ISO/IEC 27701:2019
Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
Standard Introduction
ISO/IEC 27701:2019 is an active standard published by the International Organization for Standardization (ISO). It is commonly used across the Technology, Services, Finance & Banking, Healthcare and Government sectors and applies globally.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/IEC 27701:2019.
Privacy Extension to ISMS
Extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) that maps controls to both PII controller and PII processor roles.
GDPR Alignment
Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles, enabling organizations to demonstrate compliance with European privacy regulations through certification.
Dual-Role Coverage
Provides separate control sets for PII controllers (Annex A) and PII processors (Annex B), allowing organizations to certify for one or both roles depending on their data processing activities.
PIMS Framework
- Extension of ISO/IEC 27001 ISMS with privacy controls
- Clause 7: PII controller-specific guidance and controls
- Clause 8: PII processor-specific guidance and controls
- Annex A: PII controller reference control objectives
- Annex B: PII processor reference control objectives
- Annex D: Mapping to GDPR requirements
- Privacy risk assessment and treatment methodology
- Integration with existing information security management
Who Needs to Comply?
Organizations that process personally identifiable information and want to demonstrate privacy compliance, especially those subject to GDPR, CCPA, LGPD, or other privacy regulations. Applicable to PII controllers, PII processors, or both.
Key Requirements
Privacy Risk Assessment
Extend the ISO 27001 risk assessment process to include privacy risks specific to PII processing. Consider the impact on data subjects and the likelihood of privacy breaches.
PII Controller Obligations
Implement controls for lawful basis of processing, consent management, data subject rights (access, rectification, erasure, portability), privacy by design, and data protection impact assessments.
PII Processor Requirements
Process PII only on documented instructions from the controller. Implement controls for sub-processor management, data breach notification, cross-border transfers, and data return or deletion.
Privacy Governance
Appoint responsible personnel (e.g., Data Protection Officer), maintain records of PII processing activities, conduct privacy impact assessments, and establish procedures for handling data subject requests.
Third-Party Management
Establish and maintain agreements with PII processing partners. Verify third-party privacy controls through audits, assessments, or certifications. Manage sub-processor chains with appropriate contractual safeguards.
Penalties & Enforcement
There are no direct legal penalties: ISO/IEC 27701 is a voluntary standard. However, certification provides evidence of due diligence for privacy regulators and can mitigate penalties under GDPR (up to 4% of global turnover) and similar regulations.
Official Documentation
Official PDF for ISO/IEC 27701:2019
Official publication or summary for ISO/IEC 27701:2019
Official online resource
International Organization for Standardization (ISO) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for ISO/IEC 27701:2019