Key Takeaways
| Point | Summary |
|---|---|
| Certification cycle | 3-year certificate with annual surveillance audits |
| Core activities | Continuous improvement, internal audits, management reviews |
| Integration | Maintain alongside ISO 27001 |
| Change management | Update PIMS as processing activities evolve |
| Documentation | Keep records current and evidence fresh |
| Surveillance focus | Demonstrate ongoing operation and improvement |
Quick Answer: ISO 27701 maintenance follows the same 3-year cycle as ISO 27001. Key activities include continuous monitoring of privacy controls, regular internal audits covering PIMS scope, management reviews addressing privacy performance, and responding to changes in your PII processing activities. Annual surveillance audits verify ongoing compliance.
The 3-Year Certification Cycle
Cycle Overview
| Year | Activity | Focus |
|---|---|---|
| Year 1 | Initial certification | Full PIMS audit |
| Year 2 | Surveillance audit | Sample of controls, changes |
| Year 3 | Surveillance audit | Sample of controls, changes |
| Year 4 | Recertification | Full PIMS reassessment |
Surveillance Audits
| Aspect | Details |
|---|---|
| Frequency | Annually (approximately 12 months apart) |
| Duration | Typically 1 additional day for ISO 27701 |
| Scope | Sample of PIMS, not complete coverage |
| Focus | Changes, improvements, selected controls |
| Outcome | Continued certification or issues to address |
Recertification
| Aspect | Details |
|---|---|
| Timing | Before 3-year certificate expires |
| Scope | Full PIMS reassessment |
| Approach | Similar to initial certification |
| Outcome | New 3-year certificate |
Continuous Improvement
Privacy Performance Monitoring
| Area | Metrics to Track |
|---|---|
| Rights requests | Volume, response times, completion rate |
| Consent | Consent rates, withdrawals, opt-out trends |
| Incidents | Privacy breaches, near-misses, root causes |
| Training | Completion rates, assessment scores |
| Audit findings | Nonconformities, observations, closures |
| Complaints | Privacy complaints, resolution times |
Monthly/Quarterly Activities
| Frequency | Activity |
|---|---|
| Monthly | Review privacy metrics dashboard |
| Monthly | Process any rights requests |
| Monthly | Review and close open actions |
| Quarterly | Update PII inventory when processing changes |
| Quarterly | Review processor compliance |
| Quarterly | Assess regulatory developments |
Annual Activities
| Activity | Purpose |
|---|---|
| Internal audit | Verify PIMS effectiveness |
| Management review | Leadership oversight |
| Risk reassessment | Update privacy risk register |
| Policy review | Ensure policies remain current |
| Training refresh | Update awareness program |
| Objectives review | Assess and set new objectives |
Internal Audit Program
PIMS Audit Scope
| Area | What to Audit |
|---|---|
| Management system | Clauses 5-11 privacy extensions |
| Controller controls | Annex A implementation (if applicable) |
| Processor controls | Annex B implementation (if applicable) |
| Documentation | Currency and completeness |
| Records | Availability and accuracy |
| Effectiveness | Controls working in practice |
Audit Planning
| Consideration | Approach |
|---|---|
| Coverage | All PIMS elements over the cycle |
| Frequency | At least annually, before surveillance |
| Independence | Auditors do not audit their own work |
| Competence | Privacy knowledge required |
| Integration | Combine with ISMS audit where efficient |
Audit Outputs
| Output | Purpose |
|---|---|
| Audit report | Document findings and conclusions |
| Nonconformities | Issues requiring correction |
| Observations | Improvement opportunities |
| Corrective actions | Plans to address findings |
| Follow-up | Verification of corrections |
Management Review
Privacy Agenda Items
| Input | What to Review |
|---|---|
| Previous actions | Status of decisions from last review |
| Performance metrics | Privacy KPIs and trends |
| Audit results | Internal and external findings |
| Incidents | Privacy breaches and near-misses |
| Changes | Internal and external factors |
| Regulatory updates | New requirements or guidance |
| Improvement opportunities | Identified enhancements |
Management Review Outputs
| Output | Content |
|---|---|
| Improvement decisions | Approved changes to PIMS |
| Resource decisions | Budget and staffing |
| Objective updates | Revised privacy objectives |
| Risk decisions | Accepted risks, treatment changes |
| Action items | Assigned follow-up tasks |
Documentation
| Record | Requirements |
|---|---|
| Meeting minutes | Document discussions and decisions |
| Attendees | Record management participation |
| Inputs reviewed | Evidence of thorough review |
| Decisions made | Clear record of outcomes |
| Actions assigned | Owner, timeline, status |
Managing Change
Types of Change to Manage
| Change Type | Privacy Implications |
|---|---|
| New processing activities | May require new controls, documentation |
| New products/features | Privacy by design assessment |
| New vendors/processors | DPA, due diligence |
| Organization changes | Roles, responsibilities |
| Regulatory changes | Compliance adjustments |
| Technology changes | Control updates |
Change Assessment Process
| Step | Activity |
|---|---|
| 1. Identify | Recognize change with privacy impact |
| 2. Assess | Evaluate privacy implications |
| 3. Plan | Determine required actions |
| 4. Implement | Execute changes to PIMS |
| 5. Document | Update documentation |
| 6. Verify | Confirm effectiveness |
Updating Documentation
| Document | When to Update |
|---|---|
| PII inventory | New processing, changes to existing |
| Risk register | New risks, changed risk levels |
| Policies | Process changes, regulatory updates |
| Procedures | Operational changes |
| SoA | Control applicability changes |
| Processing records | Any processing changes |
Evidence and Records Management
Records to Maintain
| Record Type | Retention Guidance |
|---|---|
| Processing records | Duration of processing + regulatory period |
| Consent records | Duration of consent + regulatory period |
| Rights request records | 3-7 years typically |
| Incident records | 5-7 years typically |
| Audit records | 3 years minimum |
| Training records | Duration of employment + 3 years |
Evidence for Surveillance
| Evidence Type | Purpose |
|---|---|
| Current documentation | Policies, procedures up to date |
| Operational records | Evidence of ongoing operation |
| Metrics reports | Performance demonstration |
| Improvement evidence | Actions taken, results achieved |
| Change records | How changes were managed |
Common Maintenance Challenges
Challenge 1: Keeping Documentation Current
| Problem | Solution |
|---|---|
| Documents become outdated | Scheduled review cycles |
| Changes not captured | Change management triggers |
| Version control issues | Document management system |
Challenge 2: Maintaining Engagement
| Problem | Solution |
|---|---|
| Privacy fatigue | Regular awareness refreshers |
| Competing priorities | Management visibility, integration |
| Staff turnover | Onboarding includes privacy |
Challenge 3: Evolving Requirements
| Problem | Solution |
|---|---|
| New regulations | Regulatory monitoring process |
| Customer requirements change | Regular requirement review |
| Industry practices evolve | Benchmark and adapt |
Challenge 4: Resource Constraints
| Problem | Solution |
|---|---|
| Limited privacy staff | Distribute responsibilities |
| Budget pressure | Demonstrate ROI, prioritize |
| Time constraints | Efficient processes, automation |
Surveillance Audit Preparation
4-6 Weeks Before
| Activity | Purpose |
|---|---|
| Complete internal audit | Identify and fix issues |
| Close nonconformities | Resolve open findings |
| Update documentation | Ensure currency |
| Gather evidence | Prepare for auditor requests |
| Brief key staff | Prepare for interviews |
1-2 Weeks Before
| Activity | Purpose |
|---|---|
| Confirm logistics | Schedule, location, contacts |
| Review previous audit | Address any noted areas |
| Final evidence check | Complete and accessible |
| Assign guides | Staff to support auditor |
During Audit
| Activity | Approach |
|---|---|
| Opening meeting | Set expectations |
| Evidence provision | Prompt, complete responses |
| Interview support | Available, knowledgeable staff |
| Issue handling | Address findings constructively |
| Closing meeting | Understand outcomes |
Integration with ISO 27001 Maintenance
Combined Activities
| Activity | Integrated Approach |
|---|---|
| Internal audit | Combined ISMS/PIMS audit |
| Management review | Single meeting, both agendas |
| Risk assessment | Unified risk register |
| Documentation | Single document set |
| Training | Combined awareness program |
| Surveillance | Combined audit days |
Efficiency Benefits
| Area | Efficiency Gain |
|---|---|
| Audit planning | Single planning exercise |
| Evidence collection | Shared evidence base |
| Management time | Fewer separate meetings |
| Staff involvement | Coordinated activities |
| Documentation | Reduced duplication |
Frequently Asked Questions
What happens if we fail a surveillance audit?
Minor nonconformities are common and give you time to correct issues. Major nonconformities require prompt corrective action, and the certification body may schedule a follow-up visit before continuing certification. Repeated major failures could lead to suspension.
Can we change our PIMS significantly between audits?
Yes, but changes should follow your change management process and be documented. Significant scope changes may require notifying your certification body. See certification process for more on scope changes.
How do we handle new processing activities?
New processing activities should go through your PII assessment process. Document the activity, identify the legal basis, assess privacy risks, and implement appropriate controls before processing begins. Update your PII inventory accordingly.
What if regulations change after certification?
Your PIMS should include regulatory monitoring. When regulations change, assess the impact on your privacy controls, update documentation and processes as needed, and document the changes. This demonstrates the continuous improvement auditors expect.
How Bastion Helps
We support organizations in maintaining their ISO 27701 certification efficiently.
| Service | Description |
|---|---|
| Ongoing support | Regular check-ins, guidance |
| Internal audit | Conduct PIMS internal audits |
| Surveillance preparation | Ready for annual audits |
| Documentation updates | Keep policies and procedures current |
| Change management | Support for significant changes |
| Continuous improvement | Identify and implement enhancements |
Need help maintaining your ISO 27701 certification? Talk to our team