1. Standard positioning
International authority: ISO/IEC 27701 is the first globally recognized international standard for privacy information management. It complements regional regulations such as GDPR and applies to cross-border data processing scenarios.
Extensible architecture: It is built on the Information Security Management System (ISMS) of ISO/IEC 27001 and adds privacy control requirements, achieving the dual goal of "information security + privacy protection".
Scope of application: Applicable to any entity that processes personally identifiable information (PII), whether as a data controller or as a data processor.
2. Core objectives
Establish a systematic process to identify, assess, and manage privacy risks.
Ensure that the organization complies with global privacy regulations, reducing legal and reputational risks.
Enhance the trust of customers, partners, and regulatory agencies in data governance capabilities.
1. Standard positioning and structure
ISO/IEC 27701 is an extension of ISO/IEC 27001 (Information Security Management Systems), focusing on privacy protection.
It consists of clauses, controls, and annexes; the clauses mirror the structure of ISO/IEC 27001 for easy integration.
The controls section adds privacy-specific requirements on top of ISO/IEC 27002.
2. Key concepts
Personally identifiable information (PII): Information that can identify an individual.
PII controller: The organization or individual that determines the purposes and means of PII processing.
PII processor: An organization or individual that processes PII according to the instructions of the PII controller.
3. Core requirements
Privacy Policy: Organizations need to establish a privacy policy that clearly outlines their commitment to protecting PII.
Risk assessment: Adopt a risk-oriented approach to identify and manage privacy risks.
Data subject rights: Ensure that the rights of data subjects (the individuals to whom the PII relates) are respected, such as access, correction, and deletion.
Compliance and Continuous Improvement: Ensure the continuous effectiveness of the system through audits and management reviews.
4. Implementation points
Roles and responsibilities: Clarify the responsibilities of key roles such as the Data Protection Officer (DPO).
Data processing requirements: Ensure that the collection, processing, and transfer of PII comply with legal and ethical requirements.
Third-party management: Strictly manage third-party outsourcing and cross-border data transfers.
5. Relationship with other standards
ISO/IEC 27701 works in conjunction with ISO/IEC 27001 and ISO/IEC 27002, while also being compatible with regulations such as GDPR (General Data Protection Regulation).
6. Goals and Values
Objective: To assist organizations in systematically managing privacy information, ensuring transparency and security in data processing.
Value: Reduce compliance risks, enhance customer trust, and improve the organization's competitiveness in data protection.
By implementing ISO/IEC 27701, organizations can better protect personal privacy information, meet regulatory requirements, and enhance their privacy management capabilities.
1. Enhance compliance
Meet regulatory requirements: Help organizations meet increasingly stringent privacy protection regulations around the world, such as the EU's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law.
Reduce legal risks: Establishing and maintaining a privacy information management system reduces the risk of litigation, fines, and reputational damage caused by privacy violations.
2. Enhance customer trust
Enhance customer confidence: Demonstrate the organization's professionalism and sense of responsibility in privacy protection, increasing customer trust in the organization.
Promote business cooperation: In data-sensitive industries (such as finance, healthcare, and the Internet sector), privacy protection capability is an important consideration when customers choose partners.
3. Optimize internal management
Clear division of responsibilities: Establishing a privacy information management system clarifies the privacy protection responsibilities and roles of the various departments and personnel within the organization.
Enhance management efficiency: Standardize the handling of privacy information, improve the transparency and efficiency of data management, and reduce privacy risks.
4. Enhance market competitiveness
Differentiated competitive advantage: In market competition, privacy protection capability has become one of the important competitive advantages for enterprises. Through certification, organizations can stand out in the market.
Expanding international markets: A privacy management system that meets international standards helps organizations expand their international business, especially when collaborating with multinational corporations.
5. Promote continuous improvement
Regular evaluation and improvement: Through internal audits, management reviews, and supervisory audits, organizations can continuously identify issues in privacy management and make timely improvements.
Adapting to regulatory changes: Privacy regulations are constantly updated, and the certification scheme requires organizations to regularly evaluate and adjust their privacy management measures to keep pace with those changes.
6. Enhance brand image
Positive brand image: Privacy protection is an important component of corporate social responsibility, and certification can enhance an organization's brand image and increase public trust in it.
Attracting excellent talents: In the context of increasing attention to data privacy, companies that focus on privacy protection are more likely to attract and retain excellent talents.
7. Dealing with the risk of data leakage
Reduce the risk of data breaches: By establishing a privacy information management system, organizations can better identify and manage privacy risks, reducing the likelihood of data breaches.
Quick response to incidents: In the event of a privacy incident, the organization can respond quickly according to established procedures and reduce the incident's impact.
(I.) Application materials
When applying for certification, the following core materials must be submitted to the certification body:
1. System documents
Privacy Policy and Objectives: Clarify the organization's privacy protection principles and compliance commitments.
Procedure documents: Including the "Data Subject Rights Response Procedure", "Privacy Impact Assessment (PIA) Guidelines", "Data Breach Emergency Plan", etc.
Job descriptions: Such as the DPO's responsibilities and documents defining the division of responsibilities between data processor and data controller.
2. Risk assessment and compliance records
Privacy Impact Assessment (PIA) report: An analysis document covering high-risk PII processing activities, such as cross-border transfers and biometric data.
Legal compliance checklist: A mapping table listing the applicable privacy regulations and the corresponding controls (for example, mapping GDPR provisions to ISO/IEC 27701 Annex A/B).
3. Operational evidence
Internal audit report: Evidence that the PIMS has undergone internal audit and that nonconformities have been corrected.
Management review record: Senior management's review conclusions on the effectiveness of the PIMS and its improvement plan.
Training records: Attendance sheets, assessment results, etc. for employee privacy awareness training.
4. Technical implementation evidence
List of security controls: Configuration descriptions for technologies such as encryption, access control, and log auditing.
Third-party management documents: Data Processing Agreements (DPAs) signed with data processors/subcontractors, and the related audit records.
5. Application Form
Certification application form: includes basic organizational information, business scope, PIMS coverage statement, etc.
Scope Statement: Clarify the departments, systems, and data types applicable to the system.
(II.) Basic application requirements
1. Enterprise qualification: The enterprise must hold an "Enterprise Legal Person Business License", "Production License", or equivalent document issued by the Administration for Industry and Commerce.
2. System operation time: The applicant has established a system in accordance with the requirements of ISO/IEC 27701 and has operated it for more than 3 months.
3. Evaluation and review: At least one data protection/privacy impact assessment, one internal audit, and one management review have been completed.
4. Compliance: No administrative penalties have been imposed by the competent authorities during the operation of the system or within the year before its establishment.
5. ISO/IEC 27001 certification: Under the current version (ISO/IEC 27701:2019), organizations must first obtain ISO/IEC 27001 certification before they can be certified to ISO/IEC 27701. However, ISO/IEC 27701:2025, which will be released in 2025, will no longer require ISO/IEC 27001 certification first.