ISO/IEC 27701 extends your ISMS (ISO 27001) to cover privacy and describes a Privacy Information Management System (PIMS). It lets you demonstrate to customers and supervisory authorities that the handling of personal data is governed systematically — a strong signal, especially in the role of a processor.
What the audit covers
The audit examines the PIMS-specific requirements and the additional measures for controllers and processors. This includes roles and responsibilities, the handling of data-subject rights, processing agreements, and the link to the principles of the GDPR.
Building on your ISMS
ISO/IEC 27701 requires a functioning ISMS. If your ISMS is already aligned with ISO 27001, you can integrate privacy into it efficiently instead of maintaining a second, separate system. In the audit I make sure both systems mesh cleanly.
Areas we focus on
- Roles as controller and/or processor
- Mapping of PIMS measures to GDPR principles
- Handling of data-subject rights and access requests
- Processing agreements with service providers
- Record of processing activities and data flows
- Integration with the existing ISMS to ISO 27001