verified_user
Standardful
首頁chevron_right標準chevron_rightISO/IEC 27701:2025
現行有效國際標準update 標準更新:2025年10月fact_check 事實核查:2026年6月28日

ISO/IEC 27701:2025

安全技術 面向隱私資訊管理的 ISO/IEC 27001 與 ISO/IEC 27002 擴充要求與指南

apartment發布組織:國際標準化組織 (ISO)

標準簡介

ISO/IEC 27701:2025 是由 國際標準化組織 (ISO) 發布的現行有效標準,常用於科技、服務業、金融銀行、醫療健康、政府等產業,並適用於全球等市場。

本頁整理了 ISO/IEC 27701:2025 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

privacy_tip

Privacy Extension to ISMS

Extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) that maps controls to both PII controller and PII processor roles.

balance

GDPR Alignment

Annex D provides a detailed mapping between ISO 27701 controls and GDPR articles — enabling organizations to demonstrate compliance with European privacy regulations through certification.

groups

Dual-Role Coverage

Provides separate control sets for PII controllers (Annex A) and PII processors (Annex B), allowing organizations to certify for one or both roles depending on their data processing activities.

list_alt PIMS Framework

  • Extension of ISO/IEC 27001 ISMS with privacy controls
  • Clause 7: PII controller-specific guidance and controls
  • Clause 8: PII processor-specific guidance and controls
  • Annex A: PII controller reference control objectives
  • Annex B: PII processor reference control objectives
  • Annex D: Mapping to GDPR requirements
  • Privacy risk assessment and treatment methodology
  • Integration with existing information security management

誰需要合規?

groups

Organizations that process personally identifiable information and want to demonstrate privacy compliance — especially those subject to GDPR, CCPA, LGPD, or other privacy regulations. Applicable to PII controllers, PII processors, or both.

關鍵要求

1

Privacy Risk Assessment

Extend the ISO 27001 risk assessment process to include privacy risks specific to PII processing. Consider the impact on data subjects and the likelihood of privacy breaches.

2

PII Controller Obligations

Implement controls for lawful basis of processing, consent management, data subject rights (access, rectification, erasure, portability), privacy by design, and data protection impact assessments.

3

PII Processor Requirements

Process PII only on documented instructions from the controller. Implement controls for sub-processor management, data breach notification, cross-border transfers, and data return or deletion.

4

Privacy Governance

Appoint responsible personnel (e.g., Data Protection Officer), maintain records of PII processing activities, conduct privacy impact assessments, and establish procedures for handling data subject requests.

5

Third-Party Management

Establish and maintain agreements with PII processing partners. Verify third-party privacy controls through audits, assessments, or certifications. Manage sub-processor chains with appropriate contractual safeguards.

實施路線圖

1
階段 1schedule 預計週期: 3-6 周

定義 PIMS 範圍和角色

識別處理活動、司法轄區、產品、系統、控制者和處理者角色、個人數據類別、隱私義務,以及與現有信息安全或合規管理體系的接口。

2
階段 2schedule 預計週期: 6-10 周

映射隱私控制和義務

依據 ISO/IEC 27701 對隱私治理、風險評估、數據主體權利、隱私通知、合法處理、處理者管理、記錄、隱私設計和傳輸控制的要求評估差距。

3
階段 3schedule 預計週期: 10-24 周

實施 PIMS 運營

部署政策、處理記錄、DPIA 或 PIA 流程、數據主體請求處理、事件流程、供應商控制、保留計劃、培訓、指標和隱私控制證據。

4
階段 4schedule 預計週期: 持續進行

審覈並改進隱私管理

開展內部審覈、管理評審、糾正措施和認證準備度檢查。當法律、產品、供應商、數據流或組織角色變化時刷新 PIMS。

合規檢查清單

0 / 12

checklist PIMS 治理

checklist 隱私運營

checklist 保證和改進

處罰與執行

warning

No direct legal penalties — ISO/IEC 27701 is a voluntary standard. However, certification provides evidence of due diligence for privacy regulators and can mitigate penalties under GDPR (up to 4% of global turnover) and similar regulations.

常見問題解答

ISO/IEC 27701 提供什麼?

expand_more

ISO/IEC 27701 規定了建立、實施、維護和持續改進隱私信息管理體系的要求,適用於控制者、處理者或兩者兼具的組織。

ISO 27701 只是 ISO 27001 擴展嗎?

expand_more

2025 版定位爲隱私信息管理體系標準。許多組織仍將其與 ISO 27001 整合,因爲隱私控制高度依賴信息安全治理和證據。

ISO 27701 能證明 GDPR 或 LGPD 合規嗎?

expand_more

任何單一認證都不能證明符合所有隱私法律。ISO 27701 有助於組織治理、記錄、權利處理、風險評估和處理者控制,以支持法律合規項目。

ISO 27701 需要哪些證據?

expand_more

有用證據包括 PIMS 範圍、處理記錄、隱私風險評估、通知、同意記錄、數據主體請求日誌、供應商合同、傳輸評估、事件記錄、內部審覈和管理評審。

誰應負責 PIMS?

expand_more

責任通常由隱私、法律、合規、安全或風險負責人承擔,但有效運行需要產品、工程、HR、營銷、採購和支持團隊在日常工作中維護控制。

官方文件

查看全部

實施時間線

edit_document
2017年
Development begins as ISO/IEC 27552 project
check_circle
2019年8月
ISO/IEC 27701:2019 published as PIMS extension to ISO 27001
trending_up
2020年
Growing adoption as GDPR compliance demonstration tool
cloud
2023年
Microsoft, Apple, and major cloud providers achieve certification
update
2025年10月
ISO/IEC 27701:2025 update published with improved alignment

相關分類