ISO/IEC 27701


ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance (second edition)

 

Abstract

ISO/IEC 27701 is an international standard that sets out requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).

It also provides guidance to support organisations in putting these requirements into practice.

The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII.
[Source: ISO summary page]
 

Introduction

Whereas the first edition of this standard described a Privacy Information Management System as an extension to an Information Security Management System, the second edition formally severed that dependency.

A PIMS can now be an independent, standalone governance and management structure ... that just happens to resemble ISO’s other management systems.

However, it can still be aligned or integrated (to some extent) with an ISMS, or indeed with other management systems, with pros (such as reducing unnecessary duplication) and cons (such as increasing complexity).

Conformity to ISO/IEC 27701 can be assessed and certified using ISO/IEC 27706.

 

Scope of the standard

The standard specifies a Privacy Information Management System applicable to both controllers and processors of Personally Identifiable Information.

Although the standard ostensibly concerns ‘privacy’, in practice it focuses primarily on protecting PII against risks; more precisely still, it concerns cybersecurity risks and controls for personal data in the IT context.

Peripherally-related aspects of privacy (such as ‘personal space’ and ‘freedom of expression’) are not covered.

 

Content of the standard

The standard applies the conventional ISO ‘management system’ structure and terminology (as laid out in the ISO Directives) to privacy, or more precisely the protection of Personally Identifiable Information:

  1. Scope
  2. Normative references
  3. Terms, definitions and abbreviations
  4. Context of the organization - understanding stakeholder requirements
  5. Leadership - governing, driving and controlling the organisation’s privacy arrangements
  6. Planning - PIMS objectives, privacy policy
  7. Support - administration, documentation ...
  8. Operation - systematically assessing and treating privacy risks
  9. Performance evaluation - metrics and assurance
  10. Improvement - feedback driving continual improvement

Annexes:

    - a generic catalogue or reference set of privacy control objectives and controls, akin to Annex A of ISO/IEC 27001

    - PIMS implementation guidance, similar to earlier editions of ISO/IEC 27003

    - mappings to related standards (ISO/IEC 29100, 27018 and 29151), to the first edition, and to GDPR.


Status

The first edition, published in 2019, specified PIMS as an extension to an ISMS.

The second edition, published in October 2025, specifies PIMS as a standalone management system.

 

Personal comments

ISO27k practitioners will surely recognise the cyclical, risk-based approach:

  1. Identify privacy-related risks;
  2. Assess and evaluate them;
  3. Decide how to treat them (what, if anything, to do about them);
  4. Treat them (implement the risk-treatment decisions);
  5. Lather, rinse, repeat.

 

Copyright © 2025 IsecT Ltd.