Key Takeaways
| Point | Summary |
|---|---|
| Prerequisite | Complete ISO 27001 checklist first |
| Focus areas | PIMS requirements, controller controls, processor controls |
| Documentation | Privacy-specific policies, PII inventory, legal basis |
| Implementation | Privacy controls operational and effective |
| Verification | Internal audit and management review completed |
| Readiness indicator | All critical items complete before certification audit |
Quick Answer: ISO 27701 compliance requires extending your ISMS with privacy-specific requirements. Key areas include documenting PII processing context, implementing controller or processor controls based on your role, establishing data subject rights processes, and demonstrating privacy governance through audit and management review.
Prerequisites Checklist
Before starting ISO 27701, confirm your ISO 27001 foundation:
ISO 27001 Foundation
| Item | Status |
|---|---|
| [ ] ISO 27001 certification achieved or in progress | |
| [ ] ISMS scope documented and appropriate | |
| [ ] Risk assessment methodology established | |
| [ ] Internal audit program operational | |
| [ ] Management review process in place | |
| [ ] Document control procedures working | |
PIMS Establishment Checklist
Context and Scope (Clause 5)
| Item | Status | Notes |
|---|---|---|
| [ ] PII processing activities identified | | |
| [ ] Internal context for privacy documented | | |
| [ ] External context (regulations, contracts) documented | | |
| [ ] Privacy stakeholders identified | | |
| [ ] Stakeholder requirements documented | | |
| [ ] PIMS scope statement defined | | |
| [ ] Scope covers all PII processing | | |
| [ ] Controller/processor roles determined | | |
Leadership (Clause 6)
| Item | Status | Notes |
|---|---|---|
| [ ] Privacy policy established | | |
| [ ] Privacy policy communicated | | |
| [ ] Privacy roles assigned | | |
| [ ] Privacy responsibilities documented | | |
| [ ] Management commitment demonstrated | | |
| [ ] Adequate resources allocated | | |
| [ ] DPO appointed (if required) | | |
Planning (Clause 7)
| Item | Status | Notes |
|---|---|---|
| [ ] Privacy risks identified | | |
| [ ] Privacy risks assessed | | |
| [ ] Risk treatment plan includes privacy | | |
| [ ] Privacy objectives defined | | |
| [ ] Objectives are measurable | | |
| [ ] Plans to achieve objectives documented | | |
Support (Clause 8)
| Item | Status | Notes |
|---|---|---|
| [ ] Privacy resources adequate | | |
| [ ] Privacy competence requirements defined | | |
| [ ] Privacy training delivered | | |
| [ ] Privacy awareness program active | | |
| [ ] Internal privacy communications established | | |
| [ ] External privacy communications managed | | |
| [ ] Privacy documentation controlled | | |
Operation (Clause 9)
| Item | Status | Notes |
|---|---|---|
| [ ] Operational planning includes privacy | | |
| [ ] Privacy controls implemented | | |
| [ ] Change management covers privacy | | |
| [ ] Outsourced processes address privacy | | |
Performance Evaluation (Clause 10)
| Item | Status | Notes |
|---|---|---|
| [ ] Privacy monitoring established | | |
| [ ] Privacy metrics defined | | |
| [ ] Internal audit includes PIMS | | |
| [ ] Privacy audit conducted | | |
| [ ] Management review covers privacy | | |
Improvement (Clause 11)
| Item | Status | Notes |
|---|---|---|
| [ ] Privacy nonconformity process exists | | |
| [ ] Corrective action includes privacy | | |
| [ ] Continual improvement documented | | |
Controller Controls Checklist (Annex A)
Complete this section if you act as a PII controller.
A.7.2: Conditions for Collection and Processing
| Control | Status | Evidence |
|---|---|---|
| [ ] A.7.2.1 - Purposes identified and documented | | |
| [ ] A.7.2.2 - Legal basis identified for each purpose | | |
| [ ] A.7.2.3 - Purpose limitation controls in place | | |
| [ ] A.7.2.4 - Consent mechanisms operational | | |
| [ ] A.7.2.5 - Privacy impact assessment process exists | | |
| [ ] A.7.2.6 - Processor contracts in place | | |
| [ ] A.7.2.7 - Joint controller arrangements (if applicable) | | |
| [ ] A.7.2.8 - Processing records maintained | | |
A.7.3: Obligations to PII Principals
| Control | Status | Evidence |
|---|---|---|
| [ ] A.7.3.1 - Obligations to data subjects identified | | |
| [ ] A.7.3.2 - Privacy notices provided | | |
| [ ] A.7.3.3 - Consent withdrawal mechanism | | |
| [ ] A.7.3.4 - Consent modification capability | | |
| [ ] A.7.3.5 - Objection mechanism available | | |
| [ ] A.7.3.6 - Access request process (DSAR) | | |
| [ ] A.7.3.7 - Rectification process | | |
| [ ] A.7.3.8 - Erasure process | | |
| [ ] A.7.3.9 - Third-party notification process | | |
| [ ] A.7.3.10 - PII copy provision capability | | |
A.7.4: Privacy by Design and Default
| Control | Status | Evidence |
|---|---|---|
| [ ] A.7.4.1 - Collection limitation implemented | | |
| [ ] A.7.4.2 - Processing limitation implemented | | |
| [ ] A.7.4.3 - Accuracy measures in place | | |
| [ ] A.7.4.4 - Minimization objectives defined | | |
| [ ] A.7.4.5 - De-identification applied where possible | | |
| [ ] A.7.4.6 - Temporary files managed securely | | |
| [ ] A.7.4.7 - Retention periods defined and enforced | | |
| [ ] A.7.4.8 - Secure disposal procedures | | |
| [ ] A.7.4.9 - PII transmission controls | | |
A.7.5: PII Sharing, Transfer, and Disclosure
| Control | Status | Evidence |
|---|---|---|
| [ ] A.7.5.1 - Third parties identified | | |
| [ ] A.7.5.2 - Disclosures recorded | | |
| [ ] A.7.5.3 - Disclosure controls implemented | | |
| [ ] A.7.5.4 - Third-party agreements in place | | |
Processor Controls Checklist (Annex B)
Complete this section if you act as a PII processor.
B.8.2: Conditions for Collection and Processing
| Control | Status | Evidence |
|---|---|---|
| [ ] B.8.2.1 - Customer contracts/DPAs in place | | |
| [ ] B.8.2.2 - Processing purposes documented | | |
| [ ] B.8.2.3 - Marketing restrictions enforced | | |
| [ ] B.8.2.4 - Infringing instruction process | | |
| [ ] B.8.2.5 - Customer assistance procedures | | |
| [ ] B.8.2.6 - Processing records maintained | | |
B.8.3: Obligations to PII Principals
| Control | Status | Evidence |
|---|---|---|
| [ ] B.8.3.1 - Information for notices provided | | |
| [ ] B.8.3.2 - Rights request assistance capability | | |
B.8.4: PII Sharing, Transfer, and Disclosure
| Control | Status | Evidence |
|---|---|---|
| [ ] B.8.4.1 - Disclosure notification process | | |
| [ ] B.8.4.2 - Transfer basis documented | | |
| [ ] B.8.4.3 - Disclosures recorded | | |
B.8.5: Sub-Processor Management
| Control | Status | Evidence |
|---|---|---|
| [ ] B.8.5.1 - Sub-processors disclosed | | |
| [ ] B.8.5.2 - Sub-processor contracts in place | | |
| [ ] B.8.5.3 - Change notification process | | |
| [ ] B.8.5.4 - Sub-processor authorization | | |
| [ ] B.8.5.5 - Sub-processor agreements appropriate | | |
B.8.6: Data Return and Deletion
| Control | Status | Evidence |
|---|---|---|
| [ ] B.8.6.1 - Return/deletion capability | | |
| [ ] B.8.6.2 - Temporary file management | | |
| [ ] B.8.6.3 - Retention controls | | |
| [ ] B.8.6.4 - Secure disposal procedures | | |
Documentation Checklist
Required Documents
| Document | Status | Location |
|---|---|---|
| [ ] PIMS scope statement | | |
| [ ] Privacy policy | | |
| [ ] PII inventory/processing records | | |
| [ ] Legal basis register | | |
| [ ] Privacy risk assessment | | |
| [ ] Statement of Applicability (privacy) | | |
| [ ] Privacy risk treatment plan | | |
| [ ] Consent procedures (if applicable) | | |
| [ ] Data subject rights procedures | | |
| [ ] Privacy notice(s) | | |
| [ ] Processor/controller agreements | | |
Required Records
| Record | Status | Retention Period |
|---|---|---|
| [ ] Processing activity records | | |
| [ ] Consent records | | |
| [ ] Rights request records | | |
| [ ] Privacy incident records | | |
| [ ] Training records | | |
| [ ] Internal audit records | | |
| [ ] Management review records | | |
| [ ] Disclosure records | | |
Pre-Audit Readiness Checklist
Stage 1 Readiness
| Item | Status |
|---|---|
| [ ] All mandatory documents exist | |
| [ ] PIMS scope clearly defined | |
| [ ] PII processing context documented | |
| [ ] Controller/processor roles clear | |
| [ ] Privacy policy current and communicated | |
| [ ] Risk assessment includes privacy | |
| [ ] Statement of Applicability complete | |
| [ ] Internal audit conducted | |
| [ ] Management review completed | |
Stage 2 Readiness
| Item | Status |
|---|---|
| [ ] Stage 1 findings addressed | |
| [ ] Controls implemented and operational | |
| [ ] Evidence of control effectiveness available | |
| [ ] Records demonstrate ongoing operation | |
| [ ] Staff can explain their privacy responsibilities | |
| [ ] Data subject processes tested | |
| [ ] Metrics demonstrate performance | |
| [ ] Improvements documented | |
Common Gaps to Address
Frequently Missed Items
| Gap | Resolution |
|---|---|
| Incomplete PII inventory | Conduct discovery, interview stakeholders |
| Missing legal basis | Complete legal basis register |
| No DSAR process | Implement request handling workflow |
| Inadequate consent records | Enhance consent capture |
| Missing processor agreements | DPA program for all processors |
| No privacy metrics | Define and implement KPIs |
| Incomplete retention policy | Define periods by data type |
| Missing sub-processor oversight | Establish sub-processor program |
How Bastion Helps
We guide you through each checklist item efficiently, ensuring nothing is missed.
| Service | Description |
|---|---|
| Gap assessment | Evaluate current state against checklist |
| Implementation support | Address gaps systematically |
| Documentation | Develop required documents |
| Pre-audit review | Verify readiness before certification |
| Finding resolution | Address any audit findings |
Ready to work through your ISO 27701 compliance checklist? Talk to our team