Standardful
Current international standard in force. Last updated: August 2019

ISO/IEC 27701:2019

Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management: requirements and guidelines

Publishing organization: International Organization for Standardization (ISO)

Overview of the standard

ISO/IEC 27701:2019 is a currently valid standard published by the International Organization for Standardization (ISO). It is commonly used in industries such as technology, services, finance and banking, healthcare and government, and it applies to markets worldwide.

This page collects the official documents for ISO/IEC 27701:2019, its current status, and the certification or assessment bodies commonly associated with it, so that the requirements and the path to implementation can be understood quickly.


Privacy Extension to ISMS

Extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) that maps controls to both PII controller and PII processor roles.


GDPR Alignment

Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles — enabling organizations to demonstrate compliance with European privacy regulations through certification.


Dual-Role Coverage

Provides separate control sets for PII controllers (Annex A) and PII processors (Annex B), allowing organizations to certify for one or both roles depending on their data processing activities.

PIMS Framework

  • Extension of ISO/IEC 27001 ISMS with privacy controls
  • Clause 7: PII controller-specific guidance and controls
  • Clause 8: PII processor-specific guidance and controls
  • Annex A: PII controller reference control objectives
  • Annex B: PII processor reference control objectives
  • Annex D: Mapping to GDPR requirements
  • Privacy risk assessment and treatment methodology
  • Integration with existing information security management

Who Needs to Comply?


Organizations that process personally identifiable information and want to demonstrate privacy compliance — especially those subject to GDPR, CCPA, LGPD, or other privacy regulations. Applicable to PII controllers, PII processors, or both.

Key Requirements

1. Privacy Risk Assessment

Extend the ISO 27001 risk assessment process to include privacy risks specific to PII processing. Consider the impact on data subjects and the likelihood of privacy breaches.

2. PII Controller Obligations

Implement controls for lawful basis of processing, consent management, data subject rights (access, rectification, erasure, portability), privacy by design, and data protection impact assessments.

3. PII Processor Requirements

Process PII only on documented instructions from the controller. Implement controls for sub-processor management, data breach notification, cross-border transfers, and data return or deletion.

4. Privacy Governance

Appoint responsible personnel (e.g., Data Protection Officer), maintain records of PII processing activities, conduct privacy impact assessments, and establish procedures for handling data subject requests.

5. Third-Party Management

Establish and maintain agreements with PII processing partners. Verify third-party privacy controls through audits, assessments, or certifications. Manage sub-processor chains with appropriate contractual safeguards.

Penalties & Enforcement


No direct legal penalties — ISO/IEC 27701 is a voluntary standard. However, certification provides evidence of due diligence for privacy regulators and can mitigate penalties under GDPR (up to 4% of global turnover) and similar regulations.

Official documents


Implementation timeline

  • 2017: Development begins as the ISO/IEC 27552 project
  • August 2019: ISO/IEC 27701:2019 published as the PIMS extension to ISO 27001
  • 2020: Growing adoption as a tool for demonstrating GDPR compliance
  • 2023: Microsoft, Apple, and major cloud providers achieve certification
  • 2025: ISO/IEC 27701:2025 update published with improved alignment
