ISO 27701 (Privacy Information Management — Extension to ISO 27001)
The international privacy management system standard that extends ISO 27001/27002 with a full PIMS framework, bridging GDPR and global privacy requirements.
ISO/IEC 27701:2019, "Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines," establishes a Privacy Information Management System (PIMS) as an extension layer on top of ISO 27001. Organizations certified to ISO 27001 can extend their certification scope to include ISO 27701, adding PIMS-specific requirements. The standard provides a mapping to GDPR, specifically Annex D mapping ISO 27701 controls to GDPR Articles, making it a practical demonstration tool for GDPR compliance — though not a legal certification under GDPR Article 42 (which covers product-level seals, not management systems). The standard distinguishes between requirements for PII controllers (Clause 7) and PII processors (Clause 8), with separate control sets reflecting their different legal obligations.
ISO 27701's controller-specific requirements (Clause 7) mirror GDPR data governance obligations: establishing lawful bases for processing (7.2.1), defining retention schedules (7.4.7), conducting PIAs/DPIAs for high-risk processing (7.2.5), and implementing data subject rights management processes (7.3). The processor-specific requirements (Clause 8) focus on acting only under controller instructions (8.2.1), maintaining processing records (8.2.6), providing controller audit assistance (8.2.3), and restricting sub-processor engagement (8.5.7). A key engineering obligation in Clause 7.4.4 requires organizations to implement data minimization — ensuring that only data necessary for the specified purpose is collected, enforced by technical controls rather than by policy statements alone. Clause 7.4.6 addresses accuracy: ongoing processes to verify and correct PII, not just initial accuracy checks.
ISO 27701's control extensions to ISO 27002 — Annex B for controllers and Annex C for processors — provide specific technical controls for privacy engineering. Control 7.4.1 requires defining purposes of PII processing with sufficient specificity to enable downstream technical enforcement of purpose limitation. Control 7.4.5 mandates a PII disclosure management process, including a log of authorized disclosures and a mechanism to respond to queries about disclosures within defined timeframes. For organizations pursuing both ISO 27001 and ISO 27701 certification, the gap analysis focuses on operationalizing these controls as auditable system behaviors — log entries, workflow states, and documented decisions — rather than policy documents alone.
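The following is an added illustration of how the purpose-specificity, minimization, disclosure-log and retention points above (Controls 7.4.1, 7.4.4, 7.4.5 and 7.4.7, as cited on this page) can be expressed as system behaviour that produces audit evidence. It is not code from this page or from ISO 27701, which states requirements rather than implementations; the purpose register, the data model, the function names and the sample record are all assumptions made for the example.

```python
"""Added illustration, not from the page or the standard: purpose-limited PII
handling with a disclosure log. Clause numbers are the page's; the data model,
function names and sample data are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    allowed_fields: frozenset
    retention_days: int


# Purpose register (Control 7.4.1): each purpose is specific enough to list
# exactly the PII fields it needs and its own retention period (7.4.7).
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment", frozenset({"name", "address", "email"}), 365),
    "newsletter": Purpose("newsletter", frozenset({"email"}), 730),
}


@dataclass
class PiiRecord:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime


@dataclass(frozen=True)
class DisclosureEntry:
    subject_id: str
    recipient: str
    purpose: str
    fields: tuple
    disclosed_at: datetime


class UndeclaredPurpose(ValueError):
    """Collection or disclosure against a purpose that is not in the register."""


class PurposeViolation(PermissionError):
    """Disclosure requested for a purpose other than the one the PII was collected for."""


def collect(subject_id, submitted, purpose_name, now):
    """Data minimization (7.4.4): fields the declared purpose does not list are
    dropped before storage, so the minimized set is all the system ever holds."""
    purpose = PURPOSES.get(purpose_name)
    if purpose is None:
        raise UndeclaredPurpose(purpose_name)
    kept = {k: v for k, v in submitted.items() if k in purpose.allowed_fields}
    return PiiRecord(subject_id, purpose_name, kept, now)


class DisclosureLog:
    """Disclosure management (7.4.5): every authorized disclosure is logged, and
    the log answers "what was disclosed about subject X, to whom, and why"."""

    def __init__(self):
        self.entries = []

    def disclose(self, record, recipient, purpose_name, fields, now):
        if purpose_name not in PURPOSES:
            raise UndeclaredPurpose(purpose_name)
        if purpose_name != record.purpose:
            raise PurposeViolation(f"{record.subject_id}: collected for {record.purpose}, "
                                   f"disclosure requested for {purpose_name}")
        missing = [f for f in fields if f not in record.data]
        if missing:
            raise PurposeViolation(f"fields not held for this purpose: {missing}")
        self.entries.append(DisclosureEntry(record.subject_id, recipient, purpose_name, tuple(fields), now))
        return {f: record.data[f] for f in fields}

    def for_subject(self, subject_id):
        return [e for e in self.entries if e.subject_id == subject_id]


def retention_overdue(records, now):
    """Retention schedule (7.4.7): records whose purpose-specific period has lapsed."""
    return [r for r in records
            if now >= r.collected_at + timedelta(days=PURPOSES[r.purpose].retention_days)]


def demo():
    """Constructed sample run; returns its results so they can be checked."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    submitted = {"name": "A. Example", "email": "a@example.test", "address": "1 Test St", "phone": "000"}
    rec = collect("subj-1", submitted, "order_fulfilment", t0)   # "phone" is dropped
    log = DisclosureLog()
    sent = log.disclose(rec, "courier-co", "order_fulfilment", ("name", "address"), t0)
    try:
        log.disclose(rec, "ad-network", "newsletter", ("email",), t0)  # different purpose
        blocked = False
    except PurposeViolation:
        blocked = True
    return {
        "stored_fields": sorted(rec.data),
        "sent": sent,
        "blocked": blocked,
        "disclosures": len(log.for_subject("subj-1")),
        "overdue_day_10": len(retention_overdue([rec], t0 + timedelta(days=10))),
        "overdue_day_400": len(retention_overdue([rec], t0 + timedelta(days=400))),
    }


if __name__ == "__main__":
    print(demo())
```

The point for an auditor is that each control leaves a checkable trace: the register documents the purpose, the stored record shows minimization happened at collection rather than at read time, the refused disclosure is a deterministic rule rather than a reviewer's judgement, and the disclosure log plus the retention query are the evidence a data-subject enquiry or a surveillance audit would ask for.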
We deliver ISO 27701 PIMS implementations as extensions to existing ISO 27001 programs, scoping the gap assessment against both controller and processor control sets where applicable. Our PIMS tooling operationalizes data subject rights management as a tracked workflow system producing audit evidence, and maps processing activities to GDPR legal bases with DPIA triggers integrated into the change management process.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.