ISO 27701 - Privacy Information Management

    Standards and Frameworks

    ISO 27701 - Privacy Information Management

    Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy

    ISO 27701 is a privacy extension to ISO 27001 and ISO 27002, providing additional guidance for the protection of privacy. It was published on August 6, 2019, with a draft of the standard shared for public comment from December 12, 2018 to February 25, 2019.

    Last Updated: August 9, 2019

  • General

    The draft of ISO 27701, formerly referred to as ISO 27552, was written by the ISO/IEC Working Group responsible for ‘Identity Management and Privacy Technologies.’ A BSI-nominated Project Editor lead the development of ISO/IEC 27701–BSI is the UK-Government-appointed national standards body and represents the UK interests at both the ISO and the IEC.

    ISO 27701 specifies requirements for a Privacy Information Management System (PIMS). It provides a framework of privacy-related controls and best practices. The standard is intended to be a certifiable extension to ISO 27001. In other words, organizations that are planning to certify to ISO 27701 will need ISO 27001 certification as a precursor.

    ISO 27701 aims to

    1. supplement the Information Security Management System (ISMS) with a PIMS and privacy-specific controls,
    2. recognize overlap between different privacy laws and reduce complexity,
    3. build an evidence-based privacy program and demonstrate compliance through accredited third-party certification,
    4. serve as the basis for a potential GDPR certification mechanism.

    The published ISO 27701 standard

    1. outlines the relationship between the PIMS and the ISMS (i.e., how ISO 27701 relates to ISO 27001),
    2. lays out PIMS requirements for data controllers and processors,
    3. lists applicable privacy-related controls for controllers and processors,
    4. maps privacy-related controls to GDPR and other relevant ISO standards (29100, 27018 and 29151).

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.