verified_user
Standardful
首页chevron_right标准chevron_rightISO/IEC 27701:2025
有效国际标准update 标准更新:2025年10月fact_check 事实核查:2026年6月28日

ISO/IEC 27701:2025

安全技术 面向隐私信息管理的 ISO/IEC 27001 与 ISO/IEC 27002 扩展要求与指南

apartment发布组织:国际标准化组织 (ISO)

标准简介

ISO/IEC 27701:2025 是由 国际标准化组织 (ISO) 发布的有效标准,常用于科技、服务业、金融银行、医疗健康、政府等行业,并适用于全球等市场。

本页汇总了 ISO/IEC 27701:2025 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。

privacy_tip

Privacy Extension to ISMS

Extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) that maps controls to both PII controller and PII processor roles.

balance

GDPR Alignment

Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles — enabling organizations to demonstrate compliance with European privacy regulations through certification.

groups

Dual-Role Coverage

Provides separate control sets for PII controllers (Annex A) and PII processors (Annex B), allowing organizations to certify for one or both roles depending on their data processing activities.

list_alt PIMS Framework

  • Extension of ISO/IEC 27001 ISMS with privacy controls
  • Clause 7: PII controller-specific guidance and controls
  • Clause 8: PII processor-specific guidance and controls
  • Annex A: PII controller reference control objectives
  • Annex B: PII processor reference control objectives
  • Annex D: Mapping to GDPR requirements
  • Privacy risk assessment and treatment methodology
  • Integration with existing information security management

谁需要合规?

groups

Organizations that process personally identifiable information and want to demonstrate privacy compliance — especially those subject to GDPR, CCPA, LGPD, or other privacy regulations. Applicable to PII controllers, PII processors, or both.

关键要求

1

Privacy Risk Assessment

Extend the ISO 27001 risk assessment process to include privacy risks specific to PII processing. Consider the impact on data subjects and the likelihood of privacy breaches.

2

PII Controller Obligations

Implement controls for lawful basis of processing, consent management, data subject rights (access, rectification, erasure, portability), privacy by design, and data protection impact assessments.

3

PII Processor Requirements

Process PII only on documented instructions from the controller. Implement controls for sub-processor management, data breach notification, cross-border transfers, and data return or deletion.

4

Privacy Governance

Appoint responsible personnel (e.g., Data Protection Officer), maintain records of PII processing activities, conduct privacy impact assessments, and establish procedures for handling data subject requests.

5

Third-Party Management

Establish and maintain agreements with PII processing partners. Verify third-party privacy controls through audits, assessments, or certifications. Manage sub-processor chains with appropriate contractual safeguards.

实施路线图

1
阶段 1schedule 预计周期: 3-6 周

定义 PIMS 范围和角色

识别处理活动、司法辖区、产品、系统、控制者和处理者角色、个人数据类别、隐私义务,以及与现有信息安全或合规管理体系的接口。

2
阶段 2schedule 预计周期: 6-10 周

映射隐私控制和义务

依据 ISO/IEC 27701 对隐私治理、风险评估、数据主体权利、隐私通知、合法处理、处理者管理、记录、隐私设计和传输控制的要求评估差距。

3
阶段 3schedule 预计周期: 10-24 周

实施 PIMS 运营

部署政策、处理记录、DPIA 或 PIA 流程、数据主体请求处理、事件流程、供应商控制、保留计划、培训、指标和隐私控制证据。

4
阶段 4schedule 预计周期: 持续进行

审核并改进隐私管理

开展内部审核、管理评审、纠正措施和认证准备度检查。当法律、产品、供应商、数据流或组织角色变化时刷新 PIMS。

合规检查清单

0 / 12

checklist PIMS 治理

checklist 隐私运营

checklist 保证和改进

处罚与执行

warning

No direct legal penalties — ISO/IEC 27701 is a voluntary standard. However, certification provides evidence of due diligence for privacy regulators and can mitigate penalties under GDPR (up to 4% of global turnover) and similar regulations.

常见问题解答

ISO/IEC 27701 提供什么?

expand_more

ISO/IEC 27701 规定了建立、实施、维护和持续改进隐私信息管理体系的要求,适用于控制者、处理者或两者兼具的组织。

ISO 27701 只是 ISO 27001 扩展吗?

expand_more

2025 版定位为隐私信息管理体系标准。许多组织仍将其与 ISO 27001 整合,因为隐私控制高度依赖信息安全治理和证据。

ISO 27701 能证明 GDPR 或 LGPD 合规吗?

expand_more

任何单一认证都不能证明符合所有隐私法律。ISO 27701 有助于组织治理、记录、权利处理、风险评估和处理者控制,以支持法律合规项目。

ISO 27701 需要哪些证据?

expand_more

有用证据包括 PIMS 范围、处理记录、隐私风险评估、通知、同意记录、数据主体请求日志、供应商合同、传输评估、事件记录、内部审核和管理评审。

谁应负责 PIMS?

expand_more

责任通常由隐私、法律、合规、安全或风险负责人承担,但有效运行需要产品、工程、HR、营销、采购和支持团队在日常工作中维护控制。

官方文档

查看全部

实施时间线

edit_document
2017年
Development begins as ISO/IEC 27552 project
check_circle
2019年8月
ISO/IEC 27701:2019 published as PIMS extension to ISO 27001
trending_up
2020年
Growing adoption as GDPR compliance demonstration tool
cloud
2023年
Microsoft, Apple, and major cloud providers achieve certification
update
2025年10月
ISO/IEC 27701:2025 update published with improved alignment

相关分类