# ISO/IEC 27701:2019
ISO/IEC 27701:2019 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, providing requirements and guidance for establishing, maintaining, and continually improving a Privacy Information Management System (PIMS).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
## Framework Domains (3)

### Both
| Code | Title |
|---|---|
| 5.2.1 | Understanding the organization and its context (PIMS) |
| 5.2.2 | Understanding the needs and expectations of interested parties (PIMS) |
| 5.2.3 | Determining the scope of the PIMS |
| 5.2.4 | PIMS establishment, implementation, maintenance and continual improvement |
| 5.3.1 | Leadership and commitment (PIMS) |
| 5.3.2 | Privacy policy |
| 5.3.3 | Organizational roles, responsibilities and authorities (PIMS) |
| 5.4.1 | Quality Objectives |
| 5.4.1.2 | Privacy risk assessment |
| 5.4.1.3 | Privacy risk treatment |
| 5.4.2 | Articulating risk management commitment |
| 5.5.1 | Responsibility and Authority |
| 5.5.2 | Management Representative |
| 5.5.3 | Awareness (PIMS) |
| 5.5.4 | Communication (PIMS) |
| 5.5.5 | Documented information (PIMS) |
| 5.6.1 | Management Review - General |
| 5.7.1 | Monitoring, measurement, analysis and evaluation (PIMS) |
| 5.7.2 | Internal audit (PIMS) |
| 5.7.3 | Management review (PIMS) |
| 5.8.1 | Nonconformity and corrective action (PIMS) |
| 6.2.1.1 | Policies for information security (privacy-extended) |
| 6.5.2.1 | Classification of information (PII) |
| 6.5.3.1 | Management of removable media (PII) |
| 6.9.4.1 | Event logging (PII access) |
| 6.11.1.2 | Inclusion of PII in supplier agreements |
| 6.13.1.1 | Privacy incident management |
| 6.15.1.1 | Identification of applicable privacy legislation |
### PII Controller
| Code | Title |
|---|---|
| 7.2.1 | Determination of Product Requirements |
| 7.2.2 | Information security awareness, education and training (cloud) |
| 7.2.3 | Communication |
| 7.2.4 | Obtain and record consent (Controller) |
| 7.2.5 | Privacy impact assessment (Controller) |
| 7.2.6 | Contracts with PII processors (Controller) |
| 7.2.7 | Joint PII controller (Controller) |
| 7.2.8 | Records related to processing PII (Controller) |
| 7.3.1 | Determining and fulfilling obligations to PII principals (Controller) |
| 7.3.2 | Design and Development Planning |
| 7.3.3 | Design and Development Inputs |
| 7.3.4 | Design and Development Outputs |
| 7.3.5 | Design and Development Review |
| 7.3.6 | Design and Development Verification |
| 7.3.7 | Design and Development Validation |
| 7.3.8 | Design and Development Transfer |
| 7.3.9 | Control of Design Changes |
| 7.3.10 | Design and Development Files |
| 7.4.1 | Purchasing Process |
| 7.4.2 | Purchasing Information |
| 7.4.3 | Verification of Purchased Product |
| 7.4.4 | PII minimization objectives (Controller) |
| 7.4.5 | PII de-identification and deletion at end of processing (Controller) |
| 7.4.6 | Temporary files (Controller) |
| 7.4.7 | Retention (Controller) |
| 7.4.8 | Disposal (Controller) |
| 7.4.9 | PII transmission controls (Controller) |
| 7.5.1 | Control of Production and Service Provision |
| 7.5.2 | Cleanliness of Product |
| 7.5.3 | Installation Activities |
| 7.5.4 | Servicing Activities |
### PII Processor
| Code | Title |
|---|---|
| 8.2.1 | Service Portfolio |
| 8.2.2 | Asset Management |
| 8.2.3 | Configuration Management |
| 8.2.4 | Internal Audit |
| 8.2.5 | Monitoring and Measurement of Processes |
| 8.2.6 | Monitoring and Measurement of Product |
| 8.3.1 | Service Level Management |
| 8.4.1 | Budgeting and Accounting |
| 8.4.2 | Demand Management |
| 8.4.3 | Capacity Management |
| 8.5.1 | Change Management |
| 8.5.2 | Service Design and Transition |
| 8.5.3 | Release and Deployment Management |
| 8.5.4 | Preservation |
| 8.5.5 | Post-delivery activities |
| 8.5.6 | Control of changes |
| 8.5.7 | Engagement of a sub-contractor to process PII (Processor) |
| 8.5.8 | Change of sub-contractor to process PII (Processor) |
## Your Compliance Coverage

If you comply with ISO/IEC 27701:2019, you already cover:

- EU Medical Devices Regulation (MDR 2017/745): 1% (1 control mapped)
- ISO 45001:2018: 1% (1 control mapped)
- SWIFT CSCF: 1% (1 control mapped)
- + 35 more: ISO 20000-1 (1%), ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence (1%)

Maps to 38 other frameworks in total.
## Frequently Asked Questions

### What is ISO/IEC 27701:2019?

ISO/IEC 27701:2019 is an international compliance framework with 3 domains and 77 controls. It is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002, providing requirements and guidance for establishing, maintaining, and continually improving a Privacy Information Management System (PIMS). Organisations use it to establish and maintain compliance with industry standards and regulatory requirements.

### How many controls does ISO/IEC 27701:2019 have?

ISO/IEC 27701:2019 has 77 controls organised across 3 domains. The largest domains are PII Controller (31 controls), Both (28 controls) and PII Processor (18 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

### What frameworks does ISO/IEC 27701:2019 map to?

ISO/IEC 27701:2019 maps to 38 other compliance frameworks. The top mapping partners are EU Medical Devices Regulation (MDR 2017/745) (1% coverage), ISO 45001:2018 (1% coverage) and SWIFT CSCF (1% coverage). Use our comparison tool to explore control-level mappings between frameworks.

### How do I get started with ISO/IEC 27701:2019 compliance?

Start your ISO/IEC 27701:2019 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO/IEC 27701:2019 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 77 controls and track your progress.