ISO 27701 PIMS Requirements
A Privacy Information Management System (PIMS) is the framework ISO 27701 uses to systematically manage the protection of personally identifiable information (PII). Understanding the PIMS requirements helps organizations implement effective privacy governance that extends their existing Information Security Management System (ISMS).
Key Takeaways
| Point | Summary |
|---|---|
| Definition | PIMS extends ISMS to include privacy-specific management requirements |
| Foundation | Builds on ISO 27001 management system structure |
| Core elements | Context, leadership, planning, support, operations, evaluation, improvement |
| Control structure | Controller controls (Annex A), Processor controls (Annex B) |
| Documentation | PII inventory, legal bases, procedures, records |
| Continuous improvement | Regular assessment, audit, and enhancement |
Quick Answer: A Privacy Information Management System (PIMS) is the organizational framework for managing personal data protection. It extends your ISMS with privacy-specific requirements: understanding your PII processing context, implementing appropriate controls based on your role (controller or processor), and maintaining continuous improvement in privacy practices.
Understanding the PIMS Framework
PIMS vs. ISMS
| Aspect | ISMS (ISO 27001) | PIMS (ISO 27701) |
|---|---|---|
| Primary focus | Information security | Privacy and PII protection |
| Protected asset | Information assets | Personally identifiable information |
| Key stakeholder | Organization | Data subjects (individuals) |
| Risk perspective | Organizational risk | Both organizational and individual risk |
| Standalone | Yes | No, extends ISMS |
How PIMS Builds on ISMS
PIMS doesn't replace your ISMS. It adds a privacy layer:
```
ISMS Foundation (ISO 27001)
├── Information security policies
├── Risk management process
├── Security controls (Annex A)
└── Management system structure

PIMS Extension (ISO 27701)
├── Privacy-specific policies
├── Privacy risk considerations
├── Controller controls (Annex A)
├── Processor controls (Annex B)
└── Extended management requirements
```
Core PIMS Requirements
Clause 5: Context of the Organization
You must understand your PII processing context before implementing controls.
| Requirement | What It Means |
|---|---|
| External context | Privacy regulations, contractual requirements, stakeholder expectations |
| Internal context | Organizational structure, roles, capabilities, culture |
| PII processing scope | What PII you process, for what purposes, as what role |
| Interested parties | Data subjects, regulators, controllers (if processor), customers |
Key outputs:
- PIMS scope statement
- PII processing inventory
- Stakeholder and requirement register
Clause 6: Leadership and Commitment
Management must demonstrate commitment to privacy.
| Requirement | Evidence |
|---|---|
| Privacy policy | Documented policy appropriate to PII processing |
| Roles and responsibilities | Clear assignment of privacy duties |
| Resources | Adequate budget, people, and tools for privacy |
| Communication | Privacy requirements communicated throughout organization |
| Integration | Privacy integrated into business processes |
Key outputs:
- Privacy policy (may be combined with information security policy)
- Privacy roles and responsibilities matrix
- Management commitment evidence
Clause 7: Planning
Plan your approach to privacy risks and objectives.
| Requirement | Details |
|---|---|
| Risk assessment | Identify privacy risks to data subjects and organization |
| Risk treatment | Select and plan implementation of privacy controls |
| Objectives | Define measurable privacy objectives |
| Change management | Plan changes to PIMS systematically |
Privacy-specific risk categories:
| Risk Type | Examples |
|---|---|
| Legal basis risks | Processing without valid consent or legitimate interest |
| Rights risks | Inability to fulfill data subject requests |
| Purpose risks | Processing beyond original stated purposes |
| Retention risks | Keeping PII longer than necessary |
| Transfer risks | Inadequate protections for cross-border transfers |
| Processor risks | Processors not following instructions |
Clause 8: Support
Ensure adequate resources and competence for privacy.
| Requirement | Application |
|---|---|
| Resources | Budget, personnel, and systems for privacy management |
| Competence | Privacy knowledge appropriate to roles |
| Awareness | All staff understand privacy responsibilities |
| Communication | Internal and external privacy communications |
| Documented information | Privacy documentation controlled and maintained |
Competence requirements by role:
| Role | Privacy Competence |
|---|---|
| Senior management | Privacy governance, strategic risk |
| Privacy lead/DPO | Comprehensive privacy expertise |
| IT/Development | Privacy by design, technical controls |
| HR | Employee data protection |
| Marketing | Consent, marketing preferences |
| Customer service | Data subject rights handling |
Clause 9: Operation
Implement your planned privacy controls.
| Requirement | Activities |
|---|---|
| Operational planning | Execute privacy risk treatment plan |
| Control implementation | Implement controller or processor controls as applicable |
| Process integration | Embed privacy into business operations |
| Change control | Manage changes affecting PII processing |
| Outsourced processes | Ensure privacy in outsourced activities |
Clause 10: Performance Evaluation
Monitor and measure privacy performance.
| Requirement | Methods |
|---|---|
| Monitoring | Track privacy metrics and indicators |
| Internal audit | Audit PIMS against ISO 27701 requirements |
| Management review | Regular leadership review of privacy performance |
| Compliance evaluation | Assess compliance with privacy obligations |
Privacy metrics to consider:
| Metric Category | Examples |
|---|---|
| Rights requests | Volume, response time, completion rate |
| Incidents | Privacy breaches, near misses, trends |
| Training | Completion rates, assessment scores |
| Audit findings | Nonconformities, observations |
| Consent | Consent rates, withdrawal rates |
| Complaints | Volume, resolution time, outcomes |
Clause 11: Improvement
Continuously improve privacy practices.
| Requirement | Application |
|---|---|
| Nonconformity handling | Address privacy gaps and failures |
| Corrective action | Fix root causes of privacy issues |
| Continual improvement | Systematically enhance privacy practices |
| Lessons learned | Learn from incidents and near misses |
Control Requirements
Annex A: PII Controller Controls
If you determine the purposes and means of processing, implement these controls:
| Control Category | Key Controls |
|---|---|
| Conditions for processing | Legal basis documentation, purpose specification |
| Obligations to PII principals | Privacy notices, rights fulfillment |
| Privacy by design | Assessment before processing, minimization |
| PII sharing | Disclosure controls, transfer safeguards |
| Jurisdiction | Cross-border transfer protections |
Total: 31 controls organized into 8 control objectives
Annex B: PII Processor Controls
If you process PII on behalf of controllers, implement these controls:
| Control Category | Key Controls |
|---|---|
| Customer conditions | Processing under instructions only |
| Customer obligations | Assist with rights requests, breach notification |
| Sub-processors | Authorization, contracts, oversight |
| Data handling | Return, deletion at end of relationship |
Total: 18 controls organized into 5 control objectives
Determining Applicable Controls
| Processing Role | Apply Annex A | Apply Annex B |
|---|---|---|
| Controller only | Yes | No |
| Processor only | No | Yes |
| Both roles | Yes (for controller activities) | Yes (for processor activities) |
Documentation Requirements
Mandatory Documentation
| Document | Purpose | Reference |
|---|---|---|
| PIMS scope | Define boundaries of privacy management | Clause 5.2 |
| Privacy policy | State privacy commitment and principles | Clause 6.2 |
| Risk assessment | Document privacy risk identification and evaluation | Clause 7.1 |
| Risk treatment plan | Document selected controls and implementation | Clause 7.2 |
| Statement of Applicability | Document applicable Annex A/B controls | Clause 7.2.1 |
| PII inventory | Document all PII processing activities | Annex A/B |
| Legal basis register | Document lawful basis for processing | Annex A.7.2.2 |
Recommended Documentation
| Document | Purpose |
|---|---|
| Privacy impact assessments | Evaluate high-risk processing |
| Consent records | Evidence of valid consent |
| Rights request procedures | Standardized request handling |
| Breach response procedures | Incident response specific to privacy |
| Processor agreements | Document processor instructions |
| Training records | Evidence of privacy awareness |
Implementation Approach
Phase 1: Foundation (Weeks 1-2)
| Activity | Outputs |
|---|---|
| Confirm ISO 27001 readiness | Gap assessment if not certified |
| Define PIMS scope | Scope statement |
| Identify PII processing | Initial PII inventory |
| Determine roles | Controller/processor classification |
Phase 2: Documentation (Weeks 3-4)
| Activity | Outputs |
|---|---|
| Privacy risk assessment | Risk register with privacy risks |
| Control selection | Statement of Applicability |
| Policy development | Privacy policy, procedures |
| PII inventory completion | Comprehensive processing record |
Phase 3: Implementation (Weeks 5-8)
| Activity | Outputs |
|---|---|
| Control implementation | Operational controls in place |
| Process integration | Privacy in business processes |
| Training delivery | Awareness program completion |
| Documentation finalization | Complete PIMS documentation |
Phase 4: Verification (Weeks 9-10)
| Activity | Outputs |
|---|---|
| Internal audit | Audit findings and actions |
| Management review | Review minutes and decisions |
| Corrective actions | Closed nonconformities |
| Audit preparation | Readiness for certification |
Common Questions
How does PIMS differ from GDPR compliance?
PIMS provides a management system for privacy. GDPR is a specific regulation with legal requirements. PIMS helps you systematically address GDPR (and other regulatory) requirements, but certification does not equal legal compliance.
Can I have a PIMS without ISO 27001?
No. ISO 27701 explicitly requires an ISO 27001-based ISMS as foundation. The PIMS extends the ISMS; it cannot exist independently.
How detailed must the PII inventory be?
Detailed enough to demonstrate understanding of all PII processing. Typically includes: categories of PII, data subjects, purposes, legal bases, retention periods, recipients, and transfers.
What if we're both controller and processor?
Implement controls from both Annex A (for controller activities) and Annex B (for processor activities). Document clearly which controls apply to which processing activities.
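As an added example that is not part of the page or of Bastion's own tooling: a small Python check that applies the role-to-annex mapping from "Determining Applicable Controls" and flags inventory rows missing the fields the page lists (categories, data subjects, purposes, legal basis, retention, recipients, transfers). The record structure, the transfer_safeguard field and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass, field

# Role-to-annex mapping as stated on the page: controller -> Annex A, processor -> Annex B.
ANNEX_BY_ROLE = {"controller": ("A",), "processor": ("B",), "both": ("A", "B")}

@dataclass
class ProcessingActivity:
    """One row of a PII processing inventory (fields follow the page's list; constructed)."""
    name: str
    role: str                               # controller | processor | both
    pii_categories: list = field(default_factory=list)
    data_subjects: list = field(default_factory=list)
    purposes: list = field(default_factory=list)
    legal_basis: str = ""                   # required for controller activities (A.7.2.2)
    retention_days: int = 0                 # 0 means no retention period defined
    recipients: list = field(default_factory=list)
    transfers: list = field(default_factory=list)   # destination countries
    transfer_safeguard: str = ""            # hypothetical free-text field, e.g. "SCCs"

def applicable_annexes(role: str) -> tuple:
    if role not in ANNEX_BY_ROLE:
        raise ValueError(f"unknown role: {role}")
    return ANNEX_BY_ROLE[role]

def check_activity(act: ProcessingActivity) -> list:
    """Return the gaps a reviewer would raise before accepting this inventory row."""
    gaps = []
    annexes = applicable_annexes(act.role)
    for fld in ("pii_categories", "data_subjects", "purposes"):
        if not getattr(act, fld):
            gaps.append(f"{fld} missing")
    if "A" in annexes and not act.legal_basis:
        gaps.append("legal basis missing (controller activity, Annex A.7.2.2)")
    if act.retention_days <= 0:
        gaps.append("retention period undefined")
    if act.transfers and not act.transfer_safeguard:
        gaps.append("cross-border transfer without documented safeguard")
    return gaps

def check_inventory(activities: list) -> dict:
    """Map activity name -> gap list, keeping only rows that have gaps."""
    return {a.name: g for a in activities if (g := check_activity(a))}

# Constructed sample inventory, not real processing records.
SAMPLE = [
    ProcessingActivity("payroll", "controller", ["name", "bank account"], ["employees"],
                       ["salary payment"], "contract", 2555, ["bank"]),
    ProcessingActivity("saas-hosting", "processor", ["customer records"], ["customers' users"],
                       ["hosting under customer instructions"], "", 30, [], ["US"], ""),
    ProcessingActivity("newsletter", "both", ["email"], ["subscribers"], [], "", 0, [], [], ""),
]
```

Running `check_inventory(SAMPLE)` reports nothing for the payroll row, an undocumented transfer safeguard for the processor row, and three gaps for the newsletter row because its controller side lacks a purpose, a legal basis and a retention period.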
How Bastion Helps
Building an effective PIMS requires expertise in both privacy management and practical implementation. We guide organizations through PIMS implementation efficiently.
| Service | Description |
|---|---|
| PIMS design | Structure your privacy management system appropriately |
| PII inventory | Comprehensive documentation of processing activities |
| Control implementation | Implement appropriate controller and processor controls |
| Documentation | Develop required policies and procedures |
| Audit preparation | Prepare for successful PIMS certification |
Ready to implement your Privacy Information Management System? Talk to our team
Sources
- ISO/IEC 27701:2019 - Privacy information management requirements
- ISO/IEC 27001:2022 - Information security management systems
- GDPR Article 30 - Records of processing activities
- GDPR Article 35 - Data protection impact assessment
