ISO 27701 Blog
4 min

Overview of ISO 27701 Controls

Posted by: Mr. Nur Kamal Kamari Date: 10 Oct 2023


For an organisation, safeguarding confidential data and private information from malicious attacks is imperative. In this regard, the ISO 27701 standard assumes a vital role by providing a comprehensive framework that can be globally adopted by organisations to align its compliance with GDPR (General Data Protection Regulation) and other privacy laws.

The ISO 27701 standard establishes policies, procedures, and business practices that align with privacy requirements through the implementation of a Privacy Information Management System (PIMS). By adhering to this framework and its associated guidelines, organisations can not only protect their private data but also cultivate trust among stakeholders, including consumers, employees, investors, and partners. This trust stems from the organisation's demonstrated awareness and responsibility in safeguarding data and upholding stringent privacy protection measures both internally and externally.

ISO 27701 serves as an extension to the ISO 27001 standard, which centers on Information Security. To implement ISO 27701, organisations must first fulfill a prerequisite, either by having implemented the ISO 27001 framework or by implementing it simultaneously. As an extension, the scope of ISO 27701 has to be identical to that of ISO 27001. Combining both ISO 27001 and ISO 27701 ensures enhanced protection against cyberattacks and data breaches, safeguarding critical information from unauthorized access and manipulation.

ISO 27701 controls

The successful implementation and continual improvement of a standard's framework in an organisation require adherence to specific rules and regulations. To effectively implement and maintain a Privacy Information Management System (PIMS), organisations must follow laid-down controls to mitigate privacy risks. These controls offer flexibility to suit each organisation's needs and requirements.

The ISO 27701 controls list has around 184 controls. These are divided into five sub-categories that can be easily understood and can help in implementation of key controls in the organisation:

  • Security Management Controls: These create and maintain an effective and efficient security management system which ensures that there are procedures in place for prevention against a multitude of security attacks.
  • Information Security Risk Management Controls: These cater to procedures and practices for ensuring that all personal data security risks are identified, assessed, mitigated and treated in a timely manner.
  • Information Security Controls: These ensure that controls supporting the policies are in place ensuring staff, vendors and suppliers are able to adhere to a uniform set of practices. They do this by ensuring that information is accessible only by authorised personnel and there are proper guidelines regarding usage, disclosure, destruction, and retrieval of personal information to ensure enhanced data protection.
  • Information Security Incident Management Controls: These controls are meant to be a playbook in the event of information security or data breach. These controls define the response, investigation and the resumption of business operations after a security incident or data breach that may bring about reputational damage.
  • Business Continuity Management Controls: These, when in place, ensure that the operations and activities of a business are continued, even in the unlikely event of a data breach, security attack or privacy attack, to ensure minimal impact to stakeholders and users.

While ISO 27701 controls help in keeping a check on the privacy regulations, it also helps indicatively in keeping PII of the organisations’ stakeholders and users safe. PII or Personally Identifiable Information is any information or a group of information pieces that can help in identifying the identity of an individual.

ISO 27701 is an extension to ISO 27001 standard where ISO 27001 focus on information security system and ISO 27701 adds on extra layer of protection by ensuring privacy information. Depending on the risk assessment and business operations, organisations are required to select the applicable controls from Annex A of ISO 27001. As for ISO 27701, Annex A controls are meant for data controllers while Annex B for data processors. Organisations that are both controllers and processors, they would need to consider both annexes.

While many controls in ISO 27701 overlap with ISO 27001, there are additional controls that specifically cater to the requirements for PII protection. These PII controls ensure that procedures and processes are in place to ensure correct modification, correction, accessibility, provision, confidentiality, and consent requirements fulfilment of PII to ensure highest level of security of private information.

ISO 27701 not only facilitates the implementation of privacy protection best practices but also ensures organisations' compliance with GDPR requirements, bolstering their global reputation. However, manually ensuring compliance and obtaining ISO 27701 certification can be complex. TÜV SÜD's ISO 27701 certification services aims to provide expert help for a smoother and more convenient process. Our integrated services ensure comprehensive understanding and awareness of the ISO 27701 standard and its requirements, enabling seamless control implementation, maintenance, and integrated certification process, backed by our years of experience.

  • ISO 27701:2019 Privacy Information Management Systems Awareness Training – This training ensures that the organisation’s employees and leadership team is fully aware about the requirements of the ISO 27701 in terms of privacy protection and PII and helps in ensuring that the organisation understands the benefits of getting an ISO 27701 certification.
  • ISO/IEC 27701:2019 Privacy Information Management Systems Implementer Training – This training ensures that the organisation understands the principles of ISO 27701, implements the controls in place, documents everything according to the standard requirements and ensures the effective evaluation of the control system along with training the employees for better PIMS control.
  • ISO 27701:2019 Privacy Information Management Systems Internal Auditor Training – This training helps in processes after implementation of a PIMS control within an organisation. It trains the organisation’s employees on the best practices to be followed, continuous evaluation of the control system and continual improvement as per the industry updates. It also helps the organisation with the certification procedures of ISO 27701 to ensure smooth certification and maintenance of the PIMS control within the organisation.


In the era of global data accessibility, safeguarding private and confidential information demands a robust control system that adheres to global standards and industry frameworks. ISO 27701 assumes a pivotal role in guaranteeing effective personal data and privacy protection while addressing any potential privacy concerns within an organisation.

Next Steps

Site Selector