ISO 27701 Checklist

Use this ISO 27701 audit checklist to assess PIMS compliance and PII controller and processor controls during an internal audit or gap analysis in preparation for ISO 27701 certification.

Clause 4 — Context Of The Organization

1. Internal and external issues relevant to the organisation's purpose and that affect its ability to achieve the intended outcomes of its Privacy Information Management System (PIMS) are identified and documented, including climate-related risks where relevant to PII processing infrastructure or service providers.


2. Internal issues are reviewed and include organisational structure, existing privacy practices, workforce capability, technology systems used to process PII, and existing information security maturity.


3. External issues are reviewed and include applicable privacy laws and regulations, regulatory expectations, market requirements for personal data handling, and geopolitical factors affecting cross-border data transfers.


4. Interested parties relevant to the PIMS are identified, including data subjects, regulators, customers, business partners, third-party processors, and employees.


5. The requirements and expectations of each interested party are documented and reviewed at defined intervals, including any contractual, regulatory, or voluntary privacy obligations.


6. The PIMS scope is documented, defining which PII processing activities, systems, business units, and geographic locations are included.


7. Any PII processing activities excluded from scope are listed with documented justification.


8. The organisation has documented its role as a PII controller, PII processor, or both, and this determination is reflected in the PIMS scope and Annex A control selection.


9. The PIMS scope is available to relevant interested parties.


10. A record of processing activities (RoPA) or equivalent PII processing inventory is maintained, current, and aligned with the documented scope.


11. The processing inventory identifies the categories of PII processed, the purposes of processing, the legal basis, data subjects affected, retention periods, and any cross-border transfers for each activity.


Clause 5 — Leadership

1. Top management has demonstrated commitment to the PIMS through documented resource allocation, governance approvals, and active participation in privacy governance.


2. A privacy policy is documented and approved by top management.


3. The privacy policy includes a commitment to protecting PII in accordance with applicable privacy requirements and to continually improving the PIMS.


4. The privacy policy provides a framework for setting and reviewing privacy objectives.


5. The privacy policy is communicated to all personnel involved in PII processing activities.


6. The privacy policy is made available to data subjects and other relevant external parties in an accessible format.


7. PIMS roles, responsibilities, and authorities are documented and assigned, including accountability for data protection, privacy risk management, and compliance.


8. A Data Protection Officer (DPO) or equivalent privacy lead has been appointed where required by applicable regulation or organisational policy, with sufficient authority and independence.


9. Responsibility for ensuring PIMS conformity and reporting PIMS performance to top management is formally assigned.


10. Evidence that PIMS responsibilities have been communicated to relevant personnel is available.


Clause 6 — Planning

1. The organisation has established a documented process for identifying and assessing risks to the privacy rights of data subjects arising from PII processing activities.


2. Privacy risk assessments have been completed for all PII processing activities within scope, using a systematic methodology covering risk identification, analysis, and evaluation.


3. Risk assessments are reviewed and updated when processing activities, systems, technologies, or legal obligations change significantly.


4. A privacy risk register is maintained with risk owners, assessed risk levels, and treatment status for each identified risk.


5. Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) are conducted for processing activities presenting a high risk to data subjects, including activities involving automated decision-making, AI-related processing, biometric data, health data, or IoT-generated PII.


6. DPIA results are retained and used to inform control selection and processing decisions.


7. Risk treatment options have been selected for each identified privacy risk, with documented rationale for the controls chosen.


8. A Statement of Applicability (SoA) is documented, listing applicable Annex A controls (Tables A.1, A.2, and A.3) with justifications for inclusions and exclusions based on the organisation's role as controller, processor, or both, and the results of the privacy risk assessment.


9. A risk treatment plan is documented with assigned owners and target completion dates.


10. Privacy objectives are established, documented, measurable, and consistent with the privacy policy, with privacy-specific KPIs defined to ensure measurability.


11. Plans to achieve privacy objectives include assigned responsibilities, required resources, timelines, and methods for evaluating results.


12. A change management process is in place for planned changes to PII processing activities, systems, or third-party arrangements that could affect PIMS conformity.


Clause 7 — Support

1. Resources required to establish, implement, maintain, and continually improve the PIMS are identified and provided.


2. Competence requirements are defined for all roles that affect PII processing, privacy governance, or PIMS performance, including privacy support roles.


3. Evidence of competence is available for personnel in PIMS roles, including training records, qualifications, and assessed performance.


4. Privacy awareness training is conducted for all personnel who process PII or have access to systems containing PII, including awareness of AI-related processing obligations where applicable.


5. Training records are maintained and evidence that training effectiveness has been evaluated is available.


6. Personnel are aware of the privacy policy, the risks relevant to their role, and the consequences of failing to comply with privacy requirements.


7. Internal and external communication requirements for the PIMS are documented, specifying who communicates what, to whom, and through which channel.


8. A document control procedure is in place covering creation, approval, version control, access management, and retention of PIMS documented information.


9. PIMS documents are properly identified, described, and protected from unauthorised changes or accidental deletion.


10. Retention requirements for PIMS documented information are defined and applied.


Clause 8 — Operation

1. Operational procedures are documented for all PII processing activities within scope, including collection, storage, use, transfer, and disposal.


2. Criteria for controlling PII processing activities are established and consistently applied.


3. Evidence that PII processing activities are executed according to documented procedures is available.


4. Privacy risk assessments are performed before new PII processing activities are initiated or existing activities are substantially changed, including activities involving new technologies such as AI, biometrics, IoT, or health data processing.


5. Consent management procedures are in place where consent is used as the legal basis for processing, including records of consent obtained, withdrawn, and refreshed.


6. Procedures for handling data subject rights requests are documented and cover access, rectification, erasure, restriction, portability, and objection.


7. Data subject rights requests are acknowledged and fulfilled within the timeframes required by applicable privacy regulation.


8. Records of data subject rights requests and their outcomes are maintained.


9. Data breach and privacy incident response procedures are documented, covering detection, containment, notification to regulators, and notification to affected data subjects.


10. Privacy incidents are recorded, investigated, and used to drive corrective action and PIMS improvement.


11. Data minimisation controls are in place to ensure only PII necessary for the stated processing purpose is collected and retained.


12. Retention schedules are defined and enforced for all categories of PII, including secure disposal procedures when retention periods expire.


13. Cross-border transfer controls are in place where PII is transferred to third countries, including documented transfer mechanisms, data localisation requirements, and assessments of adequacy.


14. Operational controls address AI-related processing risks, including automated decision-making, profiling, and the use of AI systems that process PII, with human oversight mechanisms defined where required.


Clause 9 — Performance Evaluation

1. The organisation has determined what to monitor and measure for PIMS performance, including privacy risk treatment effectiveness, data subject rights request volumes and outcomes, incident trends, and privacy-specific KPIs aligned to the objectives set under Clause 6.


2. Methods, frequency, and responsibility for monitoring and measurement are documented.


3. Monitoring results are analysed, evaluated, and reported to relevant management at defined intervals.


4. Privacy metrics are tracked over time and used to assess whether privacy objectives are being achieved.


5. An internal audit programme for the PIMS is documented, covering audit scope, criteria, frequency, and auditor selection, structured to reflect the four control themes of the 2025 edition: Organisational, People, Physical, and Technological.


6. Auditor independence from the areas being audited is ensured and documented.


7. At least one complete internal PIMS audit cycle has been completed before the certification audit.


8. Internal audit reports document findings, evidence reviewed, conformities, and nonconformities.


9. Audit findings are communicated to relevant management and tracked to closure.


10. Management reviews of the PIMS are conducted at planned intervals by top management.


11. Management review inputs include PIMS performance data, audit results, privacy risk register status, privacy objective progress, data subject complaint volumes, status of corrective actions, and changes in applicable privacy laws or regulations.


12. Management review outputs include decisions on improvement opportunities, resource needs, and any required changes to the PIMS.


13. Management review minutes are retained as documented evidence.


Clause 10 — Improvement

1. A process for identifying, recording, and managing nonconformities is documented.


2. Nonconformities, including privacy control failures, data breaches, and data subject complaints, are recorded when they occur.


3. Root cause analysis is performed for each nonconformity to identify the underlying cause rather than the symptom.


4. Corrective actions are planned with assigned owners and target completion dates.


5. Corrective actions are verified for effectiveness before the nonconformity is closed.


6. Records of nonconformities, corrective actions, and closure evidence are retained.


7. Lessons learned from privacy incidents and nonconformities are used to update risk assessments, controls, and processing procedures.


8. Evidence of continual improvement of the PIMS is available, demonstrating that privacy controls, risk management practices, and PII protection outcomes improve over time.


Annex A.1 — PII Controller Controls (Table A.1)

1. A lawful basis for processing has been identified and documented for each PII processing activity, including the specific legal basis applied (consent, contract, legal obligation, legitimate interests, or other applicable basis).


2. Where legitimate interests are relied upon as the legal basis, a legitimate interests assessment has been completed and documented.


3. Privacy notices are provided to data subjects at the point of collection, covering the identity of the controller, the purposes of processing, the legal basis, recipients of PII, retention periods, and data subject rights.


4. Privacy notices are written in plain language accessible to the intended audience, kept current, and available in accessible formats.


5. Consent is obtained through a clear affirmative action where consent is the stated legal basis, and records of consent are maintained including the date, mechanism, and scope of consent.


6. Processes are in place to honour consent withdrawal promptly and to cease processing based on that consent once withdrawn.


7. Procedures are in place to respond to data subject access requests, including identity verification, collation of data held, and delivery within required timeframes.


8. Procedures are in place to correct inaccurate PII upon request from the data subject.


9. Procedures are in place to erase PII upon request where the legal basis for erasure is met, and to communicate erasure to third parties where PII has been shared.


10. Procedures are in place to restrict processing where requested by a data subject pending verification or dispute resolution.


11. Where data portability applies, procedures exist to provide PII to data subjects in a structured, commonly used, machine-readable format.


12. Procedures are in place to allow data subjects to object to processing, including objection to profiling and automated decision-making, and to action objections within required timeframes.


13. Privacy by design and privacy by default principles are applied when developing or procuring new systems or processes that process PII, with privacy risk assessment conducted before deployment.


14. Data minimisation controls ensure that only the minimum PII necessary for each specific processing purpose is collected and processed by default.


15. Contracts or data processing agreements are in place with all third-party processors, specifying the scope, purpose, and obligations of processing.


16. A register of third-party processors is maintained and reviewed at defined intervals.


17. Due diligence is performed on third-party processors before engagement, covering their privacy and security controls.


18. Where PII is transferred internationally, the transfer mechanism is documented, legally valid, and reviewed periodically.


19. Records of international transfer mechanisms are maintained and updated when transfer arrangements change.


20. Controls are in place for automated decision-making and profiling activities, including mechanisms for human review of significant decisions made solely on the basis of automated processing.


Annex A.2 — PII Processor Controls (Table A.2)

1. A documented agreement or contract is in place with the PII controller specifying the scope, purpose, and permitted processing activities.


2. PII is processed only on documented instructions from the controller, and any instruction considered to conflict with applicable privacy law is flagged to the controller before processing proceeds.


3. Personnel with access to PII are subject to confidentiality obligations, either through employment contracts or separate confidentiality agreements.


4. The organisation does not engage sub-processors without prior written authorisation from the controller, either specific or general.


5. A register of sub-processors is maintained and kept current, and the controller is notified of any intended changes to sub-processor arrangements.


6. Sub-processors are bound by data protection obligations equivalent to those in the controller agreement, through a written contract.


7. The organisation assists the controller in fulfilling data subject rights requests by providing relevant PII held on the controller's behalf within agreed timescales.


8. The organisation notifies the controller of any confirmed or suspected privacy breach involving the controller's PII without undue delay and within the timeframe specified in the processing agreement.


9. On termination of the processing agreement, PII is returned to the controller or securely deleted as instructed, with written confirmation of deletion provided where required.


10. The organisation makes available to the controller all information necessary to demonstrate compliance with processor obligations and supports audits or inspections conducted by or on behalf of the controller.


11. Records of processing activities carried out on behalf of each controller are maintained, including categories of processing performed, categories of PII processed, and any transfers of PII to third countries.


Annex A.3 — Shared Information Security Controls (Table A.3)

1. Information security policies relevant to PII protection are documented, approved by management, and communicated to all personnel.


2. Access to PII is controlled through documented access control policies based on the principle of least privilege, with role-based access controls applied to all systems processing PII.


3. User access rights to PII systems are provisioned, reviewed at defined intervals, and revoked promptly when personnel change roles or leave the organisation.


4. Privileged access to systems containing PII is subject to enhanced controls, including multi-factor authentication, access logging, and periodic review.


5. PII is classified in accordance with the organisation's information classification policy, and handling controls are applied commensurate with the classification level.


6. Encryption is applied to PII at rest and in transit, with encryption key management documented and proportionate to the sensitivity of the PII held.


7. Physical security controls are in place to protect facilities and equipment used to process PII against unauthorised access, damage, and interference.


8. Vulnerability management processes are in place for systems processing PII, including regular scanning, patch management, and remediation within defined timeframes.


9. Secure development practices are applied where PII systems are developed internally, including security testing before deployment and controls over development, test, and production environment separation.


10. Third-party and supplier relationships affecting PII security are managed through documented assessments, contracts, and monitoring arrangements.


11. Privacy incident detection, reporting, and response procedures are in place, with incidents affecting PII investigated, contained, and notified to relevant parties within required timeframes.


12. Business continuity and disaster recovery plans address PII processing system dependencies and the recovery of PII in the event of a disruption.


13. Audit logging is enabled for systems processing PII, capturing access, changes, and security-relevant events, with logs retained for a defined period and protected against tampering.


14. Privacy and information security awareness training covering PII handling obligations is provided to all personnel at defined intervals, with records retained.


15. Cloud services used to process PII are assessed and managed through defined controls covering data location, access, encryption, and incident notification, reflecting the expanded cloud services guidance in the 2025 edition.


16. AI-related processing of PII is subject to documented controls covering automated decision-making, profiling, data minimisation, and human oversight, reflecting the 2025 edition's expanded scope for AI and automated processing.


Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
