Skip to Main Content
Main Menu

ISO 27701

The ISO 27701 establishes requirements and guidance for developing, managing and improving a Privacy Information Management System (PIMS) for activities in privacy management involving personally identifiable information (PII). ISO 27701 focuses on security techniques and is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.

Who should use ISO 27701?

The requirements of ISO 27701 apply to all types and sizes of data controllers and/or processors who process PII including private and public entities, government entities, and non-profit organizations.

Key requirements of ISO 27701

Designation of privacy leader

Organizations should appoint one or more privacy officials to develop, implement and manage an organization-wide privacy governance program/policy to outline procedures to comply with relevant data protection laws and regulations. Privacy officials shall also be responsible to provide support to all organizational stakeholders on their responsibilities related to data protection tasks.

Prioritize privacy by design and default

Organizations should apply principles and related tools of privacy by design and default into all layers of the information system for the secure management of PII (e.g. practicing data minimization to collect and process only the necessary PII).

Mechanisms for data deletion

Organizations should establish policies and technical mechanisms to permanently delete, de-identify, return and/or transfer PII when the purpose of processing becomes obsolete or the PII retention period has expired.

Vendor Management

Where PIMS will be outsourced, organizations should regularly assess the vendor’s privacy and data processing practices for compliance to organizational objectives and relevant data protection laws, verify the vendor’s security posture, and consider applying privacy by design and default principles to the outsourced PIMS.

Implementation of security protocols

Organizational and technical security policies and procedures shall be implemented to safeguard confidential PII, including, but not limited to, access controls to prevent unauthorized copying of PII by terminated employees/contractors during the notice period of termination, and segregating overlapping areas of responsibilities and privileges to prevent unauthorized access.


Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance


The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top