ISO 27701 Privacy Information Management System (PIMS), a privacy extension to ISO 27001 Information Security Management System (ISMS), can support your organization in meeting the regulatory requirements and manage privacy risks related to Personally Identifiable Information (PII).

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

Almost every organization processes Personally Identifiable Information (PII). Further, the quantity and types of PII processed is increasing, as is the number of situations where an organization needs to cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world.

An organization complying with the requirements in this document will generate documentary evidence of how it handles the processing of PII. Such evidence can be used to facilitate agreements with business partners where the processing of PII is mutually relevant. This can also assist in relationships with other stakeholders. The use of this document in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence.



  • Support compliance to privacy regulations – such as the European Union General Data Protection Regulation (EU GDPR) and local privacy law & regulations such as Personal Data Protection Act (PDPA) in Singapore.
  • Provide confidence to stakeholders and customers that you are maintaining the highest standards in managing privacy risks related to PII.
  • Clear roles & responsibilities – for PII controllers and PII processors holding responsibility and accountability for PII processing.
  • Minimize risks – of disruptions of critical processes and financial losses associated with a breach