimum Requirements (Non-Negotiable)

Mandatory Documents

  • Existing ISO 27001 mandatory documents (see our ISO 27001 service)
  • PIMS scope statement identifying controller / processor role(s)
  • Extended Statement of Applicability covering Annex A and / or Annex B controls
  • Records related to processing PII (controller A.7.2.8; processor B.8.2.6) — equivalent to GDPR Article 30 ROPA
  • Privacy Policy and supporting privacy procedures aligned with the PII principal obligations
  • Subcontractor / sub-processor register with disclosure procedure (B.8.5.6–B.8.5.8)
  • Privacy impact assessment template and completed PIAs for high-risk processing
  • Customer agreement template covering processor obligations (B.8.2.1)
  • Cross-border transfer documentation (A.7.5.x / B.8.5.x)
  • Record of disclosure requests received and handled

Mandatory Processes

  • PII principal request handling (controller) or pass-through (processor) within agreed timelines
  • Privacy incident response with notification to controller (processor) or PII principal and supervisory authority (controller)
  • Vendor / sub-processor onboarding with privacy due diligence
  • Privacy training for personnel handling PII
  • Periodic privacy risk assessment integrated with the ISMS risk assessment
  • Periodic review of records related to processing PII
  • Cross-border transfer assessment refresh on third-country legal changes

6. Technical Implementation Guidance

Build on the ISO 27001 ISMS

  • Extend the ISMS scope statement to declare PII processing in scope
  • Extend the SoA with Annex A / Annex B controls per role
  • Integrate privacy risk into the ISMS risk methodology

Records of Processing

  • Maintain controller records (A.7.2.8) and processor records (B.8.2.6)
  • Treat these as the GDPR Article 30 ROPA — same instrument, dual purpose
  • Review at least annually and on material change

PII Principal Rights Operations (Controller)

  • Operationalize access, correction, erasure, portability, and objection consistent with A.7.3
  • Integrate with the GDPR Articles 15–22 workflow if GDPR-in-scope
  • Track timing and quality metrics

Customer-Facing Processor Obligations (Processor)

  • Documented agreement template that the customer signs (B.8.2.1)
  • Pass-through workflow for PII principal requests (B.8.3)
  • Sub-processor disclosure and change procedure (B.8.5.6–B.8.5.8) — mirror the GDPR Article 28(2)–(4) flow-down

Cross-Border Transfers

  • Maintain a transfer register including countries, recipients, and the basis for transfer
  • For GDPR-in-scope transfers, integrate with the Transfer Impact Assessment (TIA) workflow under GDPR Article 46. See our GDPR service.

Privacy Impact Assessment

  • PIA template aligned with Annex A.7.2.5 expectations and (where GDPR applies) the Article 35 DPIA structure
  • Trigger PIAs at design stage for new processing
  • Document residual risk and supervisory consultation where required

Privacy by Design

  • Collection minimized to what the processing purpose requires
  • Default settings privacy-preserving
  • De-identification and deletion at end of processing (A.7.4.4–A.7.4.5)
  • Retention schedule operationalized in systems

7. Policy & Procedure Requirements

  • Privacy Policy (top-level)
  • External Privacy Notice
  • Records of Processing Procedure (controller and processor variants as applicable)
  • PII Principal Rights Procedure (controller)
  • Privacy Pass-Through Procedure (processor)
  • Privacy Impact Assessment Procedure
  • Consent Management Procedure
  • Lawful Basis and Legitimate Interests Assessment Procedure (controller)
  • Cross-Border Transfer Procedure with TIA template
  • Sub-Processor / Subcontractor Management Procedure (processor)
  • Privacy Incident Response Procedure
  • Privacy Training Program
  • De-identification and Retention Procedure
  • Customer Agreement Template (processor; covering B.8.2.x)
  • Disclosure of Government Requests Procedure

In combined ISO 27001 + ISO 27701 + ISO 42001 deployments, most of these documents serve all three frameworks, with framework-specific extensions. See our ISO 42001 service. For the practical case for stacking AI governance on top of an existing ISMS and PIMS, see our deep-dive blog post How to integrate ISO 42001 with ISO 27001 without rebuilding your ISMS.

8. Audit Evidence & Verification

ISO 27701 certification follows the ISO 27001 audit lifecycle: Stage 1 (documentation review), Stage 2 (implementation and effectiveness), annual surveillance audits, and three-year recertification. The certification body must be accredited for ISO 27701, which is typically a separate accreditation from ISO 27001 even if held by the same firm.

Typical Evidence Categories

  • Extended Statement of Applicability
  • Records related to processing PII (controller / processor)
  • PII principal rights register with response timing (controller)
  • Pass-through register (processor)
  • PIA register and completed PIAs
  • Customer agreement templates and signed customer agreements (processor)
  • Sub-processor / subcontractor register and disclosure evidence
  • Cross-border transfer register
  • Privacy incident records
  • Privacy training completion records
  • Existing ISO 27001 ISMS evidence (re-used for the PIMS audit)

Common Remediation Items

  • Extended SoA missing or incomplete
  • Records related to processing PII not distinguished from generic ROPA / vendor list
  • Sub-processor disclosure procedure (processor) absent
  • PIA template not integrated with the ISMS risk methodology
  • Cross-border transfer documentation thin
  • Customer agreement template does not reflect Annex B requirements

9. Implementation Timeline Considerations

Typical Duration

  • PIMS on top of mature ISO 27001 ISMS: 3–5 months from kickoff to Stage 2 audit
  • Combined first-time ISO 27001 + ISO 27701: 6–9 months total
  • Annual surveillance: combined with ISO 27001 surveillance, adding minimal incremental time

Milestones

  • Role determination (controller / processor / both)
  • Gap analysis against Annex A and / or Annex B
  • Extended SoA drafted
  • Records related to processing PII established
  • PII principal rights / pass-through operations launched
  • Sub-processor / cross-border transfer registers operationalized
  • Privacy training rollout
  • Internal audit of the PIMS extensions
  • Stage 1 + Stage 2 audits
  • Certificate issued

Dependencies

  • Existing or in-progress ISO 27001 certification (prerequisite)
  • Certification body accredited for ISO 27701
  • Legal input on customer agreement template (processor) and lawful-basis documentation (controller)
  • vCISO or program lead to coordinate (see vCISO service)

10. Ongoing BAU Requirements

  • Annual privacy risk assessment integrated with ISMS risk assessment
  • Annual internal audit cycle of the PIMS extensions
  • Annual privacy training
  • Records related to processing PII maintained current
  • Sub-processor register reviewed and renewed
  • Cross-border transfer register refreshed on third-country legal changes
  • PII principal rights / pass-through workflows operating within agreed timelines
  • Privacy incident response readiness
  • Combined surveillance audit annually; recertification before three-year expiry

11. Maturity Levels

Minimum Compliance

  • PIMS scope and SoA in place
  • Records related to processing PII established
  • Privacy procedures documented
  • Privacy training operational
  • Manual evidence collection

Intermediate

  • PIA integrated with product development
  • Centralized privacy and security risk register
  • Cross-border transfer governance with TIA integration for GDPR
  • Sub-processor lifecycle automated

Advanced

  • Integrated ISO 27001 + ISO 27701 + ISO 42001 + GDPR evidence library
  • Continuous monitoring of PII processing with automated records updates
  • Privacy engineering embedded in CI/CD
  • Public transparency reporting on government access requests

12. FAQs

Do we need ISO 27001 before ISO 27701?

Yes. ISO 27701 is an extension and requires a current ISO 27001 certificate. Many organizations pursue the two in parallel, with the certification body issuing both at the same audit.

Is ISO 27701 the same as GDPR compliance?

No. ISO 27701 is a management system standard with controls mapped to the GDPR (Annex D), but it is not itself a finding of GDPR compliance. A supervisory authority assesses GDPR compliance directly. ISO 27701 certification is, however, the strongest internationally recognized evidence of an accountable privacy program and substantially eases customer due diligence.

Are we a controller or a processor?

Most B2B SaaS organizations are both: controllers for their own employee data, account-holder data, marketing data, and operational telemetry; processors for the personal data their customers process within the SaaS service. The PIMS scope statement identifies both roles where applicable.

How is ISO 27701 different from ISO 27018?

ISO 27018 is a code of practice for PII processors in public clouds. ISO 27701 is a full management-system standard covering both controllers and processors, mapping to the GDPR, and certifiable across all sectors. Most organizations now adopt ISO 27701 and treat ISO 27018 as background.

What does ISO 27701 cost?

Incremental cost over an existing ISO 27001 program typically runs 25–50 percent of the ISO 27001 program cost in year one, depending on the breadth of PII processing and the maturity of existing privacy operations. Annual incremental surveillance is in the 20–40 percent range.

Is there a 2025 revision?

A revision of ISO 27701 has been in development to align with ISO 27001:2022's restructured Annex A. Verify the current published status at iso.org before relying on the 2019 control numbering for new certifications.

How does ISO 27701 relate to ISO 42001?

ISO 42001 is the AI Management System; ISO 27701 is the Privacy Information Management System. They share the ISO 27001 ISMS foundation. For AI products that process personal data, run all three. See our ISO 42001 service.

Does ISO 27701 cover cross-border transfers?

Yes — Annex A.7.5 (controller) and Annex B.8.5 (processor) address transfer basis, country, recipients, and records. For GDPR-in-scope transfers, integrate the ISO 27701 register with the GDPR Transfer Impact Assessment workflow.

What is the certificate cycle?

Three years, aligned with the ISO 27001 certificate cycle. Surveillance audits annually for the first two years; recertification audit before expiry.

Can a single certification body issue ISO 27001 and ISO 27701?

Yes, where the certification body holds accreditation for both. In practice the same firm typically issues both certificates at the same audit, reducing audit fatigue and cost.

What evidence do customers ask for?

The ISO 27701 certificate, the scope statement (showing controller / processor coverage), the relevant Annex A / B controls in the SoA, and the records related to processing PII. Many customer due-diligence forms specifically ask for these. ISO 27701 substantially reduces vendor-questionnaire fatigue compared to GDPR-only self-attestation.

13. Summary

ISO/IEC 27701 is the international Privacy Information Management System standard, extending ISO 27001 with controller-specific (Annex A) and processor-specific (Annex B) controls mapped to the GDPR. For multinational B2B SaaS handling personal data, ISO 27701 is the practical international counterpart to GDPR compliance: it makes accountability auditable, gives customers an internationally recognized assurance signal, and reduces vendor due-diligence overhead. Implementation rides directly on the existing ISO 27001 ISMS, with the bulk of incremental work in role definition, extended SoA, records of processing, PII principal rights operations or pass-through, and sub-processor and cross-border transfer governance.

To scope an engagement, book a call from the ISO 27701 consulting service page, or talk to us about combining ISO 27701 with ISO 27001, GDPR, or ISO 42001 for an integrated information security, privacy, and AI governance program. For the practical view of stacking AI governance, see our blog post How to integrate ISO 42001 with ISO 27001 without rebuilding your ISMS.
