ISO 27701:2019 · Privacy Information Management
The ISO 27701 PIMS framework
ISO/IEC 27701 turns an ISO 27001 information security management system into a Privacy Information Management System (PIMS). Here is how the standard is structured, what it adds, and where controller and processor obligations differ.
ISO 27701 is an extension of ISO 27001 — you implement it on top of an ISMS, not instead of one.
ISO/IEC 27701:2019 · Extension to ISO 27001 · Last reviewed June 2026
Direct Answer
What is a PIMS?
A Privacy Information Management System (PIMS) is the privacy equivalent of an ISMS: a documented set of policies, roles, processes, and controls for governing how an organisation collects, uses, shares, and protects personally identifiable information (PII). ISO/IEC 27701:2019 specifies the requirements for a PIMS and provides guidance for both PII controllers and PII processors. Rather than re-inventing a management system, it extends the one you already operate under ISO 27001 and the controls described in ISO 27002.
How it is structured
Four building blocks, two annexes
ISO 27701 reuses the ISO 27001 management system and ISO 27002 controls, then layers privacy requirements on top. You apply the controller and processor controls according to your role.
PIMS requirements (ISO 27001)
Extends each ISO 27001 clause (4–10) with privacy-specific requirements, so the management system governs the processing of personally identifiable information (PII), not just information security.
- PII added to the scope of the ISMS
- Privacy roles and responsibilities defined
- Privacy risks assessed alongside security risks
- Management review covers privacy objectives
PIMS guidance (ISO 27002)
Adds privacy interpretation to the ISO 27002 controls already implemented under ISO 27001 — the same controls, read through a privacy lens.
- Existing security controls reused, not duplicated
- Privacy-specific implementation guidance
- Logging and access control extended to PII
- Supplier and incident controls cover privacy
PII controller controls
Additional controls for organisations that decide why and how PII is processed — lawful basis, consent, PII principal rights, and disclosure.
- Conditions for collection and processing
- Obligations to PII principals
- Privacy by design and by default
- PII sharing, transfer, and disclosure
PII processor controls
Additional controls for organisations that process PII on a controller’s behalf — acting on documented instructions, sub-processor management, and return or disposal.
- Process only on documented instructions
- Support the controller’s obligations
- Manage and authorise sub-processors
- Return or securely dispose of PII
Informative annexes complete the standard: Annex C maps to ISO 29100, Annex D to the GDPR, and Annex E to ISO 27018 and ISO 29151 — which is what makes ISO 27701 a useful bridge to specific privacy regulations.
Know your role
Controller or processor?
PII controller controls
You decide why and how PII is processed. Annex A adds controls for lawful basis, consent, purpose limitation, PII principal rights, and disclosure to third parties.
PII processor controls
You process PII on a controller’s behalf. Annex B adds controls for acting on documented instructions, managing sub-processors, and returning or disposing of PII.
Frequently Asked Questions
Common questions about the ISO 27701 PIMS framework.
Can you get ISO 27701 certified without ISO 27001?
No. ISO 27701 is an extension to ISO 27001, not a standalone standard. You need an ISO 27001 ISMS in place — either already certified or certified at the same time — because ISO 27701 adds privacy requirements on top of that management system.
What is the difference between ISO 27701 Annex A and Annex B?
Annex A lists the additional controls for PII controllers (organisations that determine the purposes and means of processing). Annex B lists the additional controls for PII processors (organisations that process PII on a controller’s behalf). An organisation applies the annex — or both — that matches its role.
Does ISO 27701 certification make you GDPR compliant?
ISO 27701 is designed to align with the GDPR — Annex D maps its controls to specific GDPR articles — so a PIMS gives you much of the operational evidence regulators expect. Certification demonstrates accountability, but it is not a legal determination of GDPR compliance on its own.
How long does ISO 27701 take to implement?
Added to an existing ISO 27001 ISMS, a PIMS programme typically takes a few months because the management-system foundation already exists. Building ISO 27001 and ISO 27701 together takes longer. Timelines vary with scope, the volume of PII processed, and your starting maturity.