ISO 27701 extends ISO 27001 into the privacy domain. If your organisation already has an ISMS, you are building an extension, not starting from scratch. A Privacy Information Management System (PIMS) is a structured way of managing personal data across its entire lifecycle: how it is collected, stored, processed, shared, and deleted. It turns your privacy policy from a legal PDF into a set of living processes that actually protect people.
What Is a PIMS, and Why Should You Care?
ISO 27701:2019 is the first international standard written specifically for a PIMS. Its Annex D maps the standard's controls to GDPR articles; organisations working under other regimes (India's DPDP Act, the PDPA, the CCPA) typically build their own mapping on top of that, since the standard predates some of them. The standard distinguishes between PII controllers (Annex A, 31 controls) and PII processors (Annex B, 18 controls). Your Statement of Applicability must justify which controls apply and why.
ISO 27701 certification creates the documented accountability that regulators look for when assessing privacy governance. An organisation with a certified PIMS is in a far stronger position during regulatory scrutiny than one relying on undocumented practices. Certification does not equal legal compliance, but it is the clearest structural signal of privacy maturity.
Phase 1: Define Your PIMS Scope
Determine which business functions, data flows, and processing activities are included. Identify whether you operate as controller, processor, or both, and do so for each activity separately. This shapes the entire implementation.
Phase 2: Conduct a Gap Assessment
Map your current state against ISO 27701 Clauses 5 to 8 and the applicable Annex controls. Be brutal: a gap that slips through now becomes a nonconformity in the certification audit. Produce a prioritised remediation backlog with owners and deadlines.
Phase 3: Build Your Record of Processing Activities (RoPA)
The RoPA is the operational heart of your PIMS. Document every processing activity: purpose, legal basis, data categories, retention, recipients, third-country transfers, and security measures. Interview every department. You will find surprises.
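Those surprises are easier to find if the RoPA is machine-checkable rather than a spreadsheet nobody re-reads. The following Python is an added example, not code from the page or from the standard: it lints a constructed sample register for the gaps an auditor would raise, such as a missing purpose, an invalid lawful basis, consent-based processing with no consent evidence, no retention period, and a transfer outside an adequacy area with no documented mechanism. The record shape, the adequacy list, the sample activities (including the hypothetical "DPA-2024-017" reference) and the Annex A/B control references in the code are this example's assumptions; the control references in particular should be confirmed against your own copy of the standard and Statement of Applicability.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Record shape, sample data and the short lists below are constructed for this
# example; ISO 27701 prescribes what a RoPA must evidence, not a schema.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# Illustrative adequacy list (assumed). Legal should own the real one.
ADEQUATE_DESTINATIONS = {"EEA", "UK", "CH", "JP"}
TRANSFER_MECHANISMS = {"SCC", "BCR", "derogation"}


@dataclass
class Transfer:
    destination: str            # country code or bloc the data leaves to
    mechanism: Optional[str]    # SCC, BCR, derogation, or None if undocumented


@dataclass
class ProcessingActivity:
    name: str
    role: str                   # "controller" or "processor", decided per activity
    purpose: str
    lawful_basis: Optional[str]
    data_categories: List[str]
    retention: Optional[str]
    recipients: List[str] = field(default_factory=list)
    transfers: List[Transfer] = field(default_factory=list)
    consent_record_ref: Optional[str] = None          # where consent evidence lives
    controller_instruction_ref: Optional[str] = None  # processor: the DPA / instructions


Finding = Tuple[str, str]  # (control reference, description)


def lint_activity(a: ProcessingActivity) -> List[Finding]:
    """Return the gaps an auditor would raise for one RoPA entry.
    The control references are this example's own mapping to Annex A/B."""
    findings: List[Finding] = []
    if not a.purpose.strip():
        findings.append(("A.7.2.1", "purpose not documented"))
    if a.role == "controller":
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append(("A.7.2.2", f"lawful basis missing or invalid: {a.lawful_basis!r}"))
        if a.lawful_basis == "consent" and not a.consent_record_ref:
            findings.append(("A.7.2.4", "consent-based processing with no consent record"))
    elif a.role == "processor":
        if not a.controller_instruction_ref:
            findings.append(("B.8.2.1", "no reference to the controller's agreement or instructions"))
    else:
        findings.append(("scope", f"role must be controller or processor, got {a.role!r}"))
    if not a.retention:
        findings.append(("A.7.4.7", "retention period not defined"))
    for t in a.transfers:
        if t.destination in ADEQUATE_DESTINATIONS:
            continue  # an adequacy decision covers this destination
        if t.mechanism not in TRANSFER_MECHANISMS:
            findings.append(("A.7.5.1", f"transfer to {t.destination} without a documented mechanism"))
    return findings


def lint_register(activities: List[ProcessingActivity]) -> dict:
    """Map each activity name to its list of findings (empty list = clean)."""
    return {a.name: lint_activity(a) for a in activities}


# Constructed sample register: the kind of mix a departmental interview turns up.
SAMPLE_REGISTER = [
    ProcessingActivity("Payroll", "controller", "Pay staff and report tax",
                       "legal_obligation", ["name", "bank details", "salary"],
                       "7 years after employment ends", recipients=["payroll provider"]),
    ProcessingActivity("Newsletter", "controller", "Send product updates",
                       "consent", ["email"], None, transfers=[Transfer("US", None)]),
    ProcessingActivity("Hosted analytics", "processor", "Process customer event data on instruction",
                       None, ["pseudonymous IDs", "events"], "per customer instruction",
                       transfers=[Transfer("US", "SCC")], controller_instruction_ref="DPA-2024-017"),
    ProcessingActivity("Legacy CRM export", "controller", "",
                       "because marketing asked", ["name", "email", "phone"], None),
]

if __name__ == "__main__":
    for name, findings in lint_register(SAMPLE_REGISTER).items():
        print(name, findings or "OK")
```

Run over the sample, "Payroll" and "Hosted analytics" come back clean, "Newsletter" is flagged for missing consent evidence, retention and transfer mechanism, and "Legacy CRM export" for missing purpose, basis and retention. The point of keeping the rules as code is that the same lint can run on every quarterly RoPA review, which is exactly where hand-maintained registers decay.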
Phase 4: Privacy Risk Assessment and DPIA Framework
Assess risks from the data subject's perspective, not just organisational risk. Build a Data Protection Impact Assessment (DPIA) trigger matrix for high-risk processing. Link each risk to a control treatment. Document residual risk acceptance with sign-off from leadership.
Phase 5: Implement Annex A and Annex B Controls
Translate your risk treatment plan into operational controls. Each control needs: a policy reference, an operational procedure, an owner, evidence artefacts, and a review cadence. Produce your Statement of Applicability; it is a living document, not a one-time exercise.
Phase 6: Policies, Procedures, and Privacy Notices
Write the required policy suite: Privacy Policy, Data Retention Policy, Data Subject Request (DSR) Procedure, Breach Notification Procedure, and Supplier Management Policy. Create layered privacy notices for every data collection touchpoint. Update supplier contracts with data processing agreement (DPA) schedules.
Phase 7: Staff Training and Internal Audit
Run role-based privacy training for all staff. Conduct at least one full internal audit cycle against ISO 27701 before the Stage 1 certification audit. Hold a formal Management Review meeting. Document everything: auditors expect documented evidence of your own scrutiny.
Phase 8: Stage 1 and Stage 2 Certification Audit
Stage 1 is a documentation review: auditors verify that the PIMS is designed correctly. Stage 2 is operational verification: they sample evidence to test whether the controls actually operate. After certification, the certificate is maintained through periodic surveillance audits and full recertification at the end of each three-year cycle, alongside your own continuous improvement programme.
The Controls That Trip People Up Most
- A.7.2.1, Identify and document purpose: organisations discover processing for purposes that were never formally documented, or documented purposes that have quietly evolved. Every activity must have an explicit, documented purpose.
- A.7.2.3 and A.7.2.4, Determine, obtain and record consent: consent records must be granular (one purpose at a time), timestamped, tied to the notice version the subject actually saw, and withdrawable. Pre-ticked boxes and "by continuing to use this site" language do not constitute consent. You need a system that can produce this evidence per subject and per purpose, not a spreadsheet.
- A.7.5.1 (B.8.5.1 for processors), Basis for PII transfer between jurisdictions: cross-border transfers are among the most complex areas. SCCs, adequacy decisions, BCRs: each has specific implementation requirements. Get legal involved early on transfer mapping.
- A.7.2.8 (B.8.2.6 for processors), Records related to processing PII: your RoPA is a live document. Many organisations nail the initial build and then let it decay. Build a quarterly review trigger into your privacy calendar.
The most common finding in first-time ISO 27701 audits is not that privacy controls are absent; it is that they exist informally, without documentation. Your team may handle data subject requests carefully, but if there is no written procedure, no defined response timeline, and no log of requests received, an auditor cannot confirm the control exists. In a PIMS audit, undocumented processes are treated as absent processes.
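The two pieces of evidence this section singles out, consent records and a data subject request log, are small enough to show concretely. The Python below is an added example, not code from the page or from the standard. It models an append-only consent ledger (one event per subject and purpose, timestamped, withdrawal recorded as a new event rather than an edit, non-affirmative "consent" rejected at write time) and a DSR register that computes a response deadline and reports what is overdue. Field names, the 30-day window and the sample events are this example's assumptions; GDPR Art. 12(3) sets one month, extendable in limited cases, so the window is a parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Record types and field names are this example's assumptions; the standard
# says what must be evidenced, not how to store it.


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str              # one purpose per event: "newsletter", not "marketing"
    granted: bool             # False records a withdrawal
    timestamp: datetime       # must be timezone-aware
    notice_version: str       # which privacy notice text the subject saw
    affirmative: bool = True  # False for pre-ticked boxes / "by continuing" signals


class ConsentLedger:
    """Append-only consent evidence. Current state is derived by replaying
    events, so a withdrawal never overwrites the record of the original grant."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.timestamp.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if event.granted and not event.affirmative:
            # pre-ticked boxes and implied consent are not valid grants
            raise ValueError(f"non-affirmative consent rejected for {event.purpose!r}")
        self._events.append(event)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Replay events up to `at` (default: now) and return the latest state."""
        at = at or datetime.now(timezone.utc)
        state = False
        for e in sorted(self._events, key=lambda e: e.timestamp):
            if e.subject_id == subject_id and e.purpose == purpose and e.timestamp <= at:
                state = e.granted
        return state

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject: the evidence trail for an auditor."""
        return [e for e in self._events if e.subject_id == subject_id]


@dataclass
class DataSubjectRequest:
    request_id: str
    subject_id: str
    kind: str                           # access, erasure, rectification, portability, ...
    received: datetime
    completed: Optional[datetime] = None


class DSRRegister:
    """Log of requests received with a computed response deadline."""

    def __init__(self, window: timedelta = timedelta(days=30)) -> None:
        self.window = window            # assumed default; set to your legal deadline
        self.requests: List[DataSubjectRequest] = []

    def log(self, req: DataSubjectRequest) -> datetime:
        self.requests.append(req)
        return self.due(req)

    def due(self, req: DataSubjectRequest) -> datetime:
        return req.received + self.window

    def overdue(self, now: datetime) -> List[str]:
        return [r.request_id for r in self.requests
                if r.completed is None and now > self.due(r)]

    def response_days(self, request_id: str) -> Optional[int]:
        """How long a closed request actually took; None if open or unknown."""
        for r in self.requests:
            if r.request_id == request_id and r.completed is not None:
                return (r.completed - r.received).days
        return None


def demo() -> dict:
    """Constructed sample data exercising both records."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u-1001", "newsletter", True, t0, "notice-v3"))
    ledger.record(ConsentEvent("u-1001", "newsletter", False, t0 + timedelta(days=40), "notice-v3"))
    try:
        ledger.record(ConsentEvent("u-1002", "profiling", True, t0, "notice-v3", affirmative=False))
        rejected = False
    except ValueError:
        rejected = True

    reg = DSRRegister()
    reg.log(DataSubjectRequest("DSR-1", "u-1001", "access", t0, completed=t0 + timedelta(days=12)))
    reg.log(DataSubjectRequest("DSR-2", "u-1003", "erasure", t0 + timedelta(days=5)))
    now = t0 + timedelta(days=45)
    return {
        "consent_before_withdrawal": ledger.has_consent("u-1001", "newsletter", at=t0 + timedelta(days=10)),
        "consent_now": ledger.has_consent("u-1001", "newsletter", at=now),
        "pre_ticked_rejected": rejected,
        "history_len": len(ledger.history("u-1001")),
        "overdue": reg.overdue(now),
        "dsr1_days": reg.response_days("DSR-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the append-only ledger: `has_consent` answers "did this subject consent to this purpose at time T?", which is the question a regulator asks about a specific send or a specific profiling decision, while `history` gives the auditor the full trail including the withdrawal. The DSR register turns "we respond promptly" into a deadline per request and a list of what is late, which is the difference between a control that exists and one the auditor can see.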
PIMS Implementation Readiness Checklist
- ISO 27001 certification in place or implementation mature
- Roles defined (controller, processor, or both) for each activity
- Record of Processing Activities started or in progress
- Data flows mapped for major business functions
- Legal basis identified for each processing activity
- Privacy risks identified and added to risk register
- Data subject rights procedure drafted or in place
- DPIA procedure defined and applied to high-risk activities
- Vendor contracts reviewed for data processing clauses
- Privacy awareness training delivered to relevant staff
- Retention schedule defined for all categories of personal data
- Privacy lead or DPO identified and accountabilities documented
The work required to build a PIMS is mostly documentation, structured process, and a clear understanding of where personal data sits in your organisation. If the ISMS foundation is solid, the extension to a full PIMS is closer than most organisations realise.
Frequently Asked Questions
Can you certify to ISO 27701 without ISO 27001?
Not as a standalone certification. ISO 27701 is an extension to ISO 27001 and requires the ISMS foundation. However, you can pursue both certifications together in a single integrated programme; this is the most efficient path for organisations starting from scratch.
How long does an ISO 27701 implementation take?
For organisations already ISO 27001-certified, three to six months is typical. For organisations pursuing ISO 27001 and ISO 27701 together, six to twelve months. The timeline depends on organisational size, existing security maturity, and the complexity of data processing activities.
What is the most common finding in a first-time ISO 27701 audit?
Controls that exist informally without documentation. Teams may handle data subject requests carefully, but without a written procedure, a defined timeline, and a request log, auditors cannot confirm the control is operational. In PIMS audits, undocumented processes are treated as absent processes.
Do controllers and processors implement different controls?
Yes. ISO 27701 has separate control annexes: Annex A for PII controllers (31 controls) and Annex B for PII processors (18 controls). Most SaaS organisations operate in a dual role (controller for their own customer, employee and marketing data; processor for the data their customers put into the product) and must implement controls from both annexes. Your Statement of Applicability documents which controls apply and in what context.
Is the Record of Processing Activities really that important?
Yes. It is the single most important document in your PIMS. It is simultaneously a regulatory requirement, an audit artefact, a data governance tool, and the foundation for consent management, data subject rights, retention schedules, and processor accountability. If one document had to survive, it would be the RoPA.