ISO 27701 Privacy Information Management Skill

Always mention GDPR alignment in your first paragraph when explaining what ISO 27701 is. ISO 27701 was specifically designed to help organizations demonstrate compliance with GDPR, UK GDPR, and similar privacy regulations — this is its primary value proposition and users need to hear this upfront, not buried in a regulatory table.

Also clarify the organization's role: PII Controller, PII Processor, or both — this determines which Annex A controls apply.

Match your output to the task type:

Standard Overview

ISO 27701:2025 — Standalone PIMS (Current)

ISO/IEC 27701:2025 ("Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance") was published 14 October 2025 as the second edition. Its most significant change: it is now a standalone management system standard — organizations can implement and certify a PIMS without first implementing ISO 27001.

The standard adopts the ISO High-Level Structure (HLS) (same framework as ISO 27001:2022 and ISO 42001:2023), making integration with other management systems straightforward. Integration with ISO 27001 is still fully supported and encouraged.

Annex A structure (78 total controls):

• A.1: PII Controller controls — 31 controls across 4 domains
• A.2: PII Processor controls — 18 controls across 4 domains
• A.3: Shared information security controls — 29 controls
• Annex B: Implementation guidance (new in 2025)

Transition deadline for 2019 certified organizations: October 2028

ISO 27701:2019 — Extension Edition (Legacy)

The 2019 edition extended ISO 27001:2013 and ISO 27002:2013 and required ISO 27001 certification as a prerequisite. Controls were split across Annex A (controller) and Annex B (processor). All 2019 certifications must transition to 2025 by October 2028.

For detailed transition guidance, read references/transition-guide.md.

Clause Structure (HLS Clauses 4–10)

All mandatory PIMS requirements live in Clauses 4–10. No clause may be excluded:

Core Workflows

1. Gap Analysis

When asked to perform or help with a gap analysis:

1. Clarify: version (2019/2025), role (controller/processor/both), sector, existing frameworks (ISO 27001, GDPR programme, etc.)
2. Produce a table covering ALL mandatory clause requirements (4–10) + applicable Annex A controls
3. For each item: Status (Implemented / Partial / Not Implemented / N/A), Evidence Needed, Gap Notes
4. Summarise critical gaps and recommended priority order
5. Offer to generate a remediation roadmap

Status definitions:

• ✅ Implemented — control/requirement is fully in place with evidence
• 🟡 Partial — some evidence exists but gaps remain
• ❌ Not Implemented — no evidence of implementation
• N/A — documented exclusion in SoA with justification

Key gap areas to probe first:

• Records of Processing Activities (RoPA) — does one exist and is it current?
• Data Subject Rights procedure — documented, tested, within response SLAs?
• Consent management — lawful basis documented for every processing activity?
• Data transfer mechanisms (SCCs, BCRs, adequacy) — documented per transfer?
• Privacy by design — embedded in SDLC / product development process?
• Processor contracts — do all include required privacy clauses (A.1.2.7)?
• Privacy risk assessment methodology — defined, applied, and recorded?
• DPO / privacy role — appointed, resourced, and empowered?
• DPIA process — triggered for high-risk processing, completed with records?

Consult references/annex-a-controls.md for the full control listing.

2. Policy & Document Generation

When generating policies or documents:

• Always include: Purpose, Scope, Policy Statement, Roles & Responsibilities, Procedures/Controls, Review Cycle, References
• Map each document to the relevant clause(s) and Annex A control(s)
• Include a document control block: Version | Author | Approved By | Date | Next Review

Core PIMS documents and their primary mappings:

3. Control Implementation Guidance

For any Annex A control, structure your response as:

Control: [ID] [Name]

• Purpose: Why this control exists / what privacy risk it addresses
• What to implement: Concrete, actionable steps
• Evidence for audit: What an auditor will look for
• Common pitfalls: What teams typically miss
• Regulatory link: Which GDPR article / regulation this addresses

Consult references/annex-a-controls.md for full control listings with descriptions.

When covering PII Processor (Annex A.2) obligations, always use ISO 27701's own terminology — these are the exact phrases auditors and clients will look for:

Using these exact ISO 27701 terms (rather than paraphrasing) matters: they map directly to audit evidence requests and DPA contractual clauses.

4. Privacy Risk Assessment

Privacy risks differ from security risks — they concern harm to PII principals (individuals whose data is processed), not just organizational harm.

Risk register columns: Processing Activity | Personal Data Types | PII Principals Affected | Threat | Vulnerability | Likelihood (1–5) | Severity of Harm (1–5) | Risk Score | Treatment | Control(s) | Owner | Due Date | Residual Risk

Treatment options: Accept | Avoid | Transfer | Mitigate

DPIA trigger criteria — a DPIA is required when processing is likely to result in high risk to individuals, especially when:

• Systematic profiling with significant effects
• Processing of special category data at scale
• Systematic monitoring of public areas
• New technologies with untested privacy implications

Important: The SoA must reflect the controls selected through the risk treatment process.

5. Statement of Applicability (SoA)

SoA columns for ISO 27701:2025:

Role-based SoA scope:

• PII Controller only: Include A.1 (31 controls) + A.3 (29 controls) = 60 controls
• PII Processor only: Include A.2 (18 controls) + A.3 (29 controls) = 47 controls
• Both controller and processor: Include A.1 + A.2 + A.3 = 78 controls

Implementation Status values: Implemented | Partially Implemented | Planned | Not Applicable

ISO 27701:2019 → 2025 Key Differences

Mandatory Documentation Checklist

Produce this when asked for certification readiness:

Mandatory records (ISO 27701:2025):

• PIMS Scope (4.3)
• Privacy Policy (5.2)
• Privacy risk assessment methodology (6.1)
• Privacy risk assessment results (6.1)
• Privacy risk treatment plan (6.1)
• Statement of Applicability (6.1)
• Privacy objectives and achievement plans (6.2)
• Competence evidence for privacy roles (7.2)
• Privacy awareness training records (7.3)
• Records of Processing Activities / RoPA (8)
• Data Subject Rights handling records (8)
• Processor contracts with required privacy clauses (8)
• DPIA records for all high-risk processing activities (8)
• Operational privacy risk assessment results (8.2)
• Privacy monitoring and measurement results (9.1)
• Internal audit programme and results (9.2)
• Management review results (9.3)
• Privacy nonconformities and corrective actions (10.1)

Key Statements to Make Explicit

These points are frequently asked, frequently misunderstood, and must be stated clearly whenever they are relevant — do not leave them implied:

On GDPR compliance:

• ISO 27701 is not a GDPR safe harbor. Certification does not guarantee GDPR compliance and does not shield an organization from regulatory enforcement.
• ISO 27701 has not been approved as a formal Article 42 GDPR certification scheme in most EU member states — it therefore carries no legal presumption of compliance.
• What it does provide: strong evidence of Article 24/32 technical and organisational measures (TOMs) and accountability documentation under Article 5(2).

On certification requirements (version-specific):

• ISO 27701:2019 requires ISO 27001 as a prerequisite — it cannot be certified as a standalone standard. Organizations must hold (or pursue simultaneously) ISO 27001 certification.
• ISO 27701:2025 is a standalone standard — ISO 27001 is no longer a prerequisite, though integration is fully supported and commonly pursued together.
• The 2019 edition is still the most widely certified; most existing certifications are under 2019. Transition to 2025 is required by October 2028.

On scope limitations:

• ISO 27701 certification only covers the defined PIMS scope. Processing activities outside that scope receive no certification coverage.
• Historical violations (pre-certification) are not remedied by achieving certification.

Regulatory Alignment Quick Reference

ISO 27701:2025 includes an updated GDPR correspondence annex and aligns with major global privacy regulations. For detailed mappings, read references/regulatory-mapping.md.

Reference Files

Load the appropriate reference file based on the task:

• references/annex-a-controls.md — Complete listing of all 78 Annex A controls (A.1 controller, A.2 processor, A.3 shared security) with descriptions and common gaps
• references/transition-guide.md — Detailed 2019 → 2025 transition guide: control mapping table, gap analysis approach, transition audit steps
• references/regulatory-mapping.md — GDPR article-by-article mapping, CCPA, LGPD, PIPEDA, and other privacy regulation alignment

When to load reference files:

• User asks about a specific control → load annex-a-controls.md
• Transitioning from 2019 certification → load transition-guide.md
• GDPR / regulatory alignment question → load regulatory-mapping.md
• Gap analysis or SoA generation → load annex-a-controls.md