ISO IEC 27701-2019 PDF
Name in English:
St ISO IEC 27701-2019
Name in Russian:
Ст ISO IEC 27701-2019
Original ISO/IEC 27701:2019 standard, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 27701:2019 — Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. This standard defines requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension to an organisation’s information security management system (ISMS), with specific guidance for PII controllers and PII processors.
Abstract
ISO/IEC 27701:2019 specifies PIMS-related requirements and provides guidance to support protection of personally identifiable information (PII) when processed within an ISMS. The document extends ISO/IEC 27001 and ISO/IEC 27002 by adding privacy-specific requirements, control objectives and guidance, and includes mappings to privacy frameworks and regulations to help organisations demonstrate sound privacy governance and alignment with legal obligations.
General information
- Status: Withdrawn (superseded by a later edition).
- Publication date: August 5, 2019.
- Publisher: ISO and IEC (joint publication; developed by ISO/IEC JTC 1/SC 27).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1.0 (2019).
- Number of pages: 66 pages.
Scope
The standard applies to all types and sizes of organizations (public, private, non-profit, and government) that process PII and wish to implement, maintain or improve a Privacy Information Management System (PIMS) within the context of an ISMS. It sets out PIMS-specific requirements and guidance for organisations acting as PII controllers and/or PII processors and is intended to be used alongside ISO/IEC 27001 and ISO/IEC 27002.
Key topics and requirements
- Extension of ISO/IEC 27001 requirements to incorporate privacy-specific PIMS requirements (clauses addressing context, leadership, planning, support, operation, performance evaluation and improvement).
- Additional guidance aligned with ISO/IEC 27002 to address controls with privacy impact.
- Separate Annex A (reference goals and controls for PII controllers) and Annex B (reference goals and controls for PII processors).
- Mappings to privacy frameworks and standards such as ISO/IEC 29100 and to regulations (example: a GDPR mapping annex).
- Guidance on roles and responsibilities for privacy governance, including controller vs processor distinctions, accountability and contractual controls for third parties.
- PII lifecycle management — collection, retention, use, disclosure, transfer, archival and deletion.
- Privacy risk assessment and integration with information security risk processes, including treatment of privacy-related risks.
- Requirements for documentation (policies, procedures, Statement of Applicability) and evidence to support audits and certification.
- Operational topics such as data subject rights, consent handling, breach detection/notification, privacy by design and default, and vendor/processor oversight.
Typical use and users
ISO/IEC 27701:2019 has been used by privacy officers, information security managers, CISOs, compliance and legal teams, data protection officers, internal and external auditors, certification bodies, privacy consultants and organisations that process personal data (both controllers and processors) seeking a consistent, auditable approach to privacy management aligned with an ISMS.
Related standards
Closely related standards and documents include ISO/IEC 27001 (Information security management systems), ISO/IEC 27002 (Code of practice for information security controls), ISO/IEC 29100 (Privacy framework), ISO/IEC 27018 (cloud PII protection), ISO/IEC 29151 (PII code of practice), national adoptions of the standard (for example, EN and AS variants), and the later ISO/IEC 27701:2025 edition that supersedes the 2019 version.
Keywords
Privacy Information Management System (PIMS), personal data, PII, data protection, privacy by design, ISO/IEC 27001 extension, controller, processor, GDPR mapping, privacy controls, risk assessment, Statement of Applicability, privacy governance.
FAQ
Q: What is this standard?
A: ISO/IEC 27701:2019 is an international standard that extends ISO/IEC 27001 and ISO/IEC 27002 to define requirements and guidance for a Privacy Information Management System (PIMS) focused on protecting personally identifiable information.
Q: What does it cover?
A: It covers PIMS-specific requirements and guidance for PII controllers and processors, control objectives and controls for privacy (annexes for controllers and processors), mappings to privacy frameworks and regulations, privacy risk management, and integration of privacy into an organisation’s ISMS.
Q: Who typically uses it?
A: Privacy officers, CISOs, security and compliance teams, data protection officers, auditors, certification bodies, and organisations (both controllers and processors) that need a structured, auditable privacy management approach.
Q: Is it current or superseded?
A: The 2019 edition has been withdrawn and superseded by a later edition (ISO/IEC 27701:2025). Organisations should plan transitions to the 2025 edition; for historical implementations, the 2019 text remains a reference but is no longer the current published edition.
Q: Is it part of a series?
A: Yes — ISO/IEC 27701:2019 is part of the broader ISO/IEC 27000 family of information security standards and is designed to work in conjunction with ISO/IEC 27001 and ISO/IEC 27002; it also maps to other privacy standards such as ISO/IEC 29100 and ISO/IEC 27018.
Q: What are the key keywords?
A: PIMS, privacy, personal data/PII, controller, processor, ISO/IEC 27001 extension, privacy controls, GDPR mapping, privacy by design, risk assessment, privacy governance.