Guide to ISO/IEC 27701:2019 Clauses

The worldwide standard for a privacy information management system is ISO/IEC 27701. (PIMS). It is a privacy addition to ISO/IEC 27002 Security Controls and ISO/IEC 27001 Information Security Management.

These are some particular organisational roles:

  • PII controllers (among them are those who act as joint PII controllers)
  • PII processors

Following are the clauses mentioned in ISO 27701:

Clause 1: Scope

In here, the prerequisites for the management system's intended use are outlined. As an addition to ISO/IEC 27001 and ISO/IEC 27002, ISO/IEC 27701 aims to provide rules and recommendations for setting up, implementing, maintaining, and improving a privacy information management system. focused on the individuals who are in charge of and accountable for handling PII, including PII controllers and PII processors.

Clause 2: Normative references

Documents cited in a standard are considered normative references. These include: ISO/IEC 27000 Overview and vocabulary for information security management systems ISO/IEC 27001 Information security management systems: requirements The ISO/IEC 27002 Code of Practice for Information Security Controls Framework for privacy established by ISO/IEC 29100

Clause 3: Terms and definitions

Important terminology used throughout the standard that are not defined in ISO/IEC 27000 and ISO/IEC 29100 are given a few extra definitions in this section.

Clause 4: General

In relation to ISO/IEC 27701, this clause "sets the scene." It gives a high-level overview of the document's organisation and identifies where the PIMS-specific requirements are located in reference to ISO/IEC 27001 and ISO/IEC 27002.

Clause 5: PIMS specific requirements related to ISO/IEC 27001

The purpose of this clause is to incorporate the protection of privacy into the information security criteria of ISO/IEC 27001 as well.

Determine your function as a processor and/or controller within the framework of the company, and take into account the influence of internal and external elements including privacy-specific rules and contractual requirements. Depending on your function, you must implement and apply the pertinent controls from Annexes A and/or B to your current statement of applicability.

Additionally, you must take into account the parties with an interest in the processing of PII, the scope of your PIMS, and the efficient implementation, upkeep, and ongoing improvement of the system. To ensure the protection of privacy, consideration and extension of ISO/IEC 27001's requirements for management, planning, support, operation, performance evaluation, and improvement must be taken into account. Risks to information and processing of PII must now be evaluated and handled carefully, in particular.

Clause 6: PIMS specific guidance related to ISO/IEC 27002

This clause aims to expand ISO/IEC 27002's information security recommendations to include privacy protection.

For instance, based on compliance, contractual, and stakeholder needs, enterprises need to take into account the extra implementation guidance regarding information security policies to incorporate pertinent privacy declarations.

Roles and duties in respect to the processing of PII are described with greater clarity. This includes being informed of incident reporting requirements and the repercussions of a privacy violation.

Advice is provided to guarantee that PII is taken into account while classifying your information. You must be aware of the PII your company handles, where it is kept, and the systems it passes through. Additionally, people need to know what PII is and how to spot it.

On incident management, removable media, user access on PII processing systems and services, cryptographic protection, reassigning PII storage space, back-up and recovery of PII, event log reviews, information transfer policies, and confidentiality agreements, more thorough implementation guidance is provided.

Additionally, this clause's instructions encourage you to take PII into account before transmitting data over open networks and as part of the system's development and design. Relationships with suppliers as well as their expectations and obligations must be addressed.

Clause 7: Additional guidance for PII controllers

This section deals with PIMS-specific implementation advice for PII controllers. It is associated with the measures detailed in Annex A.

For instance, in order to be in compliance with the laws that apply, you must specify the precise purposes for the PII you process and have a legal justification for doing so. If the intent behind processing PII evolves or expands, updates should be made.

Aside from these topics, the guidance also outlines contracts with PII processors, clear roles and responsibilities with any joint controllers, considerations of special category data and consent requirements, privacy impact assessment requirements to reduce risk to PII principals, and considerations of special category data and considerations.

People whose PII you process should understand why and how information is processed, along with a point of contact for inquiries. On consent, withdrawals, and PII access, correction, or deletion, specific instructions are provided. Additionally offered are third-party obligations, managing requests, and automated decision-making advice.

The accuracy and quality of PII, constraints on the amount collected based on the purpose of processing, and end of processing criteria should all be taken into account when implementing privacy by design for processes and systems. Importantly, PII sharing, transfer, and disclosure information is provided to assist you in moving your records between jurisdictions.

Clause 8: Additional guidance for PII Processors

This section addresses implementation advice for PII processors particular to PIMS. The restrictions indicated in Annex B are relevant.

For instance, in order to help customers meet their obligations, including those of PII principles, customer contracts should mention your company's function as a PII Processor. To utilise PII data for marketing and advertising, prior consent is required.

There is advice provided on how to locate and keep track of the records required to prove compliance with the agreed-upon PII processing you carry out.

Detailed instructions are provided on how to assist your customer with specific requests, manage temporary files created during processing, return, transfer, or securely dispose of PII, and use the proper transmission controls.

In order to accommodate jurisdictional transfers, third-party and subcontractor requirements, and management of legally enforceable PII disclosures, thorough PII sharing, transfer, and disclosure guidance is provided.


The ISO/IEC 27701 standard contains a number of Annexes. While annexes C–F contain additional information that can help with setting up and running an effective PIMS, annexes A and B are for controllers and processors, respectively. Following are covered in Annexes:

Annex A

An inventory of PII controller controls. A reason for any control that is excluded must be included in the statement of applicability even though not all controls will be necessary.

Annex B

An inventory of PII processor controls. A reason for any control that is excluded must be included in the statement of applicability even though not all controls will be necessary.

Annex C

Controls for PII controllers are mapped to the privacy principles in ISO/IEC 2900. This illustrates how compliance with ISO/IEC 27701's requirements and controls relate to the privacy principles in ISO/IEC 29100.

Annex D

Articles 5 to 49 of the GDPR are mapped to the provisions in ISO/IEC 27701 (except 43). This demonstrates how fulfilling GDPR regulations might be relevant to conforming to ISO/IEC 27701 requirements and controls.

Annex E

Clauses in ISO/IEC 27701 mapped to:

• Requirements for PII processors in public clouds under ISO/IEC 27018

• ISO/IEC 29151 for guidelines and extra controls for PII controllers.

Annex F

Provides information on how to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002. It offers various application examples as well as a clear map of how information security words are extended to encompass privacy. 

LinkedIn Youtube

We use cookies to enhance your user experience. By continuing to browse, you hereby agree to the use of cookies. To know more; visit our Privacy Policy & Cookies Policy.