IEC International ISO Standard IS0/IEC27701 Information security, cybersecurity Second edition and privacy protection Privacy 2025-10 information management systems - Requirements and guidance Sécurité de I'information, cybersécurite et protection de la vie privee -Systemes de management de la protection de la vie privée - Exigences et recommandations Reference number ISO/IEC 27701:2025(en) @ ISO/IEC 2025 IS0/IEC 27701:2025(en) COPYRIGHT PROTECTED DOCUMENT IS0/IEC2025 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on theinternetoranintranet,withoutpriorwrittenpermission.Permission canberequestedfromeitherIsOatthe addressbelow or ISo's member body in the country of the requester. ISO copyright office CP 40i: Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Email: [email protected] Website: www.iso.org Published in Switzerland @ IS0/IEC 2025 - All rights reserved ii IS0/IEC 27701:2025(en) Contents Page Foreword. .V Introduction .vi 1 Scope. .1 2 Normative references .1 3 Terms, definitions and abbreviations .1 4 Context of the organization. .4 4.1 Understanding the organization and its context ..4 4.2 Understanding the needs and expectations of interested parties ..5 4.3 Determining the scope of the privacy information management system 4.4 Privacy information management system. .6 5 Leadership .6 5.1 Leadership and commitment. .6 5.2 Privacy policy 6 5.3 Roles, responsibilities and authorities ..7 6 Planning .1 6.1 Actions to address risks and opportunities ..7 6.1.1 General ..7 6.1.2 Privacy risk assessment. ..7 6.1.3 Privacy risk treatment ..8 6.2 Privacy objectives and planning to achievethem 6.3 Planning of changes .10 Support. 10 7.1 Resources 10 7.2 Competence .10 7.3 Awareness 10 7.4 Communication. .10 7.5 Documented information. 11 7.5.1 General .11 7.5.2 Creating and updating documented information .11 7.5.3 Control of documented information .11 8 Operation .12 8.1 Operational planning and control 12 8.2 Privacy risk assessment 12 8.3 Privacy risk treatment. 12 9 Performance evaluation .12 9.1 Monitoring, measurement, analysis and evaluation. 12 9.2 Internalaudit 13 9.2.1 General 13 9.2.2 Internal audit programme 13 9.3 Management review 13 9.3.1 General 13 9.3.2 Management review inputs 13 9.3.3 Management review results .14 10 Improvement .14 10.1 Continual improvement .14 10.2 Nonconformity and corrective action. .14 11 Further information on annexes 14 Annex A (normative) PIMS reference control objectives and controls for PII controllers and PII processors 15 @ IS0/IEC 2025 - All rights reserved iii IS0/IEC 27701:2025(en) Annex B (normative) Implementation guidance for PII controllers and PII processors .21 Annex C (informative) Mapping to IS0/IEC 29100 51 Annex D (informative) Mapping to the General Data Protection Regulation .53 Annex E (informative) Mapping to IS0/IEC 27018 and IS0/IEC 29151 .56 Annex F (informative) Correspondence with IS0/IEC 27701:2019 .58 Bibliography .64 @ IS0/IEC 2025 - All rights reserved iv IS0/IEC 27701:2025(en) Foreword Iso (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are membersofIsoorIECparticipateinthedevelopmentofInternationalStandardsthroughtechnical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with IsO and IEC, also take part in the work. Theprocedures used to develop this document and those intended for its further maintenance are described in the Iso/IEc Directives, Part 1. In particular, the