ISO/IEC 27701:2019 extends the ISO/IEC 27001 information security management system (ISMS) requirements and the ISO/IEC 27002 control guidance to privacy information management. It defines a Privacy Information Management System (PIMS) as an extension of the ISMS, with requirements and guidance for the processing of personally identifiable information (PII). Organisations that already hold ISO/IEC 27001 certification can use 27701 to support their demonstration of compliance with privacy regulations such as the European General Data Protection Regulation (GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA). Note the limit of that claim: the standard's Annex D maps its controls to GDPR articles, but a 27701 certificate is not a GDPR certification under Article 42 and does not by itself establish that any particular processing is lawful. The standard applies to both PII controllers (entities that determine the purposes and means of processing) and PII processors (entities that process PII on behalf of controllers).
The key architectural insight is that 27701 does not replace 27001 — it extends it. A PIMS is built on top of an existing ISMS, reusing all ISMS processes including risk assessment, internal audit, management review, and continual improvement while adding PII-specific controls and privacy-specific management processes. This integrated approach avoids the duplication of effort that would result from maintaining separate management systems and ensures that privacy considerations are embedded within the organisation’s existing governance framework rather than being treated as a separate compliance exercise.
The standard is organised into four main sections (Clauses 5 to 8) that together provide a comprehensive privacy management framework. Clause 5 covers PIMS-specific requirements that extend the ISMS clauses of ISO/IEC 27001, including context of the organisation (identifying privacy-related internal and external issues and the organisation's role as controller, processor or both), leadership (demonstrating top management commitment to privacy), planning (setting privacy objectives and risk treatment plans), support (providing resources and competence), operation (implementing operational privacy controls), performance evaluation (monitoring and measuring privacy performance), and improvement (addressing nonconformities and continually improving the PIMS).
Clause 6 provides PIMS-specific guidance for the ISO/IEC 27002 controls, covering areas such as access control, cryptography, physical security and incident management from a privacy perspective. Clause 7 provides PII controller-specific guidance covering lawful basis for processing (under the GDPR: consent, contract, legal obligation, vital interests, public task, legitimate interests), consent management (obtaining, recording and managing consent preferences), data subject rights handling (access, rectification, erasure, restriction, portability, objection, automated decision-making), and cross-border data transfer mechanisms (adequacy decisions, standard contractual clauses, binding corporate rules and derogations). Clause 8 provides PII processor-specific guidance covering processing instructions from controllers, confidentiality agreements, subcontractor management and due diligence, data breach notification procedures, and secure return or deletion of PII upon contract termination. The controller and processor controls are also listed in Annex A and Annex B respectively, which is what the Statement of Applicability refers to. One terminology point: 27701 itself is regulation-neutral and uses the ISO/IEC 29100 vocabulary ("PII principal" rather than "data subject"); the specific lawful bases, rights and transfer mechanisms named above are the GDPR instances of the standard's generic requirements.
| Role | Key Obligations per 27701 | Common Implementation | Regulatory Alignment |
|---|---|---|---|
| PII Controller | Lawful basis determination, consent records, data subject request handling, records of processing, DPIAs, breach notification, cross-border transfer safeguards | Consent management platform (CMP), data mapping tools, DPIA templates, SCCs or BCRs | GDPR Art. 6, 7, 12-23, 30, 33-35, 44-49 |
| PII Processor | Processing instruction compliance, confidentiality, subcontractor due diligence, breach notification, secure deletion | Data processing agreements (DPAs), processor registers, breach notification playbooks, secure erasure certification | GDPR Art. 28, 32, 33 |
| Joint Controllers | Clear responsibility allocation, single point of contact, coordinated breach response | Joint controllership agreements, shared RACI matrix, unified privacy notice | GDPR Art. 26 |
The standard requires that privacy risk assessment be integrated with but distinguished from information security risk assessment. Organisations must conduct a PII-specific risk assessment that considers the likelihood and impact of privacy events (not just security breaches), the nature and sensitivity of PII being processed, the expectations of data subjects, and regulatory requirements across all jurisdictions where data subjects reside. The Statement of Applicability (SoA) for an ISMS must be augmented with a PIMS SoA that documents which privacy controls have been selected, the rationale for inclusion or exclusion, and the implementation status of each control. Internal audit programmes must be expanded to cover privacy controls, and auditors with privacy-specific competence must be involved. Management review meetings must address privacy performance indicators alongside traditional security metrics, ensuring that privacy receives board-level attention.
Implementing 27701 requires both technical and organisational measures working in concert. On the technical side, organisations should deploy data classification engines that automatically identify and tag PII across databases, data lakes and file shares. Pseudonymisation and anonymisation tools should be integrated into data pipelines to support privacy by design in analytics and AI workloads; keep in mind that pseudonymised data is still PII as long as the re-identification key exists, so the key needs its own access control. Consent preference management APIs should propagate user choices across all processing systems, including downstream data processors and subcontractors, promptly enough that a withdrawn consent actually stops processing rather than being queued behind a nightly batch. Data subject request portals with automated workflows for access, rectification and deletion requests should be implemented with target response times that meet regulatory deadlines (under GDPR Art. 12(3), without undue delay and at most one month from receipt, extendable by a further two months for complex or numerous requests provided the data subject is told within the first month). Monitoring systems should detect potential privacy breaches such as unusual data export volumes or access to PII by roles that have no business need for it, triggering automated response workflows.

From an organisational perspective, privacy champions should be embedded in product teams to provide day-to-day guidance, privacy impact assessments should be integrated into the project lifecycle stage-gate review process, and privacy awareness training should be role-specific rather than generic, covering different scenarios for engineers, product managers, sales staff and HR personnel.
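The monitoring measure above is the one piece of this section that is genuinely detection logic, so here is an added example of what it looks like in practice. It is not code from the article or from ISO/IEC 27701. The audit log format (JSON lines with user, role, action, table, classification and row count), the role-to-classification policy, the per-role daily export caps and the sample events are all constructed assumptions for illustration. Two checks are shown: a role touching a PII classification it is not permitted for (unknown roles fail closed), and a user's exported row count for a day exceeding the cap for their role. Malformed log lines are counted rather than silently dropped.

```python
"""Privacy anomaly detection over PII access audit logs.

Added example, not from the article or the standard. Log format, policy
tables, caps and sample events are assumptions made for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit events (JSON lines). The third-to-last line is
# deliberately malformed to exercise the parser's error handling.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","user":"alice","role":"support","action":"read","table":"customers","classification":"pii","rows":3}
{"ts":"2024-03-01T10:00:00Z","user":"bob","role":"analyst","action":"export","table":"orders_pseudo","classification":"pii_pseudonymised","rows":40000}
{"ts":"2024-03-01T11:30:00Z","user":"carol","role":"marketing","action":"read","table":"customers","classification":"pii","rows":10}
{"ts":"2024-03-01T23:10:00Z","user":"alice","role":"support","action":"export","table":"customers","classification":"pii","rows":1200}
{"ts":"2024-03-01T23:15:00Z","user":"alice","role":"support","action":"export","table":"customers","classification":"pii","rows":1500}
{"ts":"2024-03-02T08:00:00Z","user":"dave","role":"dpo","action":"read","table":"health_records","classification":"pii_sensitive","rows":2}
{"ts":"2024-03-02T08:30:00Z","user":"erin","role":"analyst","action":"read","table":"health_records","classification":"pii_sensitive","rows":500}
not a json line
{"ts":"2024-03-02T09:00:00Z","user":"frank","role":"contractor","action":"read","table":"customers","classification":"pii","rows":5}
"""

# Assumed policy: which PII classifications each role may access.
# A role absent from this table is treated as permitted nothing (fail closed).
ROLE_PERMITTED = {
    "support": {"pii"},
    "analyst": {"pii_pseudonymised"},
    "marketing": {"pii_pseudonymised"},
    "dpo": {"pii", "pii_sensitive", "pii_pseudonymised"},
}

# Assumed per-role cap on rows exported per user per day.
DAILY_EXPORT_CAP = {
    "support": 500,
    "analyst": 100_000,
    "marketing": 10_000,
    "dpo": 10_000,
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "unauthorised_access" or "bulk_export"
    user: str
    detail: str


def parse_events(log_text):
    """Parse JSON-lines audit log; return (events, count_of_malformed_lines)."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def unauthorised_access(events):
    """Flag every event where the role is not permitted the classification."""
    findings = []
    for ev in events:
        allowed = ROLE_PERMITTED.get(ev["role"], set())
        if ev["classification"] not in allowed:
            findings.append(Finding(
                "unauthorised_access", ev["user"],
                f"role {ev['role']} accessed {ev['classification']} "
                f"in {ev['table']} at {ev['ts']}"))
    return findings


def bulk_export(events):
    """Sum exported rows per (user, role, day) and flag totals over the cap."""
    totals = defaultdict(int)
    for ev in events:
        if ev["action"] == "export":
            day = ev["ts"][:10]          # YYYY-MM-DD prefix of the timestamp
            totals[(ev["user"], ev["role"], day)] += ev["rows"]
    findings = []
    for (user, role, day), rows in sorted(totals.items()):
        cap = DAILY_EXPORT_CAP.get(role, 0)   # unknown role: cap of zero
        if rows > cap:
            findings.append(Finding(
                "bulk_export", user,
                f"{rows} rows exported on {day}, cap for role {role} is {cap}"))
    return findings


def analyse(log_text):
    """Run both checks; return (findings, malformed_line_count)."""
    events, malformed = parse_events(log_text)
    return unauthorised_access(events) + bulk_export(events), malformed


if __name__ == "__main__":
    results, bad = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:20} {f.user:8} {f.detail}")
    print(f"{bad} malformed line(s) skipped")
```

Note that alice's two late-night exports are combined into a single daily total before comparison, so splitting a bulk pull into several smaller ones does not evade the check, while bob's large export of pseudonymised data stays under his role's cap and is not flagged. In a real deployment the findings would feed the automated response workflow the text describes, and the caps would be derived from observed baselines rather than hard-coded.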