Privacy

Personal data is among the most valuable and sensitive assets that organisations handle today. With growing expectations from individuals, regulators and business partners, it is not enough to simply say that you care about privacy; you must also be able to prove it. ISO/IEC 27701 provides a structured, internationally recognised framework that helps organisations demonstrate accountability, manage the risks associated with personally identifiable information (PII) and continually improve their privacy practices.

Privacy Information Management System based on ISO/IEC 27701

The standard specifies requirements and guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on ISO/IEC 27001 and ISO/IEC 27002, extending an information security management system with privacy-specific requirements and controls. A PIMS consists of a set of processes and controls for organisations that act as PII controllers and/or PII processors, i.e. those that determine the purposes and means of processing PII or that process it on a controller's behalf.

Benefits of PIMS for the organisation

  • Strengthening personal data protection capabilities
  • Facilitating compliance with personal data protection regulations such as the GDPR
  • Supporting trust building with clients, regulators, and partners
  • Aligning with existing information security management systems (ISMS) to streamline implementation
  • Facilitating accountability and evidence-based personal data protection management

Subject of our expert services

1 | Analysis of the existing system and PIMS project planning

  • Analysis of the context of the organisation and gap analysis of the current state
  • Development of a PIMS project plan

2 | Establishment and implementation of the PIMS

  • Identification and description of the boundaries and scope of the PIMS
  • Definition of the organisational structure, roles and responsibilities of individuals and relevant committees
  • Design of the privacy policy
  • Setting up and documenting PIMS processes

3 | Information security and privacy risk management and controls management

  • Selection and documentation of privacy risk management methodologies
  • Identification, analysis and evaluation of risks
  • Selection of risk treatment options and controls
  • Preparation of the Statement of Applicability (SoA)
  • Management of risk treatment plans

4 | Documentation of topic-specific policies and procedures

  • PIMS documentation structure design and management
  • Design and documentation of topic-specific policies and procedures
  • Support for the implementation of specific measures
  • Design and delivery of training and awareness-raising activities

5 | Internal audit, supplier audit and certification audit support

  • Drafting of the PIMS audit programme and planning of audit activities
  • Performance of internal audits and supplier audits
  • Support for follow-up activities and corrective actions after the audit
  • Preparation for, and support during, the certification audit

Advanced GRC applications

The effort required to run PIMS processes grows with the size of the organisation and the maturity of its management system. For large organisations with complex management systems, we recommend using advanced modular GRC tools.

More information can be found in the Applications section.

Quality of our services

When providing consulting services, we apply the quality standards for management consultancy services (ISO 20700), information security (ISO/IEC 27001) and project management (ISO 21502).

Competences of our consultants:

  • Certified ISO/IEC 27701 Lead Implementer
  • Certified ISO/IEC 27001 Lead Implementer *
  • Certified ISO/IEC 27005 Lead Risk Manager *
  • Certified ISO/IEC 27002 Lead Manager
  • Certified Data Protection Officer *

When conducting an internal audit (first-party audit) or a supplier audit (second-party audit), we apply the best practice for auditing management systems as defined in ISO 19011, ISO/IEC 27007, ISO/IEC TS 27008 and other relevant standards.

Competences of our auditors:

  • Certified ISO/IEC 27701 Lead Auditor *
  • Certified ISO/IEC 27001 Lead Auditor *

* NOTE: Certification accredited under ISO/IEC 17024, or an equivalent ISACA certification.
