ISO/IEC 27701, Information security, cybersecurity and privacy protection

International Organization for Standardization

The international standard ISO/IEC 27701, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides a structured and certifiable framework for managing privacy in organizations that handle Personally Identifiable Information (PII).



Executive summary

ISO/IEC 27701 specifies requirements and guidelines for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) aligned with information security standards.

By defining roles, responsibilities and controls applicable to PII Controllers and Processors, the standard helps to ensure compliance with applicable privacy obligations and promotes transparency in PII processing activities.

This standard can be applied to any type of organization, whether public, private or even non-profit, and can be integrated with other management systems, in particular ISO/IEC 27001.

Main content

  • Elements for creating, implementing, maintaining and improving a more comprehensive and modernized PIMS. These elements reinforce privacy policies and objectives, risk and responsibility management, the establishment of operational controls to protect information, the monitoring of system performance, and the assurance of continuous improvement.
  • More detailed guidance on privacy risk management, regulatory compliance, and demonstration of accountability. Guidance on how to implement controls, measure their performance, and document evidence of compliance has been expanded. This seeks to facilitate agreements and relationships with business partners, as well as demonstrate good practices in the handling of PII.
  • Greater alignment with other management standards and regulations. The new standard improves integration with ISO/IEC 27001, which deals with the requirements for an information security management system; ISO/IEC 29100, which establishes the framework and general principles of privacy; ISO/IEC 27018, which sets guidelines for protecting personal information in the public cloud; ISO/IEC 29151, the code of good practice for the protection of PII; and the European Union (EU) General Data Protection Regulation (GDPR).

Download the technical note on the ISO/IEC 27701, Information security, cybersecurity and privacy protection.