ISO/IEC 27701
ISO/IEC 27701:2025 — Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance
(second edition)
Abstract
“ISO/IEC 27701 is an international standard that sets out requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
It also provides guidance to support organisations in putting these requirements into practice.
The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII.”
[Source: ISO summary page]
Introduction
ISO/IEC 27701 applies the conventional ISO ‘management system’ structure and terminology (as laid out in the ISO Directives) to privacy, or more precisely the protection of Personally Identifiable Information.
Whereas the first edition of this standard described a Privacy Information Management System as an extension to an Information Security Management System, the second edition formally severed that dependency. A PIMS can now be an independent, standalone governance and management structure ... that just happens to resemble ISO’s other management systems.
However, it can still be aligned or integrated (to some extent) with an ISMS, or indeed with other management systems, with pros (such as reducing unnecessary duplication) and cons (such as increasing complexity).
Conformity to ISO/IEC 27701 can be assessed and certified using ISO/IEC 27706.
Scope
The standard specifies a Privacy Information Management System applicable to both controllers and processors of Personally Identifiable Information.
Although the standard ostensibly concerns ‘privacy’, in practice it focuses primarily on protecting PII against risks; more precisely still, it concerns cybersecurity risks and controls for personal data in the IT context.
Peripherally-related aspects of privacy (such as ‘personal space’ and ‘freedom of expression’) are not covered.
Structure
All sections:
Foreword
Introduction
1: Scope
2: Normative references - essential reading for users of the standard
3: Terms, definitions and abbreviations
4: Context of the organization - understanding internal (corporate) and external stakeholder requirements
5: Leadership - governing, driving and controlling the organisation's privacy arrangements
6: Planning - PIMS objectives, privacy policy
7: Support - privacy administration and documentation
8: Operation - systematically managing privacy risks
9: Performance evaluation - metrics and assurance
10: Improvement - feedback driving maturity
11: Further information on annexes
Annex A: PIMS reference control objectives and controls for PII controllers and PII processors - a generic privacy control catalogue similar to Annex A of ISO/IEC 27001
Annex B: Implementation guidance for PII controllers and PII processors - advice on building the PIMS
Annex C: Mapping to ISO/IEC 29100
Annex D: Mapping to the General Data Protection Regulation
Annex E: Mapping to ISO/IEC 27018 and ISO/IEC 29151
Annex F: Correspondence with ISO/IEC 27701:2019
Bibliography - further reading
Status
The first edition, published in 2019, specified PIMS as an extension to an ISMS.
The second edition, published in 2025, specifies PIMS as a standalone management system.
Commentary
ISO27k practitioners will surely recognise the cyclical, risk-based approach:
Identify privacy-related risks;
Assess and evaluate them;
Decide how to treat them (what, if anything, to do about them);
Treat them (implement the risk-treatment decisions);
Lather, rinse, repeat.
