Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance (ISO/IEC 27701:2025)

This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
Guidance is also provided to assist in the implementation of the requirements in this document.
This document is intended for personally identifiable information (PII) controllers and PII processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.


General Information
Status: Published
Publication Date: 21-Oct-2025
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 22-Oct-2025
Completion Date: 22-Oct-2025

Relations
Standard: EN ISO/IEC 27701:2025
English language, 73 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-December-2025
Supersedes:
SIST EN ISO/IEC 27701:2021
Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance (ISO/IEC 27701:2025)
This Slovenian standard is identical to: EN ISO/IEC 27701:2025
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN STANDARD EN ISO/IEC 27701
October 2025
ICS 35.030
Supersedes EN ISO/IEC 27701:2021
English version
Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance (ISO/IEC 27701:2025)
This European Standard was approved by CEN on 4 August 2025.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27701:2025 E
Contents
European foreword (p. 3)

European foreword
This document (EN ISO/IEC 27701:2025) has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology" in collaboration with Technical Committee CEN-CENELEC/JTC 13
"Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by April 2026, and conflicting national standards shall be
withdrawn at the latest by April 2026.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27701:2021.
Any feedback and questions on this document should be directed to the users’ national standards
body/national committee. A complete listing of these bodies can be found on the CEN and CENELEC
websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27701:2025 has been approved by CEN-CENELEC as EN ISO/IEC 27701:2025
without any modification.
International Standard
ISO/IEC 27701
Second edition
2025-10
Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance
Reference number
ISO/IEC 27701:2025(en)
© ISO/IEC 2025

ISO/IEC 27701:2025(en)
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
ISO/IEC 27701:2025(en)
Contents
Foreword (p. v)
Introduction (p. vi)
1 Scope (p. 1)
2 Normative references (p. 1)
3 Terms, definitions and abbreviations (p. 1)
4 Context of the organization (p. 4)
4.1 Understanding the organization and its context (p. 4)
4.2 Understanding the needs and expectations of interested parties (p. 5)
4.3 Determining the scope of the privacy information management system (p. 5)
4.4 Privacy information management system (p. 6)
5 Leadership (p. 6)
5.1 Leadership and commitment (p. 6)
5.2 Privacy policy (p. 6)
5.3 Roles, responsibilities and authorities (p. 7)
6 Planning (p. 7)
6.1 Actions to address risks and opportunities (p. 7)
6.1.1 General (p. 7)
6.1.2 Privacy risk assessment (p. 7)
6.1.3 Privacy risk treatment (p. 8)
6.2 Privacy objectives and planning to achieve them (p. 9)
6.3 Planning of changes (p. 10)
7 Support (p. 10)
7.1 Resources (p. 10)
7.2 Competence (p. 10)
7.3 Awareness (p. 10)
7.4 Communication (p. 10)
7.5 Documented information (p. 11)
7.5.1 General (p. 11)
7.5.2 Creating and updating documented information (p. 11)
7.5.3 Control of documented information (p. 11)
8 Operation (p. 12)
8.1 Operational planning and control (p. 12)
8.2 Privacy risk assessment (p. 12)
8.3 Privacy risk treatment (p. 12)
9 Performance evaluation (p. 12)
9.1 Monitoring, measurement, analysis and evaluation (p. 12)
9.2 Internal audit (p. 13)
9.2.1 General (p. 13)
9.2.2 Internal audit programme (p. 13)
9.3 Management review (p. 13)
9.3.1 General (p. 13)
9.3.2 Management review inputs (p. 13)
9.3.3 Management review results (p. 14)
10 Improvement (p. 14)
10.1 Continual improvement (p. 14)
10.2 Nonconformity and corrective action (p. 14)
11 Further information on annexes (p. 14)
Annex A (normative) PIMS reference control objectives and controls for PII controllers and PII processors (p. 15)
Annex B (normative) Implementation guidance for PII controllers and PII processors (p. 21)
Annex C (informative) Mapping to ISO/IEC 29100 (p. 51)
Annex D (informative) Mapping to the General Data Protection Regulation (p. 53)
Annex E (informative) Mapping to ISO/IEC 27018 and ISO/IEC 29151 (p. 56)
Annex F (informative) Correspondence with ISO/IEC 27701:2019 (p. 58)
Bibliography (p. 64)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the
European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13, Cybersecurity and
data protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This second edition cancels and replaces the first edition (ISO/IEC 27701:2019), which has been technically
revised.
The main changes are as follows:
— the document has been redrafted as a stand-alone management system standard.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Introduction
0.1  General
Almost every organization processes personally identifiable information (PII). Further, the quantity and
types of PII processed are increasing, as are the number of situations where an organization needs to
cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of
the processing of PII is a societal need, as well as the topic of dedicated legal requirements worldwide.
This document includes mapping to:
— the privacy framework and principles defined in ISO/IEC 29100;
— ISO/IEC 27018;
— ISO/IEC 29151;
— the EU General Data Protection Regulation.
NOTE These mappings can be interpreted to take into account local legal requirements.
This document can be used by PII controllers (including those that are joint PII controllers) and PII
processors (including those using subcontracted PII processors and those processing PII as subcontractors
to PII processors).
By complying with the requirements in this document, an organization can generate evidence of how it
handles the processing of PII. Such evidence can be used to facilitate agreements with business partners
where the processing of PII is mutually relevant. This can also assist in relationships with other interested
parties. The use of this document can provide independent verification of this evidence.
0.2  Compatibility with other management system standards
This document applies the framework developed by ISO to improve alignment among its management
system standards.
This document enables an organization to align or integrate its privacy information management system
(PIMS) with the requirements of other management system standards, and in particular with the
information security management system specified in ISO/IEC 27001.

International Standard ISO/IEC 27701:2025(en)
Information security, cybersecurity and privacy protection —
Privacy information management systems — Requirements
and guidance
1 Scope
This document specifies requirements for establishing, implementing, maintaining and continually
improving a privacy information management system (PIMS).
Guidance is also provided to assist in the implementation of the requirements in this document.
This document is intended for personally identifiable information (PII) controllers and PII processors
holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies,
government entities and not-for-profit organizations.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 29100, Information technology — Security techniques — Privacy framework
3 Terms, definitions and abbreviations
For the purposes of this document, the terms and definitions given in ISO/IEC 29100 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to
achieve its objectives (3.6)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not,
public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the larger
entity that is within the scope of the privacy information management system (3.23).
3.2
interested party
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or
activity
3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management
refers to those who direct and control that part of the organization.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.5) and objectives
(3.6), as well as processes (3.8) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.5
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)
3.6
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or specific to a project, product or process (3.8).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an operational
criterion, as a privacy objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of privacy information management systems (3.23), privacy objectives are set by the
organization (3.1), consistent with the privacy policy (3.5), to achieve specific results.
3.7
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes
in circumstances) and the associated likelihood of occurrence.
3.8
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context of
the reference.
3.9
competence
ability to apply knowledge and skills to achieve intended results

3.10
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it
is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.8);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.11
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.8), products, services, systems or
organizations (3.1).
3.12
continual improvement
recurring activity to enhance performance (3.11)
3.13
effectiveness
extent to which planned activities are realized and planned results are achieved
3.14
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and
interested parties (3.2) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.10).
3.15
conformity
fulfilment of a requirement (3.14)
3.16
nonconformity
non-fulfilment of a requirement (3.14)
3.17
corrective action
action to eliminate the cause(s) of a nonconformity (3.16) and to prevent recurrence
3.18
audit
systematic and independent process (3.8) for obtaining evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it
can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

3.19
measurement
process (3.8) to determine a value
3.20
monitoring
determining the status of a system, a process (3.8) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
3.21
joint PII controller
personally identifiable information (PII) controller that determines the purposes and means of the
processing of PII jointly with one or more other PII controllers
3.22
customer
person or organization (3.1) that can or does receive a product or a service that is intended for or required
by this person or organization
EXAMPLE Consumer, client, end-user, retailer, receiver of product or service from an internal process (3.8),
beneficiary and purchaser.
Note 1 to entry: A customer can be internal or external to the organization.
Note 2 to entry: A customer can be an organization that has a contract with a PII controller, a PII controller who has a
contract with a PII processor or a PII processor that has a contract with a subcontractor for PII processing.
3.23
privacy information management system
PIMS
management system (3.4) which addresses the protection of privacy as potentially affected by the processing
of personally identifiable information
3.24
information security programme
set of policies (3.5), objectives (3.6) and processes (3.8) designed to manage risks (3.7) to an organization's
(3.1) assets, to ensure confidentiality, integrity and availability of information
Note 1 to entry: An information security programme can be, for example, an information security management system
such as one based on ISO/IEC 27001.
3.25
statement of applicability
documentation of all necessary controls and justification for the inclusion or exclusion of such controls
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect
its ability to achieve the intended result(s) of its privacy information management system.
The organization shall determine whether climate change is a relevant issue.
The organization shall determine if it is acting as a PII controller (including as a joint PII controller) or as a
PII processor.
The organization shall determine external and internal issues that are relevant to its context and that affect
its ability to achieve the intended outcome(s) of its PIMS.
NOTE 1 External and internal issues can include but are not limited to:

— applicable privacy legislation;
— applicable regulations;
— applicable judicial decisions;
— applicable organizational context, governance, policies and procedures;
— applicable administrative decisions;
— applicable contractual requirements.
Where the organization acts in both roles (i.e. a PII controller and a PII processor), separate roles shall be
determined, each of which is the subject of a separate set of controls.
NOTE 2 The role of the organization can be different for each instance of the processing of PII, since it depends on
who determines the purposes and means of the processing.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the privacy information management system;
— the relevant requirements of these interested parties;
— which of these requirements will be addressed through the privacy information management system.
NOTE 1 Relevant interested parties can have requirements related to climate change.
The organization shall include among its interested parties those parties having interests or responsibilities
associated with the processing of PII, including the PII principals.
NOTE 2 Other interested parties can include customers, supervisory authorities, other PII controllers, PII
processors and their subcontractors.
Depending on the role of the organization, “customer” can be understood as either:
a) an organization who has a contract with a PII controller (e.g. the customer of the PII controller);
NOTE 3 This can be the case of an organization which is a joint PII controller.
b) a PII controller who has a contract with a PII processor (e.g. the customer of the PII processor); or
c) a PII processor who has a contract with a subcontractor for PII processing (e.g. the customer of the
subcontracted PII processor).
NOTE 4 An individual person whose PII is processed in a business association (for example in a consumer, employee,
vendor, visitor relationship) is referred to as a “PII principal” in this document.
NOTE 5 Requirements relevant to the processing of PII can be determined by legal and regulatory requirements, by
contractual obligations and by self-imposed organizational objectives. The privacy principles set out in ISO/IEC 29100
provide guidance concerning the processing of PII.
NOTE 6 To demonstrate conformity with the organization's obligations, some interested parties can expect that
the organization is in conformity with specific standards, such as the management system specified in this document
or any relevant set of specifications. These parties can call for independently audited conformity to these standards.
4.3 Determining the scope of the privacy information management system
The organization shall determine the boundaries and applicability of the privacy information management
system to establish its scope.

When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1;
— the requirements referred to in 4.2.
The scope shall be available as documented information.
When determining the scope of the PIMS, the organization shall include the processing of PII.
4.4 Privacy information management system
The organization shall establish, implement, maintain and continually improve a privacy information
management system, including the processes needed and their interactions, in accordance with the
requirements of this document.
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the privacy information
management system by:
— ensuring that the privacy policy (see 5.2) and privacy objectives (see 6.2) are established and are
compatible with the strategic direction of the organization;
— ensuring the integration of the privacy information management system requirements into the
organization’s business processes;
— ensuring that the resources needed for the privacy information management system are available;
— communicating the importance of effective privacy information management and of conforming to the
privacy information management system requirements;
— ensuring that the privacy information management system achieves its intended result(s);
— directing and supporting persons to contribute to the effectiveness of the privacy information
management system;
— promoting continual improvement;
— supporting other relevant roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this document can be interpreted broadly to mean those activities that are core
to the purposes of the organization’s existence.
5.2 Privacy policy
Top management shall establish a privacy policy that:
a) is appropriate to the purpose of the organization;
b) provides a framework for setting privacy objectives;
c) includes a commitment to meet applicable requirements;
d) includes a commitment to continual improvement of the privacy information management system.
The privacy policy shall:
— be available as documented information;

— be communicated within the organization;
— be available to interested parties, as appropriate.
5.3 Roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and
communicated within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the privacy information management system conforms to the requirements of this
document;
b) reporting on the performance of the privacy information management system to top management.
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the privacy information management system, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that
need to be addressed to:
— give assurance that the privacy information management system can achieve its intended result(s);
— prevent, or reduce, undesired effects;
— achieve continual improvement.
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to
— integrate and implement the actions into its privacy information management system processes;
— evaluate the effectiveness of these actions.
6.1.2 Privacy risk assessment
The organization shall define and apply a privacy risk assessment process that:
a) establishes and maintains privacy risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing privacy risk assessments;
b) ensures that repeated privacy risk assessments produce consistent, valid and comparable results;
c) identifies the privacy risks:
1) associated with the protection of privacy and information security risks within the scope of the
privacy information management system; and

2) that identify the risk owners;
d) analyses the privacy risks that:
1) assess the potential consequences for both the organization and PII principals that would result if
the risks identified in c) 1) were to materialize;
2) assess the realistic likelihood of the occurrence of the risks identified in c) 1); and
3) determine the levels of risk;
e) evaluates the privacy risks that:
1) compare the results of risk analysis with the risk criteria established in a); and
2) prioritize the analysed risks for risk treatment.
The organization shall retain documented information about the privacy risk assessment process.
NOTE For further information on the privacy risk assessment process, see ISO/IEC 27557.
6.1.3 Privacy risk treatment
The organization shall define and apply a privacy risk treatment process to treat risks related to the
processing of PII, including risks to PII principals, and including the security of PII, by:
a) selecting appropriate privacy risk treatment options, taking account of the risk assessment results;
b) determining all controls that are necessary to implement the privacy risk treatment option(s) chosen;
NOTE 1 Organizations can design controls as required or identify them from any source.
c) identifying and documenting the information security programme implemented by the organization,
including the appropriate security controls;
The information security programme at a minimum should address the following:
— information security risk management;
— policies for information security;
— organization of information security;
— human resources security;
— asset management;
— access control;
— operations security;
— network security management;
— development security;
— supplier management;
— incident management;
— information security continuity;
— information security reviews;
— cryptography; and
— physical and environmental security.
NOTE 2 ISO/IEC 27002 provides a list of possible information security controls. If the information security
programme is based on ISO/IEC 27001, ISO/IEC 27002 can be consulted to ensure that no necessary information
security controls are overlooked.
d) comparing the controls determined in b) and c) above with those in Annex A and verifying that no
necessary controls have been omitted;
NOTE 3 Annex A contains a list of possible privacy controls. Annex A can be consulted to ensure that no
necessary privacy controls are overlooked.
NOTE 4 The privacy controls listed in Annex A are not exhaustive and additional privacy controls can be
included if needed.
NOTE 5 Organizations can address information security and privacy in an integrated manner when considering
the security of PII processing, combining information security and privacy risk assessments for example, or as
separate entities with overlapping areas.
e) producing a statement of applicability that includes:
— the necessary controls [see b), c) and d)];
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the controls from Annex A.
It is not necessary to include all controls listed in Annex A. For example, controls can be excluded if they are
not deemed necessary by the risk assessment or are not covered by (or are subject to exceptions under) the
applicable legal requirements, including those applicable to the PII principal.
f) formulating a privacy risk treatment plan;
g) obtaining the privacy risk owners’ approval of the privacy risk treatment plan and acceptance of the
residual privacy risks; and
h) considering the guidance in Annex B for the implementation of controls determined in b) and c).
The organization shall retain documented information about the privacy risk treatment process.
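As an added worked example (not text or code from ISO/IEC 27701:2025, and not an ISO-provided tool), the following Python register walks through the privacy risk assessment steps of 6.1.2 (fixed criteria, identified risks with named owners, consequence and likelihood analysis for both the organization and PII principals, evaluation against the acceptance criterion, prioritization) and then produces the statement of applicability required by 6.1.3 e), including the 6.1.3 d) check that every Annex A control left out carries a justification. The scales, the acceptance threshold, the sample risks and owners, and the "PLACEHOLDER-A.n" control identifiers are all constructed assumptions; the page does not reproduce Annex A, so no real control identifiers are used.

```python
"""Worked privacy risk assessment (6.1.2) and statement of applicability (6.1.3 e)).

Added illustration, not text or code from ISO/IEC 27701:2025. All scales,
thresholds, risks and control identifiers below are constructed assumptions;
"PLACEHOLDER-A.n" stands in for real Annex A control identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# 6.1.2 a) 1): risk acceptance criterion (assumed: a level at or below 4 is accepted)
RISK_ACCEPTANCE_THRESHOLD = 4

# 6.1.2 a) 2) and b): fixed scales so repeated assessments give comparable results
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class PrivacyRisk:
    risk_id: str
    description: str
    owner: str                  # 6.1.2 c) 2): every risk has a named risk owner
    likelihood: str             # 6.1.2 d) 2)
    consequence_org: str        # 6.1.2 d) 1): consequence for the organization
    consequence_principal: str  # 6.1.2 d) 1): consequence for PII principals
    necessary_controls: list[str] = field(default_factory=list)  # 6.1.3 b) and c)


def risk_level(risk: PrivacyRisk) -> int:
    """6.1.2 d) 3): level = likelihood x the worse of the two consequences."""
    worst = max(CONSEQUENCE_SCALE[risk.consequence_org],
                CONSEQUENCE_SCALE[risk.consequence_principal])
    return LIKELIHOOD_SCALE[risk.likelihood] * worst


def evaluate(register: list[PrivacyRisk]) -> list[PrivacyRisk]:
    """6.1.2 e): keep risks above the acceptance criterion, highest level first."""
    to_treat = [r for r in register if risk_level(r) > RISK_ACCEPTANCE_THRESHOLD]
    return sorted(to_treat, key=lambda r: (-risk_level(r), r.risk_id))


def statement_of_applicability(register, annex_a, implemented, exclusion_justifications):
    """6.1.3 d) and e): list necessary controls with inclusion justification and
    implementation status, and record a justification for every Annex A control
    left out. Returns (soa, unjustified_exclusions); a non-empty second value
    means the comparison with Annex A found an exclusion nobody has justified."""
    required_by: dict[str, list[str]] = {}
    for risk in register:
        for ctrl in risk.necessary_controls:
            required_by.setdefault(ctrl, []).append(risk.risk_id)

    soa = {}
    for ctrl, risks in sorted(required_by.items()):
        soa[ctrl] = {
            "included": True,
            "justification": "required by risk(s) " + ", ".join(sorted(risks)),
            "implemented": ctrl in implemented,
        }

    unjustified = []
    for ctrl in sorted(annex_a):
        if ctrl in required_by:
            continue
        justification = exclusion_justifications.get(ctrl)
        if justification is None:
            unjustified.append(ctrl)
        soa[ctrl] = {"included": False, "justification": justification, "implemented": False}
    return soa, unjustified


# Constructed sample register (not from the standard).
SAMPLE_REGISTER = [
    PrivacyRisk("R1", "Unauthorised access to customer PII in the analytics database",
                "Head of Data Platform", "possible", "major", "severe",
                ["PLACEHOLDER-A.1", "PLACEHOLDER-A.2"]),
    PrivacyRisk("R2", "PII retained beyond the stated purpose",
                "Privacy Officer", "likely", "moderate", "moderate",
                ["PLACEHOLDER-A.3"]),
    PrivacyRisk("R3", "Newsletter sent to a stale contact list",
                "Marketing Lead", "unlikely", "minor", "minor"),
]
SAMPLE_ANNEX_A = {"PLACEHOLDER-A.1", "PLACEHOLDER-A.2", "PLACEHOLDER-A.3",
                  "PLACEHOLDER-A.4", "PLACEHOLDER-A.5"}
SAMPLE_IMPLEMENTED = {"PLACEHOLDER-A.1", "PLACEHOLDER-A.3"}
SAMPLE_EXCLUSIONS = {
    "PLACEHOLDER-A.4": "not applicable: organization acts only as PII controller (assumed)",
}

if __name__ == "__main__":
    for risk in evaluate(SAMPLE_REGISTER):
        print(f"{risk.risk_id} level={risk_level(risk)} owner={risk.owner}: {risk.description}")
    soa, unjustified = statement_of_applicability(
        SAMPLE_REGISTER, SAMPLE_ANNEX_A, SAMPLE_IMPLEMENTED, SAMPLE_EXCLUSIONS)
    for ctrl, entry in soa.items():
        print(ctrl, entry)
    if unjustified:
        print("Annex A controls excluded without justification:", unjustified)
```

In the sample, R3 scores at the acceptance threshold and is therefore not prioritized for treatment, R1 outranks R2 because the consequence for PII principals (not only for the organization) drives its level, and PLACEHOLDER-A.5 is reported as an exclusion lacking the justification that 6.1.3 e) requires. The register and the returned statement are exactly the documented information that 6.1.2 and 6.1.3 say the organization shall retain.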
6.2 Privacy objectives and planning to achieve them
The organization shall establish privacy objectives at relevant functions and levels.
The privacy objectives shall:
a) be consistent with the privacy policy (see 5.2);
b) be measurable (if practicable);
c) take into account applicable requirements;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
...